Software /
code /
prosody-modules
Comparison
mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1757:d011b87b7f58
mod_s2s_auth_dane: Validate names of DANE-TA certs
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 21 May 2015 10:28:02 +0200 |
parent | 1701:9b429fc9e8a0 |
child | 1758:7ba877e2d660 |
comparison
equal
deleted
inserted
replaced
1756:c619425dafe7 | 1757:d011b87b7f58 |
---|---|
292 end | 292 end |
293 if is_match and cacert:issued(cert, unpack(chain)) then | 293 if is_match and cacert:issued(cert, unpack(chain)) then |
294 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); | 294 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); |
295 if use == 2 then -- DANE-TA | 295 if use == 2 then -- DANE-TA |
296 session.cert_identity_status = "valid"; | 296 session.cert_identity_status = "valid"; |
297 session.cert_chain_status = "valid"; | 297 if cert_verify_identity(host, "xmpp-server", cert) then |
298 session.cert_chain_status = "valid"; | |
299 -- else -- TODO Check against SRV target? | |
300 end | |
298 -- for usage 0, PKIX-CA, identity and chain has to be valid already | 301 -- for usage 0, PKIX-CA, identity and chain has to be valid already |
299 end | 302 end |
300 match_found = true; | 303 match_found = true; |
301 break; | 304 break; |
302 end | 305 end |