# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1394037867 -3600
# Node ID bb6f3312ab461570f8aa9732d4c9cee407c0dd04
# Parent  8d99b9c4cf0cdd8b1d483c1d324d7dd9606da042
mod_s2s_auth_dane: Don't allow unencrypted connections if TLSA exists

diff -r 8d99b9c4cf0c -r bb6f3312ab46 mod_s2s_auth_dane/mod_s2s_auth_dane.lua
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Wed Mar 05 17:42:15 2014 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Wed Mar 05 17:44:27 2014 +0100
@@ -104,6 +104,23 @@
 	end
 end);
 
+function module.add_host(module)
+	module:hook("s2s-authenticated", function(event)
+		local session = event.session;
+		local srv_hosts = session.srv_hosts;
+		local srv_choice = session.srv_choice;
+		if srv_hosts[srv_choice].dane and not session.secure then
+			-- TLSA record but no TLS, not ok.
+			session:close({
+				condition = "policy-violation",
+				text = "Encrypted server-to-server communication is required but was not "
+					..((session.direction == "outgoing" and "offered") or "used")
+			});
+			return false;
+		end
+	end);
+end
+
 function module.unload()
 	s2sout.try_connect = _try_connect;
 end
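Review bot: The new hook indexes `srv_hosts[srv_choice]` on line 20 without checking that either value is present, so a session that carries no `srv_hosts` table or a nil `srv_choice` would raise an error inside the event handler instead of being evaluated; the "offered"/"used" wording on line 25 suggests incoming sessions reach this hook too, and those presumably were never SRV-resolved by this side. A nil-safe lookup keeps the fail-closed intent while avoiding the error: `local srv = srv_hosts and srv_choice and srv_hosts[srv_choice];` followed by `if srv and srv.dane and not session.secure then`. Whether a handler error here aborts the authentication or is swallowed by the event dispatcher is not visible in the hunk, so the effect of the raised error cannot be determined from this patch. A one-line comment above the hook stating that a present TLSA record is treated as a requirement for TLS, not merely a hint, would make the policy explicit for later readers, e.g. `-- A DANE TLSA record for the chosen SRV target makes TLS mandatory for this session.`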