Changeset

1944:1950fa6aa0c0

mod_s2s_auth_dane: Consider the current certificate chain status before checking PKIX-{EE,CA} TLSA records
author Kim Alvefur <zash@zash.se>
date Thu, 05 Nov 2015 15:38:31 +0100
parents 1943:7e04ca0aa757
children 1945:e5039f14e2a7
files mod_s2s_auth_dane/mod_s2s_auth_dane.lua
diffstat 1 files changed, 4 insertions(+), 3 deletions(-) [+]
line wrap: on
line diff
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Thu Nov 05 14:10:11 2015 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Thu Nov 05 15:38:31 2015 +0100
@@ -267,8 +267,8 @@
 			local use = tlsa.use;
 
 			if enabled_uses:contains(use) then
-				-- PKIX-EE or DANE-EE
-				if use == 1 or use == 3 then
+				-- DANE-EE or PKIX-EE
+				if use == 3 or (use == 1 and session.cert_chain_status == "valid") then
 					-- Should we check if the cert subject matches?
 					local is_match = one_dane_check(tlsa, cert);
 					if is_match ~= nil then
@@ -284,7 +284,8 @@
 						match_found = true;
 						break;
 					end
-				elseif use == 0 or use == 2 then
+				-- DANE-TA or PKIX-CA
+				elseif use == 2 or (use == 0 and session.cert_chain_status == "valid") then
 					supported_found = true;
 					local chain = session.conn:socket():getpeerchain();
 					for c = 1, #chain do