Changeset
1944:1950fa6aa0c0
mod_s2s_auth_dane: Consider the current certificate chain status before checking PKIX-{EE,CA} TLSA records
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 05 Nov 2015 15:38:31 +0100 |
parents | 1943:7e04ca0aa757 |
children | 1945:e5039f14e2a7 |
files | mod_s2s_auth_dane/mod_s2s_auth_dane.lua |
diffstat | 1 files changed, 4 insertions(+), 3 deletions(-) [+] |
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Thu Nov 05 14:10:11 2015 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Thu Nov 05 15:38:31 2015 +0100
@@ -267,8 +267,8 @@
 local use = tlsa.use;
 if enabled_uses:contains(use) then
- -- PKIX-EE or DANE-EE
- if use == 1 or use == 3 then
+ -- DANE-EE or PKIX-EE
+ if use == 3 or (use == 1 and session.cert_chain_status == "valid") then
 -- Should we check if the cert subject matches?
 local is_match = one_dane_check(tlsa, cert);
 if is_match ~= nil then
@@ -284,7 +284,8 @@
 match_found = true;
 break;
 end
- elseif use == 0 or use == 2 then
+ -- DANE-TA or PKIX-CA
+ elseif use == 2 or (use == 0 and session.cert_chain_status == "valid") then
 supported_found = true;
 local chain = session.conn:socket():getpeerchain();
 for c = 1, #chain do
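Review bot: A PKIX-EE (usage 1) or PKIX-CA (usage 0) record is now skipped without any trace when `session.cert_chain_status` is not "valid", because neither the `if use == 3 or (...)` branch nor the `elseif use == 2 or (...)` branch takes it and `supported_found` is never set for it, so an operator who published such a record sees only a generic DANE failure. A debug log before the first branch, along the lines of `module:log("debug", "Skipping PKIX-%s TLSA record, chain status is %s", use == 0 and "CA" or "EE", tostring(session.cert_chain_status))` (assuming this module logs via `module:log` elsewhere), would make the new gating visible and would be worth a comment explaining that usages 0 and 1 are only meaningful on top of a PKIX-valid chain. Independently of this change, the PKIX-CA branch still walks `session.conn:socket():getpeerchain()`, the chain as presented by the peer rather than the validated path, which is the set RFC 6698 says a usage-0 CA must be found in; a comment noting that assumption would help the next reader judge whether a stricter check is warranted. The enclosing function starts and ends outside both hunks.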