Changeset

1330:bb6f3312ab46

mod_s2s_auth_dane: Don't allow unencrypted connections if TLSA exists
author Kim Alvefur <zash@zash.se>
date Wed, 05 Mar 2014 17:44:27 +0100
parents 1329:8d99b9c4cf0c
children 1331:dbaa67babeb4
files mod_s2s_auth_dane/mod_s2s_auth_dane.lua
diffstat 1 files changed, 17 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Wed Mar 05 17:42:15 2014 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Wed Mar 05 17:44:27 2014 +0100
@@ -104,6 +104,23 @@
 	end
 end);
 
+function module.add_host(module)
+	module:hook("s2s-authenticated", function(event)
+		local session = event.session;
+		local srv_hosts = session.srv_hosts;
+		local srv_choice = session.srv_choice;
+		if srv_hosts[srv_choice].dane and not session.secure then
+			-- TLSA record but no TLS, not ok.
+			session:close({
+				condition = "policy-violation",
+				text = "Encrypted server-to-server communication is required but was not "
+					..((session.direction == "outgoing" and "offered") or "used")
+			});
+			return false;
+		end
+	end);
+end
+
 function module.unload()
 	s2sout.try_connect = _try_connect;
 end