prosody-modules
Changeset
1757:d011b87b7f58
mod_s2s_auth_dane: Validate names of DANE-TA certs
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 21 May 2015 10:28:02 +0200 |
parents | 1756:c619425dafe7 |
children | 1758:7ba877e2d660 |
files | mod_s2s_auth_dane/mod_s2s_auth_dane.lua |
diffstat | 1 files changed, 4 insertions(+), 1 deletions(-) [+] |
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Tue May 19 23:30:39 2015 +0200
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Thu May 21 10:28:02 2015 +0200
@@ -294,7 +294,10 @@
 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage());
 if use == 2 then -- DANE-TA
 session.cert_identity_status = "valid";
- session.cert_chain_status = "valid";
+ if cert_verify_identity(host, "xmpp-server", cert) then
+ session.cert_chain_status = "valid";
+ -- else -- TODO Check against SRV target?
+ end
 -- for usage 0, PKIX-CA, identity and chain has to be valid already
 end
 match_found = true;
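Review bot: In the DANE-TA branch, `session.cert_identity_status = "valid";` is still assigned unconditionally, before `cert_verify_identity(host, "xmpp-server", cert)` runs, so the new name check only gates `cert_chain_status`. On a name mismatch the session keeps identity marked valid and the chain status at whatever an earlier step left there; if ordinary chain validation had already set it to "valid", the mismatch would presumably have no effect on the outcome. Consider moving the identity assignment inside the `if` and making the failure explicit, e.g. `else session.cert_identity_status = "invalid";`, rather than leaving the else branch as a commented-out TODO. The "DANE validated ok" log line and `match_found = true` also run regardless of the name result, which makes a rejected name hard to spot in logs. The enclosing function starts and ends outside the hunk, so how these two fields are consumed afterwards is not visible here.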