--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Thu Jun 12 12:31:50 2014 +0200
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Fri Jun 13 02:19:52 2014 +0200
@@ -182,7 +182,7 @@
local use, tlsa, match_found, supported_found, chain, leafcert, cacert, is_match;
for i = 1, #dane do
tlsa = dane[i].tlsa;
- module:log("debug", "TLSA %s %s %s %d bytes of data", tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data);
+ module:log("debug", "TLSA #%d %s %s %s %d bytes of data", i, tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data);
use = tlsa.use;
if enabled_uses:contains(use) then
@@ -194,7 +194,7 @@
supported_found = true;
end
if is_match then
- log("info", "DANE validation successful");
+ log("info", "DANE validated ok using %s", tlsa:getUsage());
session.cert_identity_status = "valid";
if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status
session.cert_chain_status = "valid";
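Review bot: The new success message on line 16 identifies only the TLSA usage, so concurrent sessions validating at the same time produce indistinguishable log entries unless `log` is already a per-session logger, which is not visible in this hunk. If it is the module-level logger, the peer host the session carries should be part of the line, e.g. `log("info", "DANE validated ok for %s using %s", session.to_host, tlsa:getUsage())` (constructed example; confirm the session field name against the rest of the module). The same line is added again in the next hunk at line 25 and would want the same treatment. The enclosing function starts before and ends after this hunk.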
@@ -219,7 +219,7 @@
break;
end
if is_match then
- log("info", "DANE validation successful");
+ log("info", "DANE validated ok using %s", tlsa:getUsage());
if use == 2 then -- DANE-TA
session.cert_identity_status = "valid";
session.cert_chain_status = "valid";
@@ -235,7 +235,11 @@
end
if supported_found and not match_found or dane.bogus then
-- No TLSA matched or response was bogus
- log("warn", "DANE validation failed");
+ local why = "No TLSA matched certificate";
+ if dane.bogus then
+ why = "Bogus: "..tostring(dane.bogus);
+ end
+ log("warn", "DANE validation failed: %s", why);
session.cert_identity_status = "invalid";
session.cert_chain_status = "invalid";
end
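Review bot: The failure reason built on lines 34-38 does not say how many TLSA records were examined before giving up, although `#dane` is already the loop bound in the first hunk; `log("warn", "DANE validation failed: %s (%d TLSA records)", why, #dane)` would make the warning more useful when working out why a peer failed. When `dane.bogus` is a plain boolean rather than a reason string, `"Bogus: "..tostring(dane.bogus)` yields `Bogus: true`, which adds nothing over the old message, so it is worth checking what the resolver actually stores there. Note also that when both conditions hold only the bogus reason is reported, which seems intentional but could be stated in the comment on line 32. The enclosing function continues past this hunk.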