--- a/mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua Wed Feb 26 13:08:47 2014 -0800
+++ b/mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua Fri Feb 28 15:36:06 2014 +0100
@@ -5,6 +5,7 @@
local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1");
local must_match = module:get_option_boolean("s2s_pin_fingerprints", false);
+local tofu = module:get_option_boolean("s2s_tofu", false);
local fingerprints = {};
@@ -38,5 +39,20 @@
session.cert_chain_status = "invalid";
session.cert_identity_status = "invalid";
end
+ elseif tofu
+ and ( session.cert_chain_status ~= "valid"
+ or session.cert_identity_status ~= "valid" ) then
+ local digest = cert and cert:digest(digest_algo);
+ fingerprints[host] = {
+ [digest] = true;
+ }
end
end);
+
+function module.save()
+ return { fingerprints = fingerprints };
+end
+
+function module.restore(state)
+ fingerprints = state.fingerprints;
+end