mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Sun Nov 01 18:12:49 2015 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Thu Nov 05 14:10:11 2015 +0100
@@ -98,12 +98,12 @@
local n = answer.n or #answer;
if n == 0 then
- -- No SRV records, we could proceed with the domainname and
- -- default port but that will currently not work properly since
- -- mod_s2s doesn't keep the answer around for that
- return cb(host_session);
- end
- if n == 1 and answer[1].srv.target == '.' then
+ -- No SRV records, synthesize fallback host and port
+ -- this may behave oddly for connections in the other direction if
+ -- mod_s2s doesn't keep the answer around
+ answer[1] = { srv = { target = name, port = 5269 } };
+ n = 1;
+ elseif n == 1 and answer[1].srv.target == '.' then
return cb(host_session); -- No service ... This shouldn't happen?
end
local srv_hosts = { answer = answer };
@@ -162,9 +162,10 @@
local srv_hosts = host_session.srv_hosts;
if not ( srv_hosts and srv_hosts.answer and srv_hosts.answer.secure ) then
return; -- No secure SRV records, fall back to non-DANE mode
+ -- Empty response were not kept by older mod_s2s/s2sout
end
-- Do TLSA lookup for currently selected SRV record
- local srv_choice = srv_hosts[host_session.srv_choice];
+ local srv_choice = srv_hosts[host_session.srv_choice or 0] or { target = idna_to_ascii(host_session.to_host), port = 5269 };
host_session.dane = dns_lookup(function(answer)
if answer and ((answer.secure and #answer > 0) or answer.bogus) then
srv_choice.dane = answer;