--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Wed Mar 05 17:42:15 2014 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Wed Mar 05 17:44:27 2014 +0100
@@ -104,6 +104,23 @@
end
end);
+function module.add_host(module)
+ module:hook("s2s-authenticated", function(event)
+ local session = event.session;
+ local srv_hosts = session.srv_hosts;
+ local srv_choice = session.srv_choice;
+ if srv_hosts[srv_choice].dane and not session.secure then
+ -- TLSA record but no TLS, not ok.
+ session:close({
+ condition = "policy-violation",
+ text = "Encrypted server-to-server communication is required but was not "
+ ..((session.direction == "outgoing" and "offered") or "used")
+ });
+ return false;
+ end
+ end);
+end
+
function module.unload()
s2sout.try_connect = _try_connect;
end
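Review bot: The new hook indexes `srv_hosts[srv_choice]` without checking either value, and since the close text distinguishes "outgoing" from "used" the hook is evidently expected to fire for incoming sessions too, where it looks like `session.srv_hosts` is not set (it appears to come from the outgoing connect path) — an unguarded index on nil would raise inside the event handler rather than apply the policy. Guarding with `local srv_host = srv_hosts and srv_choice and srv_hosts[srv_choice];` and then `if srv_host and srv_host.dane and not session.secure then` keeps the fail-closed behaviour (TLSA present but no TLS → close) while making the hook safe on sessions without SRV data. A short comment on the hook, such as `-- Enforce TLS when a TLSA record was found for the chosen SRV target; incoming sessions carry no srv_hosts and are skipped`, would record why the guard exists. Whether `session.secure` alone is sufficient here, or the DANE validation result should also be consulted, is not visible in this hunk.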