--- a/mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua Sat Aug 03 12:38:22 2013 +0200
+++ b/mod_s2s_auth_fingerprint/mod_s2s_auth_fingerprint.lua Sun Aug 04 18:12:52 2013 +0200
@@ -4,6 +4,7 @@
module:set_global();
local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1");
+local must_match = module:get_option_boolean("s2s_pin_fingerprints", false);
local fingerprints = {};
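Review bot: The new `s2s_pin_fingerprints` option has no comment stating its scope, and its name breaks the module-name prefix convention used for the digest option on the line above. I would add `-- When true, a host with configured fingerprints is rejected unless its certificate digest matches one of them; hosts without an entry are not affected` above the declaration. With pinning enabled the digest becomes a hard accept/reject gate, so the `"sha1"` default deserves a second look. Recommending a SHA-256 digest in the option's documentation would be a reasonable follow-up, provided the certificate library in use supports it.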
@@ -27,12 +28,16 @@
local session, host, cert = event.session, event.host, event.cert;
local host_fingerprints = fingerprints[host];
- if cert and host_fingerprints then
- local digest = cert:digest(digest_algo);
+ if host_fingerprints then
+ local digest = cert and cert:digest(digest_algo);
if host_fingerprints[digest] then
session.cert_chain_status = "valid";
session.cert_identity_status = "valid";
return true;
+ elseif must_match then
+ session.cert_chain_status = "invalid";
+ session.cert_identity_status = "invalid";
+ return false;
end
end
end);
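Review bot: The `elseif must_match` branch rejects the peer without logging anything, yet a pin mismatch is a security event an operator needs to see, since it means either an unannounced certificate rotation or interception. I would log before `return false`, for example `module:log("warn", "Certificate for %s matches no pinned fingerprint, rejecting", host);`. The same branch is taken when `cert` is nil, because `digest` is then nil and the table lookup misses, so a separate message for the no-certificate case would make triage easier. Whether returning false with both statuses set to "invalid" actually terminates the session depends on the code that fires this event, which is not visible here. The handler's opening line is also outside the hunk.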