mod_s2s_auth_certs: Validate certificates against secure SRV targets
Secure delegation or "Mini-DANE"
As with the existing DANE support, only usable in one direction, client
certificate authentication will fail if this is relied on.
--- a/plugins/mod_s2s_auth_certs.lua Thu Dec 22 00:11:23 2022 +0100
+++ b/plugins/mod_s2s_auth_certs.lua Thu Dec 22 00:13:37 2022 +0100
@@ -12,6 +12,8 @@
local conn = session.conn;
local log = session.log or log;
+ local secure_hostname = conn.extra and conn.extra.secure_hostname;
+
if not cert then
log("warn", "No certificate provided by %s", host or "unknown host");
return;
@@ -45,6 +47,14 @@
end
log("debug", "certificate identity validation result: %s", session.cert_identity_status);
end
+
+ -- Check for DNSSEC-signed SRV hostname
+ if secure_hostname and session.cert_identity_status ~= "valid" then
+ if cert_verify_identity(secure_hostname, "xmpp-server", cert) then
+ module:log("info", "Secure SRV name delegation %q -> %q", secure_hostname, host);
+ session.cert_identity_status = "valid"
+ end
+ end
end
measure_cert_statuses:with_labels(session.cert_chain_status or "unknown", session.cert_identity_status or "unknown"):add(1);
end, 509);