net.server_epoll: Support for passing DANE TLSA data to LuaSec (0.8 needed)

1 files changed, 14 insertions, 0 deletions

diff --git a/net/server_epoll.lua b/net/server_epoll.lua
index b079bdd2..d289558c 100644
--- a/net/server_epoll.lua
+++ b/net/server_epoll.lua
@@ -13,6 +13,7 @@ local pcall = pcall;
 local type = type;
 local next = next;
 local pairs = pairs;
+local ipairs = ipairs;
 local traceback = debug.traceback;
 local logger = require "util.logger";
 local log = logger.init("server_epoll");
@@ -585,6 +586,19 @@ function interface:tlshandshake()
 				conn:sni(self._server.hosts, true);
 			end
 		end
+		if self.extra and self.extra.tlsa and conn.settlsa then
+			-- TODO Error handling
+			if not conn:setdane(self.servername or self.extra.dane_hostname) then
+				self:debug("Could not enable DANE on connection");
+			else
+				self:debug("Enabling DANE with %d TLSA records", #self.extra.tlsa);
+				self:noise("DANE hostname is %q", self.servername or self.extra.dane_hostname);
+				for _, tlsa in ipairs(self.extra.tlsa) do
+					self:noise("TLSA: %q", tlsa);
+					conn:settlsa(tlsa.use, tlsa.select, tlsa.match, tlsa.data);
+				end
+			end
+		end
 		self:on("starttls");
 		self.ondrain = nil;
 		self.onwritable = interface.tlshandshake;