authorKim Alvefur <zash@zash.se>2022-04-25 14:36:56 +0200
committerKim Alvefur <zash@zash.se>2022-04-25 14:36:56 +0200
commit192e0081ce78d4bbd10b9e65d0b69ffaa9ce9117 (patch)
tree3fd23a5ce783b5f47fe31a9d3f20f1d14e183fd2
parent5db031e07065a5cbeded76b7b3971a089f62903f (diff)
downloadprosody-192e0081ce78d4bbd10b9e65d0b69ffaa9ce9117.tar.gz
prosody-192e0081ce78d4bbd10b9e65d0b69ffaa9ce9117.zip
mod_s2s: Recognise and report errors with CA or intermediate certs
Should be invoked for cases such as when the Let's Encrypt intermediate certificate expired not too long ago.
-rw-r--r--plugins/mod_s2s.lua8
1 files changed, 8 insertions, 0 deletions
diff --git a/plugins/mod_s2s.lua b/plugins/mod_s2s.lua
index b9cd5fcd..3e86e94c 100644
--- a/plugins/mod_s2s.lua
+++ b/plugins/mod_s2s.lua
@@ -918,6 +918,14 @@ local function friendly_cert_error(session) --> string
elseif cert_errors:contains("self signed certificate") then
return "is self-signed";
end
+
+ local chain_errors = set.new(session.cert_chain_errors[2]);
+ for i, e in pairs(session.cert_chain_errors) do
+ if i > 2 then chain_errors:add_list(e); end
+ end
+ if chain_errors:contains("certificate has expired") then
+ return "has an expired certificate chain";
+ end
end
return "is not trusted"; -- for some other reason
elseif session.cert_identity_status == "invalid" then
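Review bot: The new chain_errors set is seeded from `session.cert_chain_errors[2]` and then merged with every index above 2, which leaves the seed as a special case and passes nil into set.new whenever the presented chain has no intermediate (a leaf-only chain); whether util.set tolerates a nil list is not visible here and should be confirmed. Starting from an empty set and merging from index 2 makes both points moot: `local chain_errors = set.new();` and `if i > 1 then chain_errors:add_list(e); end`. It would also help a reader to say why index 1 is skipped, e.g. `-- index 1 is the leaf, already reported via cert_errors above`, since the indexing of cert_chain_errors is not explained in the hunk. Note that only "certificate has expired" in the chain is recognised; any other chain-level failure still falls through to the generic "is not trusted", which is acceptable but worth a comment so the next reader does not assume the chain is fully checked here. friendly_cert_error starts before this hunk, so the construction of cert_errors and the non-nil assumption on session.cert_chain_errors are out of view.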