authorKim Alvefur <zash@zash.se>2022-04-25 14:41:54 +0200
committerKim Alvefur <zash@zash.se>2022-04-25 14:41:54 +0200
commitf40337890ee71a17a80f86af3e2789f3a508b94d (patch)
tree427b53d83f9260453f7e9e443fb5284a04990600
parent192e0081ce78d4bbd10b9e65d0b69ffaa9ce9117 (diff)
mod_s2s: Distinguish DANE TLSA errors from generic cert chain errors
Otherwise it would just report "is not trusted" unless you inspect the logs. This message is sent to the remote server, and will hopefully show up in their logs, allowing the admin to fix their DANE setup.
-rw-r--r--plugins/mod_s2s.lua2
1 files changed, 2 insertions, 0 deletions
diff --git a/plugins/mod_s2s.lua b/plugins/mod_s2s.lua
index 3e86e94c..5f60e01c 100644
--- a/plugins/mod_s2s.lua
+++ b/plugins/mod_s2s.lua
@@ -925,6 +925,8 @@ local function friendly_cert_error(session) --> string
end
if chain_errors:contains("certificate has expired") then
return "has an expired certificate chain";
+ elseif chain_errors:contains("No matching DANE TLSA records") then
+ return "does not match any DANE TLSA records";
end
end
return "is not trusted"; -- for some other reason
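Review bot: The new `elseif` branch depends on the exact text "No matching DANE TLSA records", which looks like the TLS library's wording for OpenSSL's X509_V_ERR_DANE_NO_MATCH; if a library version words it differently, the branch silently falls through to "is not trusted" and the remote admin loses the hint. I would add a comment on that line recording where the string comes from, e.g. `-- OpenSSL error text for X509_V_ERR_DANE_NO_MATCH; keep in sync with the TLS library`. Because the expiry check comes first, a chain that is both expired and fails DANE reports only the expiry, which seems acceptable but is worth stating in the same comment. friendly_cert_error starts before this hunk, so its earlier branches are not visible here.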