diff options
author | Kim Alvefur <zash@zash.se> | 2022-04-25 14:41:54 +0200 |
---|---|---|
committer | Kim Alvefur <zash@zash.se> | 2022-04-25 14:41:54 +0200 |
commit | f40337890ee71a17a80f86af3e2789f3a508b94d (patch) | |
tree | 427b53d83f9260453f7e9e443fb5284a04990600 | |
parent | 192e0081ce78d4bbd10b9e65d0b69ffaa9ce9117 (diff) | |
download | prosody-f40337890ee71a17a80f86af3e2789f3a508b94d.tar.gz prosody-f40337890ee71a17a80f86af3e2789f3a508b94d.zip |
mod_s2s: Distinguish DANE TLSA errors from generic cert chain errors
Otherwise it would just report "is not trusted" unless you inspect the
logs. This message is sent to to the remote server, and will hopefully
show up in their logs, allowing the admin to fix their DANE setup.
-rw-r--r-- | plugins/mod_s2s.lua | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/plugins/mod_s2s.lua b/plugins/mod_s2s.lua index 3e86e94c..5f60e01c 100644 --- a/plugins/mod_s2s.lua +++ b/plugins/mod_s2s.lua @@ -925,6 +925,8 @@ local function friendly_cert_error(session) --> string end if chain_errors:contains("certificate has expired") then return "has an expired certificate chain"; + elseif chain_errors:contains("No matching DANE TLSA records") then + return "does not match any DANE TLSA records"; end end return "is not trusted"; -- for some other reason |