diff options
author | Kim Alvefur <zash@zash.se> | 2022-04-25 14:36:56 +0200 |
---|---|---|
committer | Kim Alvefur <zash@zash.se> | 2022-04-25 14:36:56 +0200 |
commit | 192e0081ce78d4bbd10b9e65d0b69ffaa9ce9117 (patch) | |
tree | 3fd23a5ce783b5f47fe31a9d3f20f1d14e183fd2 /plugins/mod_s2s.lua | |
parent | 5db031e07065a5cbeded76b7b3971a089f62903f (diff) | |
download | prosody-192e0081ce78d4bbd10b9e65d0b69ffaa9ce9117.tar.gz prosody-192e0081ce78d4bbd10b9e65d0b69ffaa9ce9117.zip |
mod_s2s: Recognise and report errors with CA or intermediate certs
Should be invoked for cases such as when the Let's Encrypt intermediate
certificate expired not too long ago.
Diffstat (limited to 'plugins/mod_s2s.lua')
-rw-r--r-- | plugins/mod_s2s.lua | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/plugins/mod_s2s.lua b/plugins/mod_s2s.lua index b9cd5fcd..3e86e94c 100644 --- a/plugins/mod_s2s.lua +++ b/plugins/mod_s2s.lua @@ -918,6 +918,14 @@ local function friendly_cert_error(session) --> string elseif cert_errors:contains("self signed certificate") then return "is self-signed"; end + + local chain_errors = set.new(session.cert_chain_errors[2]); + for i, e in pairs(session.cert_chain_errors) do + if i > 2 then chain_errors:add_list(e); end + end + if chain_errors:contains("certificate has expired") then + return "has an expired certificate chain"; + end end return "is not trusted"; -- for some other reason elseif session.cert_identity_status == "invalid" then |