aboutsummaryrefslogtreecommitdiffstats
path: root/plugins/mod_s2s.lua
diff options
context:
space:
mode:
authorKim Alvefur <zash@zash.se>2022-04-25 14:36:56 +0200
committerKim Alvefur <zash@zash.se>2022-04-25 14:36:56 +0200
commit192e0081ce78d4bbd10b9e65d0b69ffaa9ce9117 (patch)
tree3fd23a5ce783b5f47fe31a9d3f20f1d14e183fd2 /plugins/mod_s2s.lua
parent5db031e07065a5cbeded76b7b3971a089f62903f (diff)
downloadprosody-192e0081ce78d4bbd10b9e65d0b69ffaa9ce9117.tar.gz
prosody-192e0081ce78d4bbd10b9e65d0b69ffaa9ce9117.zip
mod_s2s: Recognise and report errors with CA or intermediate certs
Should be invoked for cases such as when the Let's Encrypt intermediate certificate expired not too long ago.
Diffstat (limited to 'plugins/mod_s2s.lua')
-rw-r--r--plugins/mod_s2s.lua8
1 files changed, 8 insertions, 0 deletions
diff --git a/plugins/mod_s2s.lua b/plugins/mod_s2s.lua
index b9cd5fcd..3e86e94c 100644
--- a/plugins/mod_s2s.lua
+++ b/plugins/mod_s2s.lua
@@ -918,6 +918,14 @@ local function friendly_cert_error(session) --> string
elseif cert_errors:contains("self signed certificate") then
return "is self-signed";
end
+
+ local chain_errors = set.new(session.cert_chain_errors[2]);
+ for i, e in pairs(session.cert_chain_errors) do
+ if i > 2 then chain_errors:add_list(e); end
+ end
+ if chain_errors:contains("certificate has expired") then
+ return "has an expired certificate chain";
+ end
end
return "is not trusted"; -- for some other reason
elseif session.cert_identity_status == "invalid" then