aboutsummaryrefslogtreecommitdiffstats
path: root/plugins/mod_s2s/mod_s2s.lua
diff options
context:
space:
mode:
authorKim Alvefur <zash@zash.se>2013-08-06 14:35:03 +0200
committerKim Alvefur <zash@zash.se>2013-08-06 14:35:03 +0200
commit323683f4074f73a3a21ca71b7691d29a05716a14 (patch)
tree43e921f6bd3937398e258a64aa064ae01360625e /plugins/mod_s2s/mod_s2s.lua
parentaffa1690f4a7c003a3eac9b42ff0dfe72d92201e (diff)
parent2d80fe3bbd1722cc703390bd9055902f7dd843bf (diff)
downloadprosody-323683f4074f73a3a21ca71b7691d29a05716a14.tar.gz
prosody-323683f4074f73a3a21ca71b7691d29a05716a14.zip
Merge 0.9->trunk
Diffstat (limited to 'plugins/mod_s2s/mod_s2s.lua')
-rw-r--r--plugins/mod_s2s/mod_s2s.lua5
1 files changed, 3 insertions, 2 deletions
diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua
index b6614d2f..c628dc47 100644
--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -246,7 +246,7 @@ local function check_cert_status(session)
-- Is there any interest in printing out all/the number of errors here?
if not chain_valid then
(session.log or log)("debug", "certificate chain validation result: invalid");
- for depth, t in ipairs(errors or NULL) do
+ for depth, t in pairs(errors or NULL) do
(session.log or log)("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
end
session.cert_chain_status = "invalid";
@@ -262,6 +262,7 @@ local function check_cert_status(session)
else
session.cert_identity_status = "invalid"
end
+ (session.log or log)("debug", "certificate identity validation result: %s", session.cert_identity_status);
end
end
end
@@ -658,7 +659,7 @@ function check_auth_policy(event)
must_secure = false;
end
- if must_secure and not session.cert_identity_status then
+ if must_secure and (session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid") then
module:log("warn", "Forbidding insecure connection to/from %s", host);
if session.direction == "incoming" then
session:close({ condition = "not-authorized", text = "Your server's certificate is invalid, expired, or not trusted by "..session.to_host });