diff options
| author | Kim Alvefur <zash@zash.se> | 2025-04-01 21:25:31 +0200 |
|---|---|---|
| committer | Kim Alvefur <zash@zash.se> | 2025-04-01 21:25:31 +0200 |
| commit | 9877db0ede2eba822569f0795151b9c51471325e (patch) | |
| tree | e7ef46a6b2116dae0f31e24061bbe417d6645301 /plugins | |
| parent | 126262edb30d67f15abd18097f28d9e0a5898ef9 (diff) | |
| parent | 1d47e2fab1437d6a92e3e3084338425633520f2e (diff) | |
| download | prosody-origin/master.tar.gz prosody-origin/master.zip | |
Merge 13.0->trunkHEADorigin/mastermaster
Diffstat (limited to 'plugins')
| -rw-r--r-- | plugins/mod_s2s.lua | 24 | ||||
| -rw-r--r-- | plugins/mod_tls.lua | 3 |
2 files changed, 17 insertions, 10 deletions
diff --git a/plugins/mod_s2s.lua b/plugins/mod_s2s.lua index 7beab34a..5b81cf4f 100644 --- a/plugins/mod_s2s.lua +++ b/plugins/mod_s2s.lua @@ -995,16 +995,23 @@ end -- Complete the sentence "Your certificate " with what's wrong local function friendly_cert_error(session) --> string if session.cert_chain_status == "invalid" then + local cert_errors = set.new(); + if type(session.cert_chain_errors) == "table" then - local cert_errors = set.new(session.cert_chain_errors[1]); - if cert_errors:contains("certificate has expired") then - return "has expired"; - elseif cert_errors:contains("self signed certificate") or cert_errors:contains("self-signed certificate") then - return "is self-signed"; - elseif cert_errors:contains("no matching DANE TLSA records") then - return "does not match any DANE TLSA records"; - end + cert_errors:add_list(session.cert_chain_errors[1]); + elseif type(session.cert_chain_errors) == "string" then + cert_errors:add(session.cert_chain_errors); + end + if cert_errors:contains("certificate has expired") then + return "has expired"; + elseif cert_errors:contains("self signed certificate") or cert_errors:contains("self-signed certificate") then + return "is self-signed"; + elseif cert_errors:contains("no matching DANE TLSA records") then + return "does not match any DANE TLSA records"; + end + + if type(session.cert_chain_errors) == "table" then local chain_errors = set.new(session.cert_chain_errors[2]); for i, e in pairs(session.cert_chain_errors) do if i > 2 then chain_errors:add_list(e); end @@ -1015,7 +1022,6 @@ local function friendly_cert_error(session) --> string return "does not match any DANE TLSA records"; end end - -- TODO cert_chain_errors can be a string, handle that return "is not trusted"; -- for some other reason elseif session.cert_identity_status == "invalid" then return "is not valid for this name"; diff --git a/plugins/mod_tls.lua b/plugins/mod_tls.lua index ac215b81..a3af2f84 100644 --- a/plugins/mod_tls.lua +++ b/plugins/mod_tls.lua @@ -63,7 +63,8 @@ function module.load(reload) module:log("debug", "Creating context for s2sout"); -- for outgoing server connections - ssl_ctx_s2sout, err_s2sout, ssl_cfg_s2sout = create_context(host.host, "client", host_s2s, host_ssl, global_s2s, xmpp_alpn); + ssl_ctx_s2sout, err_s2sout, ssl_cfg_s2sout = create_context(host.host, "client", host_s2s, host_ssl, global_s2s, xmpp_alpn, + custom_cert_verification); if not ssl_ctx_s2sout then module:log("error", "Error creating contexts for s2sout: %s", err_s2sout); end module:log("debug", "Creating context for s2sin"); |