author | Kim Alvefur <zash@zash.se> | 2025-02-15 00:19:01 +0100 |
---|---|---|
committer | Kim Alvefur <zash@zash.se> | 2025-02-15 00:19:01 +0100 |
commit | 346f58c9d9fe2e876a140cce1763c585a6f1bdb0 (patch) | |
tree | 65a284c65f431dec1e278f2650895d294e39590a /plugins | |
parent | f5f2755b632aef7d2646ee7db9e1b63c1cb9a099 (diff) | |
core.certmanager: Move LuaSec verification tweaks to mod_s2s
These two settings are only really needed for XMPP server-to-server
connections.
Diffstat (limited to 'plugins')
-rw-r--r-- | plugins/mod_s2s.lua | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/plugins/mod_s2s.lua b/plugins/mod_s2s.lua
index 8eb1565e..84ae34b5 100644
--- a/plugins/mod_s2s.lua
+++ b/plugins/mod_s2s.lua
@@ -1097,6 +1097,10 @@ module:provides("net", {
 -- FIXME This only applies to Direct TLS, which we don't use yet.
 -- This gets applied for real in mod_tls
 verify = { "peer", "client_once", };
+ verifyext = {
+ "lsec_continue", -- Continue past certificate verification errors
+ "lsec_ignore_purpose", -- Validate client certificates as if they were server certificates
+ };
 };
 multiplex = {
 protocol = "xmpp-server";
@@ -1111,6 +1115,10 @@ module:provides("net", {
 encryption = "ssl";
 ssl_config = {
 verify = { "peer", "client_once", };
+ verifyext = {
+ "lsec_continue", -- Continue past certificate verification errors
+ "lsec_ignore_purpose", -- Validate client certificates as if they were server certificates
+ };
 };
 multiplex = {
 protocol = "xmpp-server";
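Review bot: The `verifyext` entries added to both `ssl_config` tables (this hunk and the one at -1111) let the TLS handshake complete even when the peer certificate fails validation, so the trust decision has to be made after the handshake, and neither comment says where that happens. I would extend the comment, e.g. `"lsec_continue", -- Handshake continues on verification errors; the session must stay unauthenticated until the certificate status is checked afterwards`, so the table is not copied to a listener that lacks such a check. The context comment in the first block says this config only applies to Direct TLS and that the STARTTLS settings are applied in mod_tls, which the plugins diffstat does not show as changed, so it is worth confirming that the mod_tls context still receives the same two flags now that core.certmanager no longer sets them. The two tables are identical and could share one local definition; both `module:provides` bodies start and end outside the hunks.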