author | Kim Alvefur <zash@zash.se> | 2025-04-01 20:42:53 +0200 |
committer | Kim Alvefur <zash@zash.se> | 2025-04-01 20:42:53 +0200 |
commit | 5dbd3b15e42f92d211569f21a10fbfa946ef5512 (patch) | |
tree | 0cfecc420a7a0aa9565d37fc9f691599a9e75418 /plugins | |
parent | 7976f21e3e34f7ae1c46446dbed46115a66fa8a4 (diff) | |
mod_s2s: Handle single message from chain validation
Setting ssl.verifyext enables a callback that collects all errors from
every layer of the certificate chain. Otherwise a single string is
returned, which we did not handle before.
Diffstat (limited to 'plugins')
-rw-r--r-- | plugins/mod_s2s.lua | 24 |
1 files changed, 15 insertions, 9 deletions
diff --git a/plugins/mod_s2s.lua b/plugins/mod_s2s.lua
index 7beab34a..5b81cf4f 100644
--- a/plugins/mod_s2s.lua
+++ b/plugins/mod_s2s.lua
@@ -995,16 +995,23 @@ end
 -- Complete the sentence "Your certificate " with what's wrong
 local function friendly_cert_error(session) --> string
 if session.cert_chain_status == "invalid" then
+ local cert_errors = set.new();
+ if type(session.cert_chain_errors) == "table" then
- local cert_errors = set.new(session.cert_chain_errors[1]);
- if cert_errors:contains("certificate has expired") then
- return "has expired";
- elseif cert_errors:contains("self signed certificate") or cert_errors:contains("self-signed certificate") then
- return "is self-signed";
- elseif cert_errors:contains("no matching DANE TLSA records") then
- return "does not match any DANE TLSA records";
- end
+ cert_errors:add_list(session.cert_chain_errors[1]);
+ elseif type(session.cert_chain_errors) == "string" then
+ cert_errors:add(session.cert_chain_errors);
+ end
+ if cert_errors:contains("certificate has expired") then
+ return "has expired";
+ elseif cert_errors:contains("self signed certificate") or cert_errors:contains("self-signed certificate") then
+ return "is self-signed";
+ elseif cert_errors:contains("no matching DANE TLSA records") then
+ return "does not match any DANE TLSA records";
+ end
+
+ if type(session.cert_chain_errors) == "table" then
 local chain_errors = set.new(session.cert_chain_errors[2]);
 for i, e in pairs(session.cert_chain_errors) do
 if i > 2 then chain_errors:add_list(e); end
@@ -1015,7 +1022,6 @@ local function friendly_cert_error(session) --> string
 return "does not match any DANE TLSA records";
 end
 end
- -- TODO cert_chain_errors can be a string, handle that
 return "is not trusted"; -- for some other reason
 elseif session.cert_identity_status == "invalid" then
 return "is not valid for this name";
|
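Review bot: The new two-shape handling at the top of friendly_cert_error is undocumented, so the next reader has to rediscover why cert_chain_errors is sometimes a table and sometimes a string; add a comment above `local cert_errors = set.new();` such as `-- cert_chain_errors is a list of per-depth error lists when ssl.verifyext is set, otherwise a single error string for the peer certificate`. In the string case only the leaf-level checks run, because the chain-level block below is still gated on `type(session.cert_chain_errors) == "table"`; that seems intended, since a single string carries no per-depth information, but the comment should say so. The `cert_errors:add_list(session.cert_chain_errors[1])` call presumably relies on util.set's add_list tolerating a nil argument when the table is empty; worth confirming before depending on it. friendly_cert_error's body continues past the end of the first hunk.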