2 files changed, 17 insertions, 10 deletions

diff --git a/plugins/mod_s2s.lua b/plugins/mod_s2s.lua
index 7beab34a..5b81cf4f 100644
--- a/plugins/mod_s2s.lua
+++ b/plugins/mod_s2s.lua
@@ -995,16 +995,23 @@ end
 -- Complete the sentence "Your certificate " with what's wrong
 local function friendly_cert_error(session) --> string
 	if session.cert_chain_status == "invalid" then
+		local cert_errors = set.new();
+
 		if type(session.cert_chain_errors) == "table" then
-			local cert_errors = set.new(session.cert_chain_errors[1]);
-			if cert_errors:contains("certificate has expired") then
-				return "has expired";
-			elseif cert_errors:contains("self signed certificate") or cert_errors:contains("self-signed certificate") then
-				return "is self-signed";
-			elseif cert_errors:contains("no matching DANE TLSA records") then
-				return "does not match any DANE TLSA records";
-			end
+			cert_errors:add_list(session.cert_chain_errors[1]);
+		elseif type(session.cert_chain_errors) == "string" then
+			cert_errors:add(session.cert_chain_errors);
+		end
 
+		if cert_errors:contains("certificate has expired") then
+			return "has expired";
+		elseif cert_errors:contains("self signed certificate") or cert_errors:contains("self-signed certificate") then
+			return "is self-signed";
+		elseif cert_errors:contains("no matching DANE TLSA records") then
+			return "does not match any DANE TLSA records";
+		end
+
+		if type(session.cert_chain_errors) == "table" then
 			local chain_errors = set.new(session.cert_chain_errors[2]);
 			for i, e in pairs(session.cert_chain_errors) do
 				if i > 2 then chain_errors:add_list(e); end
@@ -1015,7 +1022,6 @@ local function friendly_cert_error(session) --> string
 				return "does not match any DANE TLSA records";
 			end
 		end
-		-- TODO cert_chain_errors can be a string, handle that
 		return "is not trusted"; -- for some other reason
 	elseif session.cert_identity_status == "invalid" then
 		return "is not valid for this name";
diff --git a/plugins/mod_tls.lua b/plugins/mod_tls.lua
index ac215b81..a3af2f84 100644
--- a/plugins/mod_tls.lua
+++ b/plugins/mod_tls.lua
@@ -63,7 +63,8 @@ function module.load(reload)
 
 	module:log("debug", "Creating context for s2sout");
 	-- for outgoing server connections
-	ssl_ctx_s2sout, err_s2sout, ssl_cfg_s2sout = create_context(host.host, "client", host_s2s, host_ssl, global_s2s, xmpp_alpn);
+	ssl_ctx_s2sout, err_s2sout, ssl_cfg_s2sout = create_context(host.host, "client", host_s2s, host_ssl, global_s2s, xmpp_alpn,
+		custom_cert_verification);
 	if not ssl_ctx_s2sout then module:log("error", "Error creating contexts for s2sout: %s", err_s2sout); end
 
 	module:log("debug", "Creating context for s2sin");