From 47ec51ca0761ccb2b775a364a04811c4ee66e3a6 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Sun, 4 Aug 2013 17:33:00 +0200
Subject: mod_s2s: Log certificate identity validation result
---
 plugins/mod_s2s/mod_s2s.lua | 1 +
 1 file changed, 1 insertion(+)
(limited to 'plugins/mod_s2s')
diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua
index 5a2af968..ccf85012 100644
--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -255,6 +255,7 @@ local function check_cert_status(session)
 else
 session.cert_identity_status = "invalid"
 end
+ (session.log or log)("debug", "certificate identity validation result: %s", session.cert_identity_status);
 end
 end
 end
-- cgit v1.2.3
From bb9aa809b19f95a01e8a721255cd076f80e5417d Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Mon, 5 Aug 2013 20:47:38 +0200
Subject: mod_s2s: Improve policy check
---
 plugins/mod_s2s/mod_s2s.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'plugins/mod_s2s')
diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua
index ccf85012..95015526 100644
--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -642,7 +642,7 @@ function check_auth_policy(event)
 must_secure = false;
 end
 
- if must_secure and not session.cert_identity_status then
+ if must_secure and (session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid") then
 module:log("warn", "Forbidding insecure connection to/from %s", host);
 if session.direction == "incoming" then
 session:close({ condition = "not-authorized", text = "Your server's certificate is invalid, expired, or not trusted by "..session.to_host });
-- cgit v1.2.3
From a316833b30b2e58f75ca808f0006c877b52f7d01 Mon Sep 17 00:00:00 2001
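Review bot: The added log line reports the identity validation result only at debug level, so an "invalid" outcome never reaches default-level logs even though the policy check later in this series reads cert_identity_status to decide whether to refuse the session. Consider raising the level for the failing case, e.g. `(session.log or log)(session.cert_identity_status == "valid" and "debug" or "info", "certificate identity validation result: %s", session.cert_identity_status);`, so an operator can see why a peer was rejected without enabling debug logging. The call sits after the if/else that assigns cert_identity_status, so in the visible lines the value is never nil when formatted with %s. check_cert_status starts before the hunk and the outer `end`s close scopes opened outside it.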
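Review bot: The rewritten condition now fails closed — a nil cert_chain_status or cert_identity_status (no TLS, or no certificate examined at all) satisfies `~= "valid"` and the session is refused when must_secure is set — but nothing in the code says that this is intended. Add a comment above the `if`: `-- nil (no TLS / no certificate presented) fails this check too: a secure session requires both chain and identity to be "valid"`. The close text sent to incoming peers ("certificate is invalid, expired, or not trusted") is then slightly misleading when no certificate was presented at all, which may be worth a separate wording. check_auth_policy starts before the hunk and continues past it, so the outgoing branch is not visible here.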
From: Kim Alvefur
Date: Tue, 6 Aug 2013 14:32:31 +0200
Subject: mod_admin_telnet, mod_s2s: Fix reporting of certificate chain validation details
---
 plugins/mod_s2s/mod_s2s.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'plugins/mod_s2s')
diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua
index 95015526..bb46cd2f 100644
--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -239,7 +239,7 @@ local function check_cert_status(session)
 -- Is there any interest in printing out all/the number of errors here?
 if not chain_valid then
 (session.log or log)("debug", "certificate chain validation result: invalid");
- for depth, t in ipairs(errors or NULL) do
+ for depth, t in pairs(errors or NULL) do
 (session.log or log)("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
 end
 session.cert_chain_status = "invalid";
-- cgit v1.2.3
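Review bot: Switching from ipairs to pairs stops the loop from ending at the first depth with no errors, but pairs gives no ordering guarantee, so the per-depth lines can now be logged out of chain order, and `depth-1` with `%d` assumes every key is numeric, which the visible lines cannot confirm. If readable per-depth output matters when diagnosing a chain failure, collect the keys, sort them and iterate the sorted list instead. check_cert_status starts before the hunk and continues after it.

```lua
			(session.log or log)("debug", "certificate chain validation result: invalid");
			local errs, depths = errors or NULL, {};
			for depth in pairs(errs) do depths[#depths+1] = depth; end
			table.sort(depths);
			for _, depth in ipairs(depths) do
				(session.log or log)("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(errs[depth], ", "))
			end
			-- … unchanged: session.cert_chain_status = "invalid" …
```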