From f40337890ee71a17a80f86af3e2789f3a508b94d Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Mon, 25 Apr 2022 14:41:54 +0200
Subject: mod_s2s: Distinguish DANE TLSA errors from generic cert chain errors

Otherwise it would just report "is not trusted" unless you inspect the logs. This message is sent to to the remote server, and will hopefully show up in their logs, allowing the admin to fix their DANE setup.
---
 plugins/mod_s2s.lua | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'plugins')

diff --git a/plugins/mod_s2s.lua b/plugins/mod_s2s.lua
index 3e86e94c..5f60e01c 100644
--- a/plugins/mod_s2s.lua
+++ b/plugins/mod_s2s.lua
@@ -925,6 +925,8 @@ local function friendly_cert_error(session) --> string
 end
 if chain_errors:contains("certificate has expired") then
 return "has an expired certificate chain";
+elseif chain_errors:contains("No matching DANE TLSA records") then
+return "does not match any DANE TLSA records";
 end
 end
 return "is not trusted"; -- for some other reason
-- cgit v1.2.3
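Review bot: The new `elseif` keys on the exact text "No matching DANE TLSA records", which is produced somewhere outside this hunk (presumably the DANE verification path), so any rewording there silently drops the remote back to the generic "is not trusted" reply with no test or compile error to catch it. A comment on the added line tying the two together would help, e.g. `-- must match the error string set by DANE verification; keep in sync`. Note also that the expiry check runs first, so a chain that is both expired and has no matching TLSA record is reported only as expired; if that ordering is intentional, saying so in a short comment would save the next reader a guess. friendly_cert_error starts before this hunk and its end is outside it.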