plugins/mod_s2s.lua @ 12473:bb85be686a01
mod_s2s: Distinguish DANE TLSA errors from generic cert chain errors
Otherwise it would just report "is not trusted" unless you inspect the
logs. This message is sent to the remote server, and will hopefully
show up in their logs, allowing the admin to fix their DANE setup.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Mon, 25 Apr 2022 14:41:54 +0200 |
| parent | 12472:48121960983e |
| child | 12476:d8a6e03a7161 |
12472:48121960983e | 12473:bb85be686a01 |
---|---|
923 for i, e in pairs(session.cert_chain_errors) do | 923 for i, e in pairs(session.cert_chain_errors) do |
924 if i > 2 then chain_errors:add_list(e); end | 924 if i > 2 then chain_errors:add_list(e); end |
925 end | 925 end |
926 if chain_errors:contains("certificate has expired") then | 926 if chain_errors:contains("certificate has expired") then |
927 return "has an expired certificate chain"; | 927 return "has an expired certificate chain"; |
928 elseif chain_errors:contains("No matching DANE TLSA records") then | |
929 return "does not match any DANE TLSA records"; | |
928 end | 930 end |
929 end | 931 end |
930 return "is not trusted"; -- for some other reason | 932 return "is not trusted"; -- for some other reason |
931 elseif session.cert_identity_status == "invalid" then | 933 elseif session.cert_identity_status == "invalid" then |
932 return "is not valid for this name"; | 934 return "is not valid for this name"; |
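Review bot: the new `elseif` branch at lines 928-929 keys on the literal error text "No matching DANE TLSA records", so if the code that emits that string (not visible in this hunk) is ever reworded, the classification silently falls back to the generic "is not trusted" that this change is meant to replace; consider a short comment naming where the string originates, or matching on a constant shared with the producer, so the two stay in sync. Also, the branch sits after the existing `chain_errors:contains("certificate has expired")` check, so a chain that is both expired and fails DANE matching is reported only as expired; that ordering looks deliberate, but since the commit message says this text is sent to the remote server, a one-line comment stating the precedence would help the next reader.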