prosody
e128ed4494f3
plugins/mod_s2s.lua
Software / code / prosody
Comparison
plugins/mod_s2s.lua @ 13804:e128ed4494f3 13.0
mod_s2s: Handle single message from chain validation
Setting ssl.verifyext enables a callback that collects all errors from
every layer of the certificate chain. Otherwise a single string is
returned, which we did not handle before.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 01 Apr 2025 20:42:53 +0200 |
| parent | 13802:7c76ca78ceef |
comparison
equal
deleted
inserted
replaced
| 13802:7c76ca78ceef | 13804:e128ed4494f3 |
|---|---|
| 993 end | 993 end |
| 994 | 994 |
| 995 -- Complete the sentence "Your certificate " with what's wrong | 995 -- Complete the sentence "Your certificate " with what's wrong |
| 996 local function friendly_cert_error(session) --> string | 996 local function friendly_cert_error(session) --> string |
| 997 if session.cert_chain_status == "invalid" then | 997 if session.cert_chain_status == "invalid" then |
| 998 local cert_errors = set.new(); | |
| 999 | |
| 998 if type(session.cert_chain_errors) == "table" then | 1000 if type(session.cert_chain_errors) == "table" then |
| 999 local cert_errors = set.new(session.cert_chain_errors[1]); | 1001 cert_errors:add_list(session.cert_chain_errors[1]); |
| 1000 if cert_errors:contains("certificate has expired") then | 1002 elseif type(session.cert_chain_errors) == "string" then |
| 1001 return "has expired"; | 1003 cert_errors:add(session.cert_chain_errors); |
| 1002 elseif cert_errors:contains("self signed certificate") or cert_errors:contains("self-signed certificate") then | 1004 end |
| 1003 return "is self-signed"; | 1005 |
| 1004 elseif cert_errors:contains("no matching DANE TLSA records") then | 1006 if cert_errors:contains("certificate has expired") then |
| 1005 return "does not match any DANE TLSA records"; | 1007 return "has expired"; |
| 1006 end | 1008 elseif cert_errors:contains("self signed certificate") or cert_errors:contains("self-signed certificate") then |
| 1007 | 1009 return "is self-signed"; |
| 1010 elseif cert_errors:contains("no matching DANE TLSA records") then | |
| 1011 return "does not match any DANE TLSA records"; | |
| 1012 end | |
| 1013 | |
| 1014 if type(session.cert_chain_errors) == "table" then | |
| 1008 local chain_errors = set.new(session.cert_chain_errors[2]); | 1015 local chain_errors = set.new(session.cert_chain_errors[2]); |
| 1009 for i, e in pairs(session.cert_chain_errors) do | 1016 for i, e in pairs(session.cert_chain_errors) do |
| 1010 if i > 2 then chain_errors:add_list(e); end | 1017 if i > 2 then chain_errors:add_list(e); end |
| 1011 end | 1018 end |
| 1012 if chain_errors:contains("certificate has expired") then | 1019 if chain_errors:contains("certificate has expired") then |
| 1013 return "has an expired certificate chain"; | 1020 return "has an expired certificate chain"; |
| 1014 elseif chain_errors:contains("no matching DANE TLSA records") then | 1021 elseif chain_errors:contains("no matching DANE TLSA records") then |
| 1015 return "does not match any DANE TLSA records"; | 1022 return "does not match any DANE TLSA records"; |
| 1016 end | 1023 end |
| 1017 end | 1024 end |
| 1018 -- TODO cert_chain_errors can be a string, handle that | |
| 1019 return "is not trusted"; -- for some other reason | 1025 return "is not trusted"; -- for some other reason |
| 1020 elseif session.cert_identity_status == "invalid" then | 1026 elseif session.cert_identity_status == "invalid" then |
| 1021 return "is not valid for this name"; | 1027 return "is not valid for this name"; |
| 1022 end | 1028 end |
| 1023 -- this should normally be unreachable except if no s2s auth module was loaded | 1029 -- this should normally be unreachable except if no s2s auth module was loaded |
