
plugins/mod_admin_shell.lua @ 13089:41598b7ec543

mod_admin_shell: Refactor 'cert' column Removes some dead code and hopefully simplifies a bit. There's a tree of possibilities with the two tri-state status properties, something like chain: * nil -- cert validation disabled? * invalid -- something wrong with the chain (including ee cert) * valid -- chain ok cert: * nil -- incomplete validation?? * invalid -- mismatched names or such * valid -- all good!
author Kim Alvefur <zash@zash.se>
date Sun, 30 Apr 2023 23:45:55 +0200
parent 13079:e7a5e5a0dc02
child 13104:8c786880e28d
--- a/plugins/mod_admin_shell.lua	Sun Apr 23 10:42:07 2023 +0200
+++ b/plugins/mod_admin_shell.lua	Sun Apr 30 23:45:55 2023 +0200
@@ -902,17 +902,25 @@
 		key = "cert_identity_status";
 		width = math.max(#"Expired", #"Self-signed", #"Untrusted", #"Mismatched", #"Unknown");
 		mapper = function(cert_status, session)
-			if cert_status then return capitalize(cert_status); end
-			if session.cert_chain_status == "invalid" then
+			if cert_status == "invalid" then
+				-- non-nil cert_identity_status implies valid chain, which covers just
+				-- about every error condition except mismatched certificate names
+				return "Mismatched";
+			elseif cert_status then
+				-- basically only "valid"
+				return capitalize(cert_status);
+			end
+			-- no certificate status,
+			if session.cert_chain_errors then
 				local cert_errors = set.new(session.cert_chain_errors[1]);
 				if cert_errors:contains("certificate has expired") then
 					return "Expired";
 				elseif cert_errors:contains("self signed certificate") then
 					return "Self-signed";
 				end
+				-- Some other cert issue, or something up the chain
+				-- TODO borrow more logic from mod_s2s/friendly_cert_error()
 				return "Untrusted";
-			elseif session.cert_identity_status == "invalid" then
-				return "Mismatched";
 			end
 			return "Unknown";
 		end;
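Review bot: The first two branches of `mapper` decide on `cert_identity_status` alone, so a "Valid" cell is only as trustworthy as the invariant in the new comment (non-nil identity status implies a valid chain), and nothing in this hunk enforces it. Because an operator reads this column to judge whether a peer was authenticated, consider making the dependency explicit with `elseif cert_status and session.cert_chain_status ~= "invalid" then`, so that a session with inconsistent fields falls through to the chain-error branch instead of being displayed as valid. The fall-through now keys on `session.cert_chain_errors` being present rather than on `cert_chain_status == "invalid"`; presumably that field is only stored for failed chains, but it is set outside this hunk and worth confirming, since otherwise a verified chain would be labelled "Untrusted". The new comment `-- no certificate status,` ends in a dangling comma and could read `-- no identity status; fall back to chain errors, if any`. The column table that contains `mapper` starts before the hunk.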