# HG changeset patch
# User Kim Alvefur
# Date 1739635051 -3600
# Node ID 1f428259544ca0faeaf8eeba31f0caa65f415729
# Parent 4b83dbcddcff12f737d9a449e3db1342cf927e6d
# Parent 99d2100d29187ea550eafa7b6a97f18d9ecb131a
Merge 13.0->trunk
diff -r 4b83dbcddcff -r 1f428259544c core/certmanager.lua
--- a/core/certmanager.lua Sat Feb 15 10:34:26 2025 +0000
+++ b/core/certmanager.lua Sat Feb 15 16:57:31 2025 +0100
@@ -189,10 +189,6 @@
 single_ecdh_use = tls.features.options.single_ecdh_use;
 no_renegotiation = tls.features.options.no_renegotiation;
 };
-verifyext = {
-"lsec_continue", -- Continue past certificate verification errors
-"lsec_ignore_purpose", -- Validate client certificates as if they were server certificates
-};
 curve = tls.features.algorithms.ec and not tls.features.capabilities.curves_list and "secp384r1";
 curveslist = {
 "X25519",
diff -r 4b83dbcddcff -r 1f428259544c plugins/mod_s2s.lua
--- a/plugins/mod_s2s.lua Sat Feb 15 10:34:26 2025 +0000
+++ b/plugins/mod_s2s.lua Sat Feb 15 16:57:31 2025 +0100
@@ -1097,6 +1097,10 @@
 -- FIXME This only applies to Direct TLS, which we don't use yet.
 -- This gets applied for real in mod_tls
 verify = { "peer", "client_once", };
+verifyext = {
+"lsec_continue", -- Continue past certificate verification errors
+"lsec_ignore_purpose", -- Validate client certificates as if they were server certificates
+};
 };
 multiplex = {
 protocol = "xmpp-server";
@@ -1111,6 +1115,10 @@
 encryption = "ssl";
 ssl_config = {
 verify = { "peer", "client_once", };
+verifyext = {
+"lsec_continue", -- Continue past certificate verification errors
+"lsec_ignore_purpose", -- Validate client certificates as if they were server certificates
+};
 };
 multiplex = {
 protocol = "xmpp-server";
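Review bot: The `verifyext` table added in the hunk at line 1097 is the same literal that the next hunk adds at line 1115 (and that this merge removes from core/certmanager.lua), so the two copies in mod_s2s.lua can now drift independently; define it once, `local s2s_verifyext = { "lsec_continue", "lsec_ignore_purpose" };`, near the listener configuration and reference it with `verifyext = s2s_verifyext;` in both `ssl_config` tables. The preceding FIXME says these options only take effect for Direct TLS here and for real in mod_tls; it is worth extending that comment to state that `lsec_continue` lets the handshake complete even when the peer certificate fails verification, so the connection must not be treated as authenticated until the s2s certificate check that runs after the handshake has accepted it (presumably that check is where the deferred verification result is consumed — confirm). The enclosing listener table starts and ends outside both hunks.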