# HG changeset patch
# User Kim Alvefur
# Date 1650890216 -7200
# Node ID 48121960983e2c74f86c4dac42b40e45626fb750
# Parent a3b12eeedd4beb2bd5dd52c8e7c299b4cb912078
mod_s2s: Recognise and report errors with CA or intermediate certs

Should be invoked for cases such as when the Let's Encrypt intermediate certificate expired not too long ago.

diff -r a3b12eeedd4b -r 48121960983e plugins/mod_s2s.lua
--- a/plugins/mod_s2s.lua Sun Apr 24 16:17:32 2022 +0200
+++ b/plugins/mod_s2s.lua Mon Apr 25 14:36:56 2022 +0200
@@ -918,6 +918,14 @@
 elseif cert_errors:contains("self signed certificate") then
 return "is self-signed";
 end
+
+ local chain_errors = set.new(session.cert_chain_errors[2]);
+ for i, e in pairs(session.cert_chain_errors) do
+ if i > 2 then chain_errors:add_list(e); end
+ end
+ if chain_errors:contains("certificate has expired") then
+ return "has an expired certificate chain";
+ end
 end
 return "is not trusted"; -- for some other reason
 elseif session.cert_identity_status == "invalid" then
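Review bot: The added block seeds `chain_errors` from `session.cert_chain_errors[2]` and then merges only indices above 2 inside a `pairs` loop, which hides the intent and would raise a comparison error if that table ever carried a non-numeric key. Starting from `local chain_errors = set.new();` and guarding the merge with `if type(i) == "number" and i > 1 then chain_errors:add_list(e); end` collects the same entries in one place. A short comment such as `-- index 1 is presumably the peer's own certificate; higher indices are intermediates and the CA` would also explain why `pairs` is used rather than `ipairs` (the table looks like it can be sparse, though its shape is not visible here). Only the exact string "certificate has expired" is recognised, so other chain failures such as a not-yet-valid intermediate still fall through to the generic "is not trusted" report. The enclosing function and the definition of `cert_errors` start outside this hunk.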