# HG changeset patch
# User Kim Alvefur
# Date 1743535531 -7200
# Node ID a91440ddf9a27b35e2497956180e3bbff5fc5afe
# Parent 3627980e7df6bec96b093ca06bdc038eabbe17e1
# Parent eef9a2a53dcbb0c2d73554eb5851082d87e4f05d
Merge 13.0->trunk

diff -r 3627980e7df6 -r a91440ddf9a2 plugins/mod_s2s.lua
--- a/plugins/mod_s2s.lua Tue Apr 01 18:31:26 2025 +0200
+++ b/plugins/mod_s2s.lua Tue Apr 01 21:25:31 2025 +0200
@@ -995,16 +995,23 @@
 -- Complete the sentence "Your certificate " with what's wrong
 local function friendly_cert_error(session) --> string
 if session.cert_chain_status == "invalid" then
+ local cert_errors = set.new();
+ if type(session.cert_chain_errors) == "table" then
- local cert_errors = set.new(session.cert_chain_errors[1]);
- if cert_errors:contains("certificate has expired") then
- return "has expired";
- elseif cert_errors:contains("self signed certificate") or cert_errors:contains("self-signed certificate") then
- return "is self-signed";
- elseif cert_errors:contains("no matching DANE TLSA records") then
- return "does not match any DANE TLSA records";
- end
+ cert_errors:add_list(session.cert_chain_errors[1]);
+ elseif type(session.cert_chain_errors) == "string" then
+ cert_errors:add(session.cert_chain_errors);
+ end
+ if cert_errors:contains("certificate has expired") then
+ return "has expired";
+ elseif cert_errors:contains("self signed certificate") or cert_errors:contains("self-signed certificate") then
+ return "is self-signed";
+ elseif cert_errors:contains("no matching DANE TLSA records") then
+ return "does not match any DANE TLSA records";
+ end
+
+ if type(session.cert_chain_errors) == "table" then
 local chain_errors = set.new(session.cert_chain_errors[2]);
 for i, e in pairs(session.cert_chain_errors) do
 if i > 2 then chain_errors:add_list(e); end
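Review bot: In the new `elseif type(session.cert_chain_errors) == "string"` branch the whole string is added as one set element, so the `contains()` checks that follow match only when the TLS layer hands back exactly one of the three listed messages; a string carrying any extra context would fall through to "is not trusted", which may be the intended coverage but is not stated anywhere. The function's header comment should spell out the two accepted shapes, e.g. `-- cert_chain_errors is either an indexed list of error lists (table) or a single error string; a string is matched as a whole`. The `type(session.cert_chain_errors) == "table"` test is now evaluated twice in the same branch; holding it in a local such as `local errs = session.cert_chain_errors` would make the second block read as the continuation it is. friendly_cert_error continues past the end of the hunk.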
@@ -1015,7 +1022,6 @@
 return "does not match any DANE TLSA records";
 end
 end
- -- TODO cert_chain_errors can be a string, handle that
 return "is not trusted"; -- for some other reason
 elseif session.cert_identity_status == "invalid" then
 return "is not valid for this name";
diff -r 3627980e7df6 -r a91440ddf9a2 plugins/mod_tls.lua
--- a/plugins/mod_tls.lua Tue Apr 01 18:31:26 2025 +0200
+++ b/plugins/mod_tls.lua Tue Apr 01 21:25:31 2025 +0200
@@ -63,7 +63,8 @@
 module:log("debug", "Creating context for s2sout");
 -- for outgoing server connections
- ssl_ctx_s2sout, err_s2sout, ssl_cfg_s2sout = create_context(host.host, "client", host_s2s, host_ssl, global_s2s, xmpp_alpn);
+ ssl_ctx_s2sout, err_s2sout, ssl_cfg_s2sout = create_context(host.host, "client", host_s2s, host_ssl, global_s2s, xmpp_alpn,
+ custom_cert_verification);
 if not ssl_ctx_s2sout then
 module:log("error", "Error creating contexts for s2sout: %s", err_s2sout);
 end
 module:log("debug", "Creating context for s2sin");
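Review bot: `custom_cert_verification` is passed only to the "client" (s2sout) context here and the hunk does not show where it is declared; if it is not a local defined earlier in mod_tls.lua it resolves to a nil global and `create_context` silently receives no verification hook, so the existing `-- for outgoing server connections` comment should be extended to say what the extra argument is and why only this context gets it, e.g. `-- outgoing (client) contexts additionally use custom_cert_verification (defined elsewhere in this module)`. Whether the s2sin context created just below should receive the same argument is not visible in the hunk; if the asymmetry is deliberate, the same comment is the place to say so. The enclosing function starts and ends outside the hunk.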