# HG changeset patch # User Kim Alvefur # Date 1743532973 -7200 # Node ID e128ed4494f349dad44d5d86dadb2405ba5839f5 # Parent 7c76ca78ceef5336170ad4a9b4f070e1f111d239 mod_s2s: Handle single message from chain validation Setting ssl.verifyext enables a callback that collects all errors from every layer of the certificate chain. Otherwise a single string is returned, which we did not handle before. diff -r 7c76ca78ceef -r e128ed4494f3 plugins/mod_s2s.lua --- a/plugins/mod_s2s.lua Tue Apr 01 18:15:34 2025 +0200 +++ b/plugins/mod_s2s.lua Tue Apr 01 20:42:53 2025 +0200 @@ -995,16 +995,23 @@ -- Complete the sentence "Your certificate " with what's wrong local function friendly_cert_error(session) --> string if session.cert_chain_status == "invalid" then + local cert_errors = set.new(); + if type(session.cert_chain_errors) == "table" then - local cert_errors = set.new(session.cert_chain_errors[1]); - if cert_errors:contains("certificate has expired") then - return "has expired"; - elseif cert_errors:contains("self signed certificate") or cert_errors:contains("self-signed certificate") then - return "is self-signed"; - elseif cert_errors:contains("no matching DANE TLSA records") then - return "does not match any DANE TLSA records"; - end + cert_errors:add_list(session.cert_chain_errors[1]); + elseif type(session.cert_chain_errors) == "string" then + cert_errors:add(session.cert_chain_errors); + end + if cert_errors:contains("certificate has expired") then + return "has expired"; + elseif cert_errors:contains("self signed certificate") or cert_errors:contains("self-signed certificate") then + return "is self-signed"; + elseif cert_errors:contains("no matching DANE TLSA records") then + return "does not match any DANE TLSA records"; + end + + if type(session.cert_chain_errors) == "table" then local chain_errors = set.new(session.cert_chain_errors[2]); for i, e in pairs(session.cert_chain_errors) do if i > 2 then chain_errors:add_list(e); end @@ -1015,7 +1022,6 @@ return "does not match any DANE TLSA records"; end end - -- TODO cert_chain_errors can be a string, handle that return "is not trusted"; -- for some other reason elseif session.cert_identity_status == "invalid" then return "is not valid for this name";