Changeset

4328:c71777a8b9c7

mod_admin_telnet: Update to newer luasec. Matthew is responsible for figuring out a nice way to print out the whole chain O:)
author Paul Aurich <paul@darkrain42.org>
date Mon, 06 Dec 2010 21:46:36 -0800 (2010-12-07)
parents 4327:98ae0d0b4d07
children 4329:d8b2c97ae6ed
files plugins/mod_admin_telnet.lua
diffstat 1 files changed, 30 insertions(+), 8 deletions(-) [+]
line wrap: on
line diff
--- a/plugins/mod_admin_telnet.lua	Tue Jun 28 17:00:50 2011 +0100
+++ b/plugins/mod_admin_telnet.lua	Mon Dec 06 21:46:36 2010 -0800
@@ -573,6 +573,20 @@
 	end
 end
 
+-- As much as it pains me to use the 0-based depths that OpenSSL does,
+-- I think there's going to be more confusion among operators if we
+-- break from that.
+local function print_errors(print, errors)
+	for depth, t in ipairs(errors) do
+		print(
+			("    %d: %s"):format(
+				depth-1,
+				table.concat(t, "\n|        ")
+			)
+		);
+	end
+end
+
 function def_env.s2s:showcert(domain)
 	local ser = require "util.serialization".serialize;
 	local print = self.session.print;
@@ -588,16 +602,17 @@
 	for session in domain_sessions do
 		local conn = session.conn;
 		conn = conn and conn:socket();
-		if not conn.getpeercertificate then
+		if not conn.getpeerchain then
 			if conn.dohandshake then
 				error("This version of LuaSec does not support certificate viewing");
 			end
 		else
-			local cert = conn:getpeercertificate();
+			local certs = conn:getpeerchain();
+			local cert = certs[1];
 			if cert then
 				local digest = cert:digest("sha1");
 				if not cert_set[digest] then
-					local chain_valid, chain_err = conn:getpeerchainvalid();
+					local chain_valid, chain_errors = conn:getpeerverification();
 					cert_set[digest] = {
 						{
 						  from = session.from_host,
@@ -605,8 +620,8 @@
 						  direction = session.direction
 						};
 						chain_valid = chain_valid;
-						chain_err = chain_err;
-						cert = cert;
+						chain_errors = chain_errors;
+						certs = certs;
 					};
 				else
 					table.insert(cert_set[digest], {
@@ -635,7 +650,8 @@
 	end
 	
 	for cert_info in values(domain_certs) do
-		local cert = cert_info.cert;
+		local certs = cert_info.certs;
+		local cert = certs[1];
 		print("---")
 		print("Fingerprint (SHA1): "..pretty_fingerprint(cert:digest("sha1")));
 		print("");
@@ -649,9 +665,15 @@
 			end
 		end
 		print("");
-		local chain_valid, err = cert_info.chain_valid, cert_info.chain_err;
+		local chain_valid, errors = cert_info.chain_valid, cert_info.chain_errors;
 		local valid_identity = cert_verify_identity(domain, "xmpp-server", cert);
-		print("Trusted certificate: "..(chain_valid and "Yes" or ("No ("..err..")")));
+		if chain_valid then
+			print("Trusted certificate: Yes");
+		else
+			print("Trusted certificate: No");
+			print_errors(print, errors);
+		end
+		print("");
 		print("Issuer: ");
 		print_subject(print, cert:issuer());
 		print("");