Changeset

--- a/plugins/mod_s2s.lua	Tue Apr 01 18:15:34 2025 +0200
+++ b/plugins/mod_s2s.lua	Tue Apr 01 20:42:53 2025 +0200
@@ -995,16 +995,23 @@
 -- Complete the sentence "Your certificate " with what's wrong
 local function friendly_cert_error(session) --> string
 	if session.cert_chain_status == "invalid" then
+		local cert_errors = set.new();
+
 		if type(session.cert_chain_errors) == "table" then
-			local cert_errors = set.new(session.cert_chain_errors[1]);
-			if cert_errors:contains("certificate has expired") then
-				return "has expired";
-			elseif cert_errors:contains("self signed certificate") or cert_errors:contains("self-signed certificate") then
-				return "is self-signed";
-			elseif cert_errors:contains("no matching DANE TLSA records") then
-				return "does not match any DANE TLSA records";
-			end
+			cert_errors:add_list(session.cert_chain_errors[1]);
+		elseif type(session.cert_chain_errors) == "string" then
+			cert_errors:add(session.cert_chain_errors);
+		end
 
+		if cert_errors:contains("certificate has expired") then
+			return "has expired";
+		elseif cert_errors:contains("self signed certificate") or cert_errors:contains("self-signed certificate") then
+			return "is self-signed";
+		elseif cert_errors:contains("no matching DANE TLSA records") then
+			return "does not match any DANE TLSA records";
+		end
+
+		if type(session.cert_chain_errors) == "table" then
 			local chain_errors = set.new(session.cert_chain_errors[2]);
 			for i, e in pairs(session.cert_chain_errors) do
 				if i > 2 then chain_errors:add_list(e); end
@@ -1015,7 +1022,6 @@
 				return "does not match any DANE TLSA records";
 			end
 		end
-		-- TODO cert_chain_errors can be a string, handle that
 		return "is not trusted"; -- for some other reason
 	elseif session.cert_identity_status == "invalid" then
 		return "is not valid for this name";