mirrors/prosody
1
0
Fork 0
mirror of https://github.com/bjc/prosody.git synced 2025-04-04 13:47:41 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

mod_s2s: Handle single message from chain validation

Browse source 
Setting ssl.verifyext enables a callback that collects all errors from
every layer of the certificate chain. Otherwise a single string is
returned, which we did not handle before.
This commit is contained in:
Kim Alvefur 2025-04-01 20:42:53 +02:00
parent 7976f21e3e
commit 5dbd3b15e4
1 changed files with 16 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

26
plugins/mod_s2s.lua
View file

@ -995,16 +995,23 @@ end
-- Complete the sentence "Your certificate " with what's wrong -- Complete the sentence "Your certificate " with what's wrong
local function friendly_cert_error(session) --> string local function friendly_cert_error(session) --> string
if session.cert_chain_status == "invalid" then if session.cert_chain_status == "invalid" then
if type(session.cert_chain_errors) == "table" then local cert_errors = set.new();
local cert_errors = set.new(session.cert_chain_errors[1]);
if cert_errors:contains("certificate has expired") then
return "has expired";
elseif cert_errors:contains("self signed certificate") or cert_errors:contains("self-signed certificate") then
return "is self-signed";
elseif cert_errors:contains("no matching DANE TLSA records") then
return "does not match any DANE TLSA records";
end
if type(session.cert_chain_errors) == "table" then
cert_errors:add_list(session.cert_chain_errors[1]);
elseif type(session.cert_chain_errors) == "string" then
cert_errors:add(session.cert_chain_errors);
end
if cert_errors:contains("certificate has expired") then
return "has expired";
elseif cert_errors:contains("self signed certificate") or cert_errors:contains("self-signed certificate") then
return "is self-signed";
elseif cert_errors:contains("no matching DANE TLSA records") then
return "does not match any DANE TLSA records";
end
if type(session.cert_chain_errors) == "table" then
local chain_errors = set.new(session.cert_chain_errors[2]); local chain_errors = set.new(session.cert_chain_errors[2]);
for i, e in pairs(session.cert_chain_errors) do for i, e in pairs(session.cert_chain_errors) do
if i > 2 then chain_errors:add_list(e); end if i > 2 then chain_errors:add_list(e); end
@ -1015,7 +1022,6 @@ local function friendly_cert_error(session) --> string
return "does not match any DANE TLSA records"; return "does not match any DANE TLSA records";
end end
end end
-- TODO cert_chain_errors can be a string, handle that
return "is not trusted"; -- for some other reason return "is not trusted"; -- for some other reason
elseif session.cert_identity_status == "invalid" then elseif session.cert_identity_status == "invalid" then
return "is not valid for this name"; return "is not valid for this name";