mirrors/prosody
1
0
Fork 0
mirror of https://github.com/bjc/prosody.git synced 2025-04-03 21:27:38 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge 13.0->trunk

Browse source
This commit is contained in:
Kim Alvefur 2025-04-01 21:25:31 +02:00
commit 9877db0ede
2 changed files with 18 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

26
plugins/mod_s2s.lua
View file

@ -995,16 +995,23 @@ end
-- Complete the sentence "Your certificate " with what's wrong
local function friendly_cert_error(session) --> string
if session.cert_chain_status == "invalid" then
if type(session.cert_chain_errors) == "table" then
local cert_errors = set.new(session.cert_chain_errors[1]);
if cert_errors:contains("certificate has expired") then
return "has expired";
elseif cert_errors:contains("self signed certificate") or cert_errors:contains("self-signed certificate") then
return "is self-signed";
elseif cert_errors:contains("no matching DANE TLSA records") then
return "does not match any DANE TLSA records";
end
local cert_errors = set.new();
if type(session.cert_chain_errors) == "table" then
cert_errors:add_list(session.cert_chain_errors[1]);
elseif type(session.cert_chain_errors) == "string" then
cert_errors:add(session.cert_chain_errors);
end
if cert_errors:contains("certificate has expired") then
return "has expired";
elseif cert_errors:contains("self signed certificate") or cert_errors:contains("self-signed certificate") then
return "is self-signed";
elseif cert_errors:contains("no matching DANE TLSA records") then
return "does not match any DANE TLSA records";
end
if type(session.cert_chain_errors) == "table" then
local chain_errors = set.new(session.cert_chain_errors[2]);
for i, e in pairs(session.cert_chain_errors) do
if i > 2 then chain_errors:add_list(e); end
@ -1015,7 +1022,6 @@ local function friendly_cert_error(session) --> string
return "does not match any DANE TLSA records";
end
end
-- TODO cert_chain_errors can be a string, handle that
return "is not trusted"; -- for some other reason
elseif session.cert_identity_status == "invalid" then
return "is not valid for this name";

3
plugins/mod_tls.lua
View file

@ -63,7 +63,8 @@ function module.load(reload)
module:log("debug", "Creating context for s2sout");
-- for outgoing server connections
ssl_ctx_s2sout, err_s2sout, ssl_cfg_s2sout = create_context(host.host, "client", host_s2s, host_ssl, global_s2s, xmpp_alpn);
ssl_ctx_s2sout, err_s2sout, ssl_cfg_s2sout = create_context(host.host, "client", host_s2s, host_ssl, global_s2s, xmpp_alpn,
custom_cert_verification);
if not ssl_ctx_s2sout then module:log("error", "Error creating contexts for s2sout: %s", err_s2sout); end
module:log("debug", "Creating context for s2sin");