900 title = "Certificate"; |
900 title = "Certificate"; |
901 description = "Validation status of certificate"; |
901 description = "Validation status of certificate"; |
902 key = "cert_identity_status"; |
902 key = "cert_identity_status"; |
903 width = math.max(#"Expired", #"Self-signed", #"Untrusted", #"Mismatched", #"Unknown"); |
903 width = math.max(#"Expired", #"Self-signed", #"Untrusted", #"Mismatched", #"Unknown"); |
904 mapper = function(cert_status, session) |
904 mapper = function(cert_status, session) |
905 if cert_status then return capitalize(cert_status); end |
905 if cert_status == "invalid" then |
906 if session.cert_chain_status == "invalid" then |
906 -- non-nil cert_identity_status implies valid chain, which covers just |
|
907 -- about every error condition except mismatched certificate names |
|
908 return "Mismatched"; |
|
909 elseif cert_status then |
|
910 -- basically only "valid" |
|
911 return capitalize(cert_status); |
|
912 end |
|
913 -- no certificate status, |
|
914 if session.cert_chain_errors then |
907 local cert_errors = set.new(session.cert_chain_errors[1]); |
915 local cert_errors = set.new(session.cert_chain_errors[1]); |
908 if cert_errors:contains("certificate has expired") then |
916 if cert_errors:contains("certificate has expired") then |
909 return "Expired"; |
917 return "Expired"; |
910 elseif cert_errors:contains("self signed certificate") then |
918 elseif cert_errors:contains("self signed certificate") then |
911 return "Self-signed"; |
919 return "Self-signed"; |
912 end |
920 end |
|
921 -- Some other cert issue, or something up the chain |
|
922 -- TODO borrow more logic from mod_s2s/friendly_cert_error() |
913 return "Untrusted"; |
923 return "Untrusted"; |
914 elseif session.cert_identity_status == "invalid" then |
|
915 return "Mismatched"; |
|
916 end |
924 end |
917 return "Unknown"; |
925 return "Unknown"; |
918 end; |
926 end; |
919 }; |
927 }; |
920 sni = { |
928 sni = { |