961 local cert_errors = set.new(session.cert_chain_errors[1]); |
961 local cert_errors = set.new(session.cert_chain_errors[1]); |
962 if cert_errors:contains("certificate has expired") then |
962 if cert_errors:contains("certificate has expired") then |
963 return "has expired"; |
963 return "has expired"; |
964 elseif cert_errors:contains("self signed certificate") then |
964 elseif cert_errors:contains("self signed certificate") then |
965 return "is self-signed"; |
965 return "is self-signed"; |
|
966 elseif cert_errors:contains("no matching DANE TLSA records") then |
|
967 return "does not match any DANE TLSA records"; |
966 end |
968 end |
967 |
969 |
968 local chain_errors = set.new(session.cert_chain_errors[2]); |
970 local chain_errors = set.new(session.cert_chain_errors[2]); |
969 for i, e in pairs(session.cert_chain_errors) do |
971 for i, e in pairs(session.cert_chain_errors) do |
970 if i > 2 then chain_errors:add_list(e); end |
972 if i > 2 then chain_errors:add_list(e); end |
971 end |
973 end |
972 if chain_errors:contains("certificate has expired") then |
974 if chain_errors:contains("certificate has expired") then |
973 return "has an expired certificate chain"; |
975 return "has an expired certificate chain"; |
974 elseif chain_errors:contains("No matching DANE TLSA records") then |
976 elseif chain_errors:contains("no matching DANE TLSA records") then |
975 return "does not match any DANE TLSA records"; |
977 return "does not match any DANE TLSA records"; |
976 end |
978 end |
977 end |
979 end |
978 return "is not trusted"; -- for some other reason |
980 return "is not trusted"; -- for some other reason |
979 elseif session.cert_identity_status == "invalid" then |
981 elseif session.cert_identity_status == "invalid" then |