# HG changeset patch # User Kim Alvefur # Date 1650890514 -7200 # Node ID bb85be686a0182a763cf2a28071c8c6bc168ef9d # Parent 48121960983e2c74f86c4dac42b40e45626fb750 mod_s2s: Distinguish DANE TLSA errors from generic cert chain errors Otherwise it would just report "is not trusted" unless you inspect the logs. This message is sent to the remote server, and will hopefully show up in their logs, allowing the admin to fix their DANE setup. diff -r 48121960983e -r bb85be686a01 plugins/mod_s2s.lua --- a/plugins/mod_s2s.lua Mon Apr 25 14:36:56 2022 +0200 +++ b/plugins/mod_s2s.lua Mon Apr 25 14:41:54 2022 +0200 @@ -925,6 +925,8 @@ end if chain_errors:contains("certificate has expired") then return "has an expired certificate chain"; + elseif chain_errors:contains("No matching DANE TLSA records") then + return "does not match any DANE TLSA records"; end end return "is not trusted"; -- for some other reason
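
Review bot: the new `elseif` branch in the `@@ -925,6 +925,8 @@` hunk keys on the exact literal "No matching DANE TLSA records", so if the code that produces that chain error ever rewords it, this silently falls through to "is not trusted" again. A short comment naming where the string originates, or a constant shared with the producer, would keep the two in sync. Separately, because this is an `elseif` after the "certificate has expired" check, a chain that is both expired and fails TLSA matching reports only "has an expired certificate chain" to the remote server; if the TLSA mismatch is the more actionable hint for the remote admin, consider testing it first, or add a comment stating that the ordering is intentional.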