mod_s2s: Distinguish DANE TLSA errors from generic cert chain errors
Otherwise it would just report "is not trusted" unless you inspect the
logs. This message is sent to to the remote server, and will hopefully
show up in their logs, allowing the admin to fix their DANE setup.
--- a/plugins/mod_s2s.lua Mon Apr 25 14:36:56 2022 +0200
+++ b/plugins/mod_s2s.lua Mon Apr 25 14:41:54 2022 +0200
@@ -925,6 +925,8 @@
end
if chain_errors:contains("certificate has expired") then
return "has an expired certificate chain";
+ elseif chain_errors:contains("No matching DANE TLSA records") then
+ return "does not match any DANE TLSA records";
end
end
return "is not trusted"; -- for some other reason