-
- if not secure_auth and secure_domains[host] then
- secure_auth = true;
- elseif secure_auth and insecure_domains[host] then
- secure_auth = false;
- end
-
- if secure_auth and not session.cert_identity_status then
- module:log("warn", "Forbidding insecure connection to/from %s", host);
- session:close(false);
+ local must_secure = secure_auth;
+
+ if not must_secure and secure_domains[host] then
+ must_secure = true;
+ elseif must_secure and insecure_domains[host] then
+ must_secure = false;
+ end
+
+ if must_secure and (session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid") then
+ module:log("warn", "Forbidding insecure connection to/from %s", host or session.ip or "(unknown host)");
+ if session.direction == "incoming" then
+ session:close({ condition = "not-authorized", text = "Your server's certificate is invalid, expired, or not trusted by "..session.to_host });
+ else -- Close outgoing connections without warning
+ session:close(false);
+ end