mod_s2s: Improve policy check

author Kim Alvefur <zash@zash.se>

Mon, 5 Aug 2013 18:47:38 +0000 (20:47 +0200)

committer Kim Alvefur <zash@zash.se>

Mon, 5 Aug 2013 18:47:38 +0000 (20:47 +0200)
author Kim Alvefur <zash@zash.se>
Mon, 5 Aug 2013 18:47:38 +0000 (20:47 +0200)
committer Kim Alvefur <zash@zash.se>
Mon, 5 Aug 2013 18:47:38 +0000 (20:47 +0200)
diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua

index ccf8501299b73c6a2b098c6ea4e80c9864648442..950155268557483bd93a1a75800629699834f11a 100644 (file)
--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -642,7 +642,7 @@ function check_auth_policy(event)
                 must_secure = false;
         end
         
-       if must_secure and not session.cert_identity_status then
+       if must_secure and (session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid") then
                 module:log("warn", "Forbidding insecure connection to/from %s", host);
                 if session.direction == "incoming" then
                         session:close({ condition = "not-authorized", text = "Your server's certificate is invalid, expired, or not trusted by "..session.to_host });
author	Kim Alvefur <zash@zash.se>
	Mon, 5 Aug 2013 18:47:38 +0000 (20:47 +0200)
committer	Kim Alvefur <zash@zash.se>
	Mon, 5 Aug 2013 18:47:38 +0000 (20:47 +0200)