diff plugins/mod_s2s.lua @ 13703:99d2100d2918 13.0

core.certmanager: Move LuaSec verification tweaks to mod_s2s These two settings are only really needed for XMPP server-to-server connections.
author Kim Alvefur <zash@zash.se>
date Sat, 15 Feb 2025 00:19:01 +0100
parents 750ff9f579e2
children 7c76ca78ceef
line wrap: on
line diff
--- a/plugins/mod_s2s.lua	Sat Feb 15 10:31:37 2025 +0000
+++ b/plugins/mod_s2s.lua	Sat Feb 15 00:19:01 2025 +0100
@@ -1097,6 +1097,10 @@
 		-- FIXME This only applies to Direct TLS, which we don't use yet.
 		-- This gets applied for real in mod_tls
 		verify = { "peer", "client_once", };
+		verifyext = {
+			"lsec_continue", -- Continue past certificate verification errors
+			"lsec_ignore_purpose", -- Validate client certificates as if they were server certificates
+		};
 	};
 	multiplex = {
 		protocol = "xmpp-server";
@@ -1111,6 +1115,10 @@
 	encryption = "ssl";
 	ssl_config = {
 		verify = { "peer", "client_once", };
+		verifyext = {
+			"lsec_continue", -- Continue past certificate verification errors
+			"lsec_ignore_purpose", -- Validate client certificates as if they were server certificates
+		};
 	};
 	multiplex = {
 		protocol = "xmpp-server";