prosody
ad66ee47b674
plugins/mod_s2s/mod_s2s.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Comparison

plugins/mod_s2s/mod_s2s.lua @ 5594:ad66ee47b674

mod_s2s: Fix interaction between s2s_secure_auth and s2s_require_encryption, in particular ensure that when s2s_require_encryption is NOT set, do not require encryption on s2s_insecure_domains.
author Matthew Wild <mwild1@gmail.com>
date Sat, 18 May 2013 12:02:25 +0100
parent 5533:df3c78221f26
child 5636:d323932ecf18
child 5766:e6a9085f0ac3
comparison
equal deleted inserted replaced
5577:8b09b0d068d4 5594:ad66ee47b674
35 local stream_close_timeout = module:get_option_number("s2s_close_timeout", 5); 35 local stream_close_timeout = module:get_option_number("s2s_close_timeout", 5);
36 local opt_keepalives = module:get_option_boolean("s2s_tcp_keepalives", module:get_option_boolean("tcp_keepalives", true)); 36 local opt_keepalives = module:get_option_boolean("s2s_tcp_keepalives", module:get_option_boolean("tcp_keepalives", true));
37 local secure_auth = module:get_option_boolean("s2s_secure_auth", false); -- One day... 37 local secure_auth = module:get_option_boolean("s2s_secure_auth", false); -- One day...
38 local secure_domains, insecure_domains = 38 local secure_domains, insecure_domains =
39 module:get_option_set("s2s_secure_domains", {})._items, module:get_option_set("s2s_insecure_domains", {})._items; 39 module:get_option_set("s2s_secure_domains", {})._items, module:get_option_set("s2s_insecure_domains", {})._items;
40 local require_encryption = module:get_option_boolean("s2s_require_encryption", secure_auth); 40 local require_encryption = module:get_option_boolean("s2s_require_encryption", false);
41 41
42 local sessions = module:shared("sessions"); 42 local sessions = module:shared("sessions");
43 43
44 local log = module._log; 44 local log = module._log;
45 45
183 end 183 end
184 184
185 function make_authenticated(event) 185 function make_authenticated(event)
186 local session, host = event.session, event.host; 186 local session, host = event.session, event.host;
187 if not session.secure then 187 if not session.secure then
188 if require_encryption or secure_auth or secure_domains[host] then 188 if require_encryption or (secure_auth and not(insecure_domains[host])) or secure_domains[host] then
189 session:close({ 189 session:close({
190 condition = "policy-violation", 190 condition = "policy-violation",
191 text = "Encrypted server-to-server communication is required but was not " 191 text = "Encrypted server-to-server communication is required but was not "
192 ..((session.direction == "outgoing" and "offered") or "used") 192 ..((session.direction == "outgoing" and "offered") or "used")
193 }); 193 });