Diff

plugins/mod_tls.lua @ 2932:d2816fb6c7ea

mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s
author Matthew Wild <mwild1@gmail.com>
date Wed, 24 Mar 2010 20:00:22 +0000
parent 2923:b7049746bd29
child 2933:e68ff49fa79b
line wrap: on
line diff
--- a/plugins/mod_tls.lua	Mon Mar 22 17:16:28 2010 +0000
+++ b/plugins/mod_tls.lua	Wed Mar 24 20:00:22 2010 +0000
@@ -16,10 +16,13 @@
 
 local host = hosts[module.host];
 
+local starttls_attr = { xmlns = xmlns_starttls };
+
+--- Client-to-server TLS handling
 module:add_handler("c2s_unauthed", "starttls", xmlns_starttls,
 		function (session, stanza)
 			if session.conn.starttls and host.ssl_ctx_in then
-				session.send(st.stanza("proceed", { xmlns = xmlns_starttls }));
+				session.send(st.stanza("proceed", starttls_attr));
 				session:reset_stream();
 				if session.host and hosts[session.host].ssl_ctx_in then
 					session.conn.set_sslctx(hosts[session.host].ssl_ctx_in);
@@ -29,31 +32,11 @@
 				session.secure = false;
 			else
 				session.log("warn", "Attempt to start TLS, but TLS is not available on this connection");
-				(session.sends2s or session.send)(st.stanza("failure", { xmlns = xmlns_starttls }));
-				session:close();
-			end
-		end);
-		
-module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls,
-		function (session, stanza)
-			if session.conn.starttls and host.ssl_ctx_in then
-				session.sends2s(st.stanza("proceed", { xmlns = xmlns_starttls }));
-				session:reset_stream();
-				if session.to_host and hosts[session.to_host].ssl_ctx_in then
-					session.conn.set_sslctx(hosts[session.to_host].ssl_ctx_in);
-				end
-				session.conn.starttls();
-				session.log("info", "TLS negotiation started for incoming s2s...");
-				session.secure = false;
-			else
-				session.log("warn", "Attempt to start TLS, but TLS is not available on this s2s connection");
-				(session.sends2s or session.send)(st.stanza("failure", { xmlns = xmlns_starttls }));
+				(session.sends2s or session.send)(st.stanza("failure", starttls_attr));
 				session:close();
 			end
 		end);
 
-
-local starttls_attr = { xmlns = xmlns_starttls };
 module:add_event_hook("stream-features", 
 		function (session, features)
 			if session.conn.starttls then
@@ -65,6 +48,32 @@
 				end
 			end
 		end);
+---
+
+-- Stop here if the user doesn't want to allow s2s encryption
+if module:get_option("s2s_allow_encryption") == false then
+	return;
+end
+
+--- Server-to-server TLS handling
+module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls,
+		function (session, stanza)
+			if session.conn.starttls and host.ssl_ctx_in then
+				session.sends2s(st.stanza("proceed", starttls_attr));
+				session:reset_stream();
+				if session.to_host and hosts[session.to_host].ssl_ctx_in then
+					session.conn.set_sslctx(hosts[session.to_host].ssl_ctx_in);
+				end
+				session.conn.starttls();
+				session.log("info", "TLS negotiation started for incoming s2s...");
+				session.secure = false;
+			else
+				session.log("warn", "Attempt to start TLS, but TLS is not available on this s2s connection");
+				(session.sends2s or session.send)(st.stanza("failure", starttls_attr));
+				session:close();
+			end
+		end);
+
 
 module:hook("s2s-stream-features", 
 		function (data)