# HG changeset patch
# User Kim Alvefur
# Date 1642786958 -3600
# Node ID 65e252940337f55aa5489b2a24e82e16561f4d06
# Parent 77ac0d96ac24c6c6a0ce851c893de670dffa3ffd
mod_s2s: Retrieve TLS context for outgoing Direct TLS connections from mod_tls
So that the same TLS context is used for both Direct TLS and starttls, since they are supposed to be functionally identical apart from the few extra round trips. A new event is added because the 's2s-created' event fires much later, after a connection has already been established, where we need the TLS context before that.
diff -r 77ac0d96ac24 -r 65e252940337 plugins/mod_s2s.lua
--- a/plugins/mod_s2s.lua Fri Jan 21 17:59:19 2022 +0100
+++ b/plugins/mod_s2s.lua Fri Jan 21 18:42:38 2022 +0100
@@ -218,14 +218,18 @@
 log("debug", "stanza [%s] queued until connection complete", stanza.name);
 -- FIXME Cleaner solution to passing extra data from resolvers to net.server
 -- This mt-clone allows resolvers to add extra data, currently used for DANE TLSA records
+ module:context(from_host):fire_event("s2sout-created", { session = host_session });
 local xmpp_extra = setmetatable({}, s2s_service_options_mt);
- local sslctx = require"core.certmanager".create_context(from_host, "client"); -- TODO this should live in mod_tls ?
- local xmpps_extra = setmetatable({ default_port = false; servername = to_host; sslctx = sslctx }, s2s_service_options_mt);
- local direct_and_normal = resolver_chain.new({
- service.new(to_host, "xmpps-server", "tcp", xmpps_extra);
- service.new(to_host, "xmpp-server", "tcp", xmpp_extra);
- });
- connect(direct_and_normal, listener, nil, { session = host_session });
+ local resolver = service.new(to_host, "xmpp-server", "tcp", xmpp_extra);
+ if host_session.ssl_ctx then
+ local sslctx = host_session.ssl_ctx;
+ local xmpps_extra = setmetatable({ default_port = false; servername = to_host; sslctx = sslctx }, s2s_service_options_mt);
+ resolver = resolver_chain.new({
+ service.new(to_host, "xmpps-server", "tcp", xmpps_extra);
+ resolver;
+ });
+ end
+ connect(resolver, listener, nil, { session = host_session });
 m_initiated_connections:with_labels(from_host):add(1)
 return true;
 end
diff -r 77ac0d96ac24 -r 65e252940337 plugins/mod_tls.lua
--- a/plugins/mod_tls.lua Fri Jan 21 17:59:19 2022 +0100
+++ b/plugins/mod_tls.lua Fri Jan 21 18:42:38 2022 +0100
@@ -79,7 +79,7 @@
 module:hook_global("config-reloaded", module.load);
 
 local function can_do_tls(session)
- if not session.conn.starttls then
+ if session.conn and not session.conn.starttls then
 if not session.secure then
 session.log("debug", "Underlying connection does not support STARTTLS");
 end
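Review bot: Direct TLS is now attempted only when `host_session.ssl_ctx` has been populated by a handler of the new `s2sout-created` event, and the `if host_session.ssl_ctx then` branch has no else, so a host where mod_tls is unloaded or declines to provide a context silently skips the xmpps-server lookup and falls back to a plain xmpp-server connection with nothing in the logs to show why; the previous code always tried Direct TLS with a certmanager context. I would add `else log("debug", "No TLS context for %s, not attempting Direct TLS", from_host); end` after the resolver_chain block, and a comment above the fire_event call, `-- mod_tls populates host_session.ssl_ctx in its 's2sout-created' handler`, since the coupling between the event and the field is otherwise invisible here. The one-use `local sslctx = host_session.ssl_ctx;` could be folded into the table field `sslctx = host_session.ssl_ctx` to keep the branch short. The enclosing function begins outside the hunk.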
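Review bot: The relaxed guard `if session.conn and not session.conn.starttls then` lets a session with no connection at all continue into TLS-context selection, which is what the new `s2sout-created` caller needs, but nothing on the line records that a nil `conn` is an expected state rather than a missing-field bug, and the STARTTLS capability check is simply skipped for such sessions. A comment would make the contract explicit: `-- session.conn is nil when called from 's2sout-created' for an outgoing session that has not connected yet; the STARTTLS capability check is skipped in that case`. The rest of can_do_tls, including where `session.ssl_ctx` is chosen, lies outside the hunk, so whether `conn.starttls` is re-validated once the connection exists cannot be confirmed from here.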
@@ -116,6 +116,11 @@
 return session.ssl_ctx;
 end
 
+module:hook("s2sout-created", function (event)
+ -- Initialize TLS context for outgoing connections
+ can_do_tls(event.session);
+end);
+
 -- Hook
 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-tls:starttls", function(event)
 local origin = event.origin;
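Review bot: The new `s2sout-created` handler calls `can_do_tls(event.session)` purely for its side effect of populating `event.session.ssl_ctx` and discards the return value, while the comment above it only says "Initialize TLS context", so a reader of mod_s2s has no hint that this hook is what makes its `host_session.ssl_ctx` check succeed. I would reword the comment to `-- Populate session.ssl_ctx for outgoing sessions before mod_s2s resolves the target; mod_s2s only attempts Direct TLS (xmpps-server) when this field is set`. Since the hunk shows can_do_tls ending with `return session.ssl_ctx;`, the handler could also use that value to leave a trace when no context is available, `if not can_do_tls(event.session) then event.session.log("debug", "No TLS context available, Direct TLS will not be attempted"); end`, so an operator can tell why an outgoing connection did not try Direct TLS.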