# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1630515924 -7200
# Node ID 6ad335cd43f904b5a856abbfb4029092ff8bc827
# Parent  1cac469b18d037ed46d209a8868e4b73ddafd020
mod_tls: Attempt STARTTLS on outgoing unencrypted legacy s2s connections

As suggested by RFC 7590

diff -r 1cac469b18d0 -r 6ad335cd43f9 plugins/mod_tls.lua
--- a/plugins/mod_tls.lua	Sat Sep 04 14:39:31 2021 +0200
+++ b/plugins/mod_tls.lua	Wed Sep 01 19:05:24 2021 +0200
@@ -165,6 +165,14 @@
 	end
 end, 500);
 
+module:hook("s2sout-authenticate-legacy", function(event)
+	local session = event.origin;
+	if s2s_require_encryption and can_do_tls(session) then
+		session.sends2s(starttls_initiate);
+		return true;
+	end
+end, 200);
+
 module:hook_tag(xmlns_starttls, "proceed", function (session, stanza) -- luacheck: ignore 212/stanza
 	if session.type == "s2sout_unauthed" and can_do_tls(session) then
 		module:log("debug", "Proceeding with TLS on s2sout...");