# HG changeset patch # User Kim Alvefur # Date 1708793150 -3600 # Node ID 783706350faa83d5778ee5e31c46e30d2a054fa5 # Parent 98a6ec4ce14090aa8592833082dc07229ca21b45 mod_s2s: Comment on why we avoid hostnames in stanza bounce messages diff -r 98a6ec4ce140 -r 783706350faa plugins/mod_s2s.lua --- a/plugins/mod_s2s.lua Sat Feb 24 14:35:17 2024 +0100 +++ b/plugins/mod_s2s.lua Sat Feb 24 17:45:50 2024 +0100 @@ -1015,6 +1015,8 @@ -- In practice most cases are configuration mistakes or forgotten -- certificate renewals. We think it's better to let the other party -- know about the problem so that they can fix it. + -- + -- Note: Bounce message must not include name of server, as it may leak half your JID in semi-anon MUCs. session:close({ condition = "not-authorized", text = "Your server's certificate "..reason }, nil, "Remote server's certificate "..reason); return false;