# HG changeset patch # User Kim Alvefur # Date 1659461186 -7200 # Node ID 9184fe3d489aaac09abc849e8339cb6105a95bdb # Parent 72f7bb3f30d36bb69a5a22e8b1a183887f0a235c mod_tls: Record STARTTLS state so it can be shown in Shell This field can be viewed using s2s:show(nil, "... starttls") even without any special support in mod_admin_shell, which can be added later to make it nicer. One can then assume that a TLS connection with an empty / nil starttls field means Direct TLS. diff -r 72f7bb3f30d3 -r 9184fe3d489a plugins/mod_s2s.lua --- a/plugins/mod_s2s.lua Tue Aug 02 16:08:43 2022 +0200 +++ b/plugins/mod_s2s.lua Tue Aug 02 19:26:26 2022 +0200 @@ -429,7 +429,8 @@ session.had_stream = true; -- Had a stream opened at least once -- TODO: Rename session.secure to session.encrypted - if session.secure == false then + if session.secure == false then -- Set by mod_tls during STARTTLS handshake + session.starttls = "completed"; session_secure(session); end @@ -750,6 +751,7 @@ local w = conn.write; if conn:ssl() then + -- Direct TLS was used session_secure(session); end diff -r 72f7bb3f30d3 -r 9184fe3d489a plugins/mod_tls.lua --- a/plugins/mod_tls.lua Tue Aug 02 16:08:43 2022 +0200 +++ b/plugins/mod_tls.lua Tue Aug 02 19:26:26 2022 +0200 @@ -128,6 +128,7 @@ -- Hook module:hook("stanza/urn:ietf:params:xml:ns:xmpp-tls:starttls", function(event) local origin = event.origin; + origin.starttls = "requested"; if can_do_tls(origin) then if origin.conn.block_reads then -- we need to ensure that no data is read anymore, otherwise we could end up in a situation where @@ -176,6 +177,7 @@ module:log("debug", "%s is not offering TLS", session.to_host); return; end + session.starttls = "initiated"; session.sends2s(starttls_initiate); return true; end @@ -193,6 +195,7 @@ if session.type == "s2sout_unauthed" and can_do_tls(session) then module:log("debug", "Proceeding with TLS on s2sout..."); session:reset_stream(); + session.starttls = "proceeding" session.conn:starttls(session.ssl_ctx, session.to_host); session.secure = false; return true;