# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1699865080 -3600
# Node ID f32faaea3461ba789a9651b374ac21ed6281c11e
# Parent  6f371066d6e0409556ba68872a3abb7835206647
util.prosodyctl.check: Update conditions for s2s cert checks

The 'anonymous_login' setting is deprecated and prosodyctl check config
will tell you to change it to 'authentication = "internal_hashed"', so
we shouldn't need to care about here anymore.

diff -r 6f371066d6e0 -r f32faaea3461 util/prosodyctl/check.lua
--- a/util/prosodyctl/check.lua	Mon Nov 13 09:43:54 2023 +0100
+++ b/util/prosodyctl/check.lua	Mon Nov 13 09:44:40 2023 +0100
@@ -1177,9 +1177,9 @@
 							print("    Not valid for client connections to "..host..".")
 							cert_ok = false
 						end
-						if modules:contains("s2s") and (not (api(host):get_option_boolean("anonymous_login", false)
-							or api(host):get_option_string("authentication", "internal_hashed") == "anonymous"))
-							and not x509_verify_identity(host, "_xmpp-server", cert) then
+						local anon = api(host):get_option_string("authentication", "internal_hashed") == "anonymous";
+						local anon_s2s = api(host):get_option_boolean("allow_anonymous_s2s", false);
+						if modules:contains("s2s") and (anon_s2s or not anon) and not x509_verify_identity(host, "_xmpp-server", cert) then
 							print("    Not valid for server-to-server connections to "..host..".")
 							cert_ok = false
 						end