prosody / Changeset 10457:0c44090cb168
mod_s2s: Abort outgoing connections earlier when TLS requirement isn't satisfied
This ensures the closure reason is accurate and not reported as an
authentication or other problem
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 28 Nov 2019 18:30:30 +0100 |
| parents | 10456:2ab1cbb1c6b0 |
| children | 10458:602dd1e2f399 |
| files | plugins/mod_s2s/mod_s2s.lua |
| diffstat | 1 files changed, 7 insertions(+), 0 deletions(-) |
--- a/plugins/mod_s2s/mod_s2s.lua Thu Nov 28 17:32:15 2019 +0100 +++ b/plugins/mod_s2s/mod_s2s.lua Thu Nov 28 18:30:30 2019 +0100 @@ -190,6 +190,13 @@ -- so the stream is ready for stanzas. RFC 6120 Section 4.3 mark_connected(session); return true; + elseif require_encryption and not session.secure then + session.log("warn", "Encrypted server-to-server communication is required but was not offered by %s", session.to_host); + session:close({ + condition = "policy-violation", + text = "Encrypted server-to-server communication is required but was not offered", + }, nil, "Could not establish encrypted connection to remote server"); + return false; elseif not session.dialback_verifying then session.log("warn", "No SASL EXTERNAL offer and Dialback doesn't seem to be enabled, giving up"); session:close({
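Review bot: the new `elseif require_encryption and not session.secure` branch is evaluated only after the preceding `if` branch (whose condition is outside this hunk) has already returned via `mark_connected(session); return true;`, so if that first branch can be taken on a session that is not `session.secure`, an unencrypted outgoing connection would still be marked connected before the policy check runs; please confirm the ordering, or move the `require_encryption and not session.secure` test ahead of the `mark_connected` branch so the policy-violation close always wins over any other outcome. Also, the hunk relies on `require_encryption` being in scope as a module-level value and on `session.secure` being set once TLS is up; neither is visible here, so a one-line comment naming where `require_encryption` is read from configuration would help the next reader. The close call itself looks right: `condition = "policy-violation"` goes to the peer, and the third argument gives the local side a distinct closure reason, which matches the commit message's goal of not reporting this as an authentication failure.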