Software / code / prosody
Changeset
10456:2ab1cbb1c6b0
mod_s2s: Send stream errors for cert problems on outgoing connections
Rationale in comment.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 28 Nov 2019 17:32:15 +0100 |
| parents | 10455:698ff3610e57 |
| children | 10457:0c44090cb168 |
| files | plugins/mod_s2s/mod_s2s.lua |
| diffstat | 1 files changed, 7 insertions(+), 6 deletions(-) [+] |
line wrap: on
line diff
--- a/plugins/mod_s2s/mod_s2s.lua Wed Nov 27 23:26:59 2019 +0100 +++ b/plugins/mod_s2s/mod_s2s.lua Thu Nov 28 17:32:15 2019 +0100 @@ -758,12 +758,13 @@ if must_secure and (session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid") then module:log("warn", "Forbidding insecure connection to/from %s", host or session.ip or "(unknown host)"); local reason = friendly_cert_error(session); - if session.direction == "incoming" then - session:close({ condition = "not-authorized", text = "Your server's certificate "..reason }, - nil, "Remote server's certificate "..reason); - else -- Close outgoing connections without warning - session:close(false, nil, "Remote server's certificate "..reason); - end + -- XEP-0178 recommends closing outgoing connections without warning + -- but does not give a rationale for this. + -- In practice most cases are configuration mistakes or forgotten + -- certificate renewals. We think it's better to let the other party + -- know about the problem so that they can fix it. + session:close({ condition = "not-authorized", text = "Your server's certificate "..reason }, + nil, "Remote server's certificate "..reason); return false; end end
