--- a/mod_sasl2/mod_sasl2.lua Sun Nov 27 00:34:00 2022 +0100
+++ b/mod_sasl2/mod_sasl2.lua Mon Nov 28 11:35:15 2022 +0000
@@ -18,6 +18,7 @@
local xmlns_sasl2 = "urn:xmpp:sasl:2";
+local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", true));
local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false)
local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"});
local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" });
@@ -44,6 +45,9 @@
if origin.type ~= "c2s_unauthed" then
log("debug", "Already authenticated");
return
+ elseif secure_auth_only and not origin.secure then
+ log("debug", "Not offering authentication on insecure connection");
+ return;
end
local sasl_handler = usermanager_get_sasl_handler(host, origin)
@@ -187,6 +191,9 @@
end
module:hook_tag(xmlns_sasl2, "authenticate", function (session, auth)
+ if secure_auth_only and not session.secure then
+ return handle_status(session, "failure", "encryption-required");
+ end
local sasl_handler = session.sasl_handler;
if not sasl_handler then
sasl_handler = usermanager_get_sasl_handler(host, session);