Mercurial Mercurial > prosody > prosody / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_s2s: Abort outgoing connections earlier when TLS requirement isn't satisfied
authorKim Alvefur <zash@zash.se>
Thu, 28 Nov 2019 18:30:30 +0100
changeset 10461 0c44090cb168
parent 10460 2ab1cbb1c6b0
child 10462 602dd1e2f399
mod_s2s: Abort outgoing connections earlier when TLS requirement isn't satisfied This ensures the closure reason is accurate and not reported as an authentication or other problem
plugins/mod_s2s/mod_s2s.lua file | annotate | diff | comparison | revisions 
--- a/plugins/mod_s2s/mod_s2s.lua	Thu Nov 28 17:32:15 2019 +0100
+++ b/plugins/mod_s2s/mod_s2s.lua	Thu Nov 28 18:30:30 2019 +0100
@@ -190,6 +190,13 @@
 			-- so the stream is ready for stanzas.  RFC 6120 Section 4.3
 			mark_connected(session);
 			return true;
+		elseif require_encryption and not session.secure then
+			session.log("warn", "Encrypted server-to-server communication is required but was not offered by %s", session.to_host);
+			session:close({
+					condition = "policy-violation",
+					text = "Encrypted server-to-server communication is required but was not offered",
+				}, nil, "Could not establish encrypted connection to remote server");
+			return false;
 		elseif not session.dialback_verifying then
 			session.log("warn", "No SASL EXTERNAL offer and Dialback doesn't seem to be enabled, giving up");
 			session:close({
prosody