Merge 0.10->trunk
authorKim Alvefur <zash@zash.se>
Thu, 20 Nov 2014 15:01:47 +0100
changeset 6528 7c273da3cff6
parent 6519 ecd8d6437053 (current diff)
parent 6527 185817ef4a4d (diff)
child 6530 074a41ee0409
Merge 0.10->trunk
--- a/core/certmanager.lua	Thu Nov 20 09:02:23 2014 +0000
+++ b/core/certmanager.lua	Thu Nov 20 15:01:47 2014 +0100
@@ -137,8 +137,10 @@
 		else
 			log("error", "SSL/TLS: Error initialising for %s: %s", host, err);
 		end
+	else
+		err = nil;
 	end
-	return ctx, err;
+	return ctx, err or user_ssl_config;
 end
 
 function reload_ssl_config()
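Review bot: The second return value on the new `return ctx, err or user_ssl_config;` line now carries two meanings, apparently an error string on failure and the config table on success, so any caller that still tests `if err then` will treat a successfully created context as a failure. The mod_tls.lua hunks in this changeset switch to testing the context instead, but other callers are not visible here and should be checked. A comment above the return would make the contract explicit, e.g. `-- returns ctx, config on success; nil, error string on failure (test ctx, not the second value)`. The enclosing function starts outside this hunk.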
--- a/net/http/parser.lua	Thu Nov 20 09:02:23 2014 +0000
+++ b/net/http/parser.lua	Thu Nov 20 15:01:47 2014 +0100
@@ -132,7 +132,7 @@
 								state, chunk_size = nil, nil;
 								buf = buf:gsub("^.-\r\n\r\n", ""); -- This ensure extensions and trailers are stripped
 								success_cb(packet);
-							elseif #buf - chunk_start + 2 >= chunk_size then -- we have a chunk
+							elseif #buf - chunk_start - 2 >= chunk_size then -- we have a chunk
 								packet.body = packet.body..buf:sub(chunk_start, chunk_start + (chunk_size-1));
 								buf = buf:sub(chunk_start + chunk_size + 2);
 								chunk_size, chunk_start = nil, nil;
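Review bot: The two bytes skipped after the chunk data by `buf:sub(chunk_start + chunk_size + 2)` are never checked to be `\r\n`, so a malformed chunk terminator is silently accepted. Lenient chunk framing is a common source of disagreement between a parser and a front-end proxy, and treating the chunk as invalid when `buf:sub(chunk_start + chunk_size, chunk_start + chunk_size + 1) ~= "\r\n"` would close that gap. Separately, since `chunk_start` is the index of the first data byte (as the `buf:sub(chunk_start, ...)` call on the next line implies), the corrected guard `#buf - chunk_start - 2 >= chunk_size` asks for one byte more than data plus CRLF; that is safe, but `#buf - chunk_start - 1 >= chunk_size` would be exact. The enclosing loop starts and ends outside this hunk, so the error path for a rejected chunk is not visible here.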
@@ -140,11 +140,11 @@
 								break;
 							end
 						elseif len and #buf >= len then
-                                                       if packet.code == 101 then
-                                                               packet.body, buf = buf, ""
-                                                       else
-                                                               packet.body, buf = buf:sub(1, len), buf:sub(len + 1);
-                                                       end
+							if packet.code == 101 then
+								packet.body, buf = buf, "";
+							else
+								packet.body, buf = buf:sub(1, len), buf:sub(len + 1);
+							end
 							state = nil; success_cb(packet);
 						else
 							break;
--- a/plugins/mod_saslauth.lua	Thu Nov 20 09:02:23 2014 +0000
+++ b/plugins/mod_saslauth.lua	Thu Nov 20 15:01:47 2014 +0100
@@ -214,6 +214,10 @@
 	return true;
 end);
 
+local function tls_unique(self)
+	return self.userdata["tls-unique"]:getpeerfinished();
+end
+
 local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' };
 local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' };
 local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' };
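Review bot: `tls_unique` has no comment explaining why `getpeerfinished()` is the right source for the channel-binding data, and that choice matches RFC 5929 only for a full handshake. tls-unique is defined as the first Finished message of the handshake, which on the server side is the peer's Finished for a full handshake but the server's own for a resumed session. If session resumption can be enabled for these sockets (not visible here), the function should record that limitation, e.g. `-- tls-unique (RFC 5929): first Finished message; the peer's Finished is only correct for a full handshake on the server side`. The callback also relies on `self.userdata["tls-unique"]` being set, which the registration code in the next hunk of this file does.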
@@ -223,19 +227,23 @@
 		if secure_auth_only and not origin.secure then
 			return;
 		end
-		origin.sasl_handler = usermanager_get_sasl_handler(module.host, origin);
+		local sasl_handler = usermanager_get_sasl_handler(module.host, origin)
+		origin.sasl_handler = sasl_handler;
 		if origin.encrypted then
 			-- check wether LuaSec has the nifty binding to the function needed for tls-unique
 			-- FIXME: would be nice to have this check only once and not for every socket
-			if origin.conn:socket().getpeerfinished and origin.sasl_handler.add_cb_handler then
-				origin.sasl_handler:add_cb_handler("tls-unique", function(self)
-					return self.userdata:getpeerfinished();
-				end);
-				origin.sasl_handler["userdata"] = origin.conn:socket();
+			if sasl_handler.add_cb_handler then
+				local socket = origin.conn:socket();
+				if socket.getpeerfinished then
+					sasl_handler:add_cb_handler("tls-unique", tls_unique);
+				end
+				sasl_handler["userdata"] = {
+					["tls-unique"] = socket;
+				};
 			end
 		end
 		local mechanisms = st.stanza("mechanisms", mechanisms_attr);
-		for mechanism in pairs(origin.sasl_handler:mechanisms()) do
+		for mechanism in pairs(sasl_handler:mechanisms()) do
 			if (not disabled_mechanisms:contains(mechanism)) and (origin.secure or not insecure_mechanisms:contains(mechanism)) then
 				mechanisms:tag("mechanism"):text(mechanism):up();
 			end
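Review bot: `sasl_handler["userdata"] = { ["tls-unique"] = socket; }` runs whenever `add_cb_handler` exists, even when `socket.getpeerfinished` is missing and no callback was registered, and it replaces any `userdata` the handler may already carry instead of adding a key to it. Moving the assignment inside the `if socket.getpeerfinished then` block would keep the socket reference tied to the callback that uses it. The new `local sasl_handler = usermanager_get_sasl_handler(module.host, origin)` line also lacks the trailing `;` used on the surrounding lines. If that call can return nil, the later `sasl_handler:mechanisms()` would raise, as it would have before this change. The enclosing handler starts and ends outside this hunk.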
--- a/plugins/mod_tls.lua	Thu Nov 20 09:02:23 2014 +0000
+++ b/plugins/mod_tls.lua	Thu Nov 20 15:01:47 2014 +0100
@@ -32,8 +32,9 @@
 local host = hosts[module.host];
 
 local ssl_ctx_c2s, ssl_ctx_s2sout, ssl_ctx_s2sin;
+local ssl_cfg_c2s, ssl_cfg_s2sout, ssl_cfg_s2sin;
 do
-	local NULL, err = {};
+	local NULL = {};
 	local global = module:context("*");
 	local parent = module:context(module.host:match("%.(.*)$"));
 
@@ -48,12 +49,14 @@
 	local parent_s2s = parent:get_option("s2s_ssl", NULL);
 	local host_s2s   = module:get_option("s2s_ssl", parent_s2s);
 
-	ssl_ctx_c2s, err = create_context(host.host, "server", host_c2s, host_ssl, global_c2s); -- for incoming client connections
-	if err then module:log("error", "Error creating context for c2s: %s", err); end
+	ssl_ctx_c2s, ssl_cfg_c2s = create_context(host.host, "server", host_c2s, host_ssl, global_c2s); -- for incoming client connections
+	if not ssl_ctx_c2s then module:log("error", "Error creating context for c2s: %s", ssl_cfg_c2s); end
 
-	ssl_ctx_s2sin, err = create_context(host.host, "server", host_s2s, host_ssl, global_s2s); -- for incoming server connections
-	ssl_ctx_s2sout = create_context(host.host, "client", host_s2s, host_ssl, global_s2s); -- for outgoing server connections
-	if err then module:log("error", "Error creating context for s2s: %s", err); end -- Both would have the same issue
+	ssl_ctx_s2sout, ssl_cfg_s2sout = create_context(host.host, "client", host_s2s, host_ssl, global_s2s); -- for outgoing server connections
+	if not ssl_ctx_s2sout then module:log("error", "Error creating contexts for s2sout: %s", ssl_cfg_s2sin); end
+
+	ssl_ctx_s2sin, ssl_cfg_s2sin = create_context(host.host, "server", host_s2s, host_ssl, global_s2s); -- for incoming server connections
+	if not ssl_ctx_s2sin then module:log("error", "Error creating contexts for s2sin: %s", ssl_cfg_s2sin); end
 end
 
 local function can_do_tls(session)
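Review bot: The s2sout failure branch logs the wrong variable: `module:log("error", "Error creating contexts for s2sout: %s", ssl_cfg_s2sin)` passes `ssl_cfg_s2sin`, which has not been assigned yet at that point, so the reason returned by `create_context` is lost and the log shows nil. The line should read `if not ssl_ctx_s2sout then module:log("error", "Error creating contexts for s2sout: %s", ssl_cfg_s2sout); end`. A missing reason here makes a broken outgoing TLS configuration harder to diagnose from the logs. The `do` block this code sits in starts in the previous hunk.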
@@ -64,10 +67,13 @@
 	end
 	if session.type == "c2s_unauthed" then
 		session.ssl_ctx = ssl_ctx_c2s;
+		session.ssl_cfg = ssl_cfg_c2s;
 	elseif session.type == "s2sin_unauthed" and allow_s2s_tls then
 		session.ssl_ctx = ssl_ctx_s2sin;
+		session.ssl_cfg = ssl_cfg_s2sin;
 	elseif session.direction == "outgoing" and allow_s2s_tls then
 		session.ssl_ctx = ssl_ctx_s2sout;
+		session.ssl_cfg = ssl_cfg_s2sout;
 	else
 		return false;
 	end
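Review bot: `session.ssl_cfg` is assigned without checking that the matching context was created, so after a failed `create_context` it holds the error string instead of a config table (per the new second return value in core/certmanager.lua). Code that later reads `session.ssl_cfg` should rely on it only when `session.ssl_ctx` is set; a comment on the first assignment such as `-- ssl_cfg is only a config table when ssl_ctx is non-nil` would record that. The same value is also attached to every session, so if the config table can carry key paths or a key password (not visible here), anything that dumps session objects for debugging would include them. `can_do_tls` starts before this hunk and continues past it.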