Prosody IM trunk


changeset 0c44090cb168

mod_s2s: Abort outgoing connections earlier when TLS requirement isn't satisfied

This ensures the closure reason is accurate and not reported as an authentication or other problem.

author: Kim Alvefur
files: 1 files changed, 7 insertions(+), 0 deletions(-)


--- a/plugins/mod_s2s/mod_s2s.lua	Thu Nov 28 17:32:15 2019 +0100
+++ b/plugins/mod_s2s/mod_s2s.lua	Thu Nov 28 18:30:30 2019 +0100
@@ -190,6 +190,13 @@
 			-- so the stream is ready for stanzas.  RFC 6120 Section 4.3
 			mark_connected(session);
 			return true;
+		elseif require_encryption and not session.secure then
+			session.log("warn", "Encrypted server-to-server communication is required but was not offered by %s", session.to_host);
+			session:close({
+					condition = "policy-violation",
+					text = "Encrypted server-to-server communication is required but was not offered",
+				}, nil, "Could not establish encrypted connection to remote server");
+			return false;
 		elseif not session.dialback_verifying then
 			session.log("warn", "No SASL EXTERNAL offer and Dialback doesn't seem to be enabled, giving up");
 			session:close({
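Review bot: the new `elseif require_encryption and not session.secure` branch is evaluated only after the preceding branch that calls `mark_connected(session)` and returns true; if that earlier branch can be reached on a session that has not negotiated TLS, an outgoing connection is marked connected without the encryption policy ever being checked. Either confirm that branch is only reachable once `session.secure` is set, or move the `require_encryption` test ahead of it so the policy-violation close fires first, which is what the commit message ("abort earlier") intends. Minor style point: the `session:close({ ... }, nil, ...)` table in the added lines is indented two levels deeper than the surrounding `session:close` calls; aligning it with the existing style keeps the diff easier to read.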