aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKim Alvefur <zash@zash.se>2019-11-28 18:30:30 +0100
committerKim Alvefur <zash@zash.se>2019-11-28 18:30:30 +0100
commit61228e919ce13247321c04b6b32020d2652d58ba (patch)
tree2c6af4b374d3d61988a6914586e97555fe0582c4
parent976a86ee4645baf3e4ef8e0f8e6066fc62e8f379 (diff)
downloadprosody-61228e919ce13247321c04b6b32020d2652d58ba.tar.gz
prosody-61228e919ce13247321c04b6b32020d2652d58ba.zip
mod_s2s: Abort outgoing connections earlier when TLS requirement isn't satisfied
This ensures the closure reason is accurate and not reported as an authentication or other problem
-rw-r--r--plugins/mod_s2s/mod_s2s.lua7
1 files changed, 7 insertions, 0 deletions
diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua
index 6419ea67..0fd022cd 100644
--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -190,6 +190,13 @@ function module.add_host(module)
-- so the stream is ready for stanzas. RFC 6120 Section 4.3
mark_connected(session);
return true;
+ elseif require_encryption and not session.secure then
+ session.log("warn", "Encrypted server-to-server communication is required but was not offered by %s", session.to_host);
+ session:close({
+ condition = "policy-violation",
+ text = "Encrypted server-to-server communication is required but was not offered",
+ }, nil, "Could not establish encrypted connection to remote server");
+ return false;
elseif not session.dialback_verifying then
session.log("warn", "No SASL EXTERNAL offer and Dialback doesn't seem to be enabled, giving up");
session:close({