diff options
author | Kim Alvefur <zash@zash.se> | 2019-11-28 18:30:30 +0100 |
---|---|---|
committer | Kim Alvefur <zash@zash.se> | 2019-11-28 18:30:30 +0100 |
commit | 61228e919ce13247321c04b6b32020d2652d58ba (patch) | |
tree | 2c6af4b374d3d61988a6914586e97555fe0582c4 | |
parent | 976a86ee4645baf3e4ef8e0f8e6066fc62e8f379 (diff) | |
download | prosody-61228e919ce13247321c04b6b32020d2652d58ba.tar.gz prosody-61228e919ce13247321c04b6b32020d2652d58ba.zip |
mod_s2s: Abort outgoing connections earlier when TLS requirement isn't satisfied
This ensures the closure reason is accurate and not reported as an
authentication or other problem
-rw-r--r-- | plugins/mod_s2s/mod_s2s.lua | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua index 6419ea67..0fd022cd 100644 --- a/plugins/mod_s2s/mod_s2s.lua +++ b/plugins/mod_s2s/mod_s2s.lua @@ -190,6 +190,13 @@ function module.add_host(module) -- so the stream is ready for stanzas. RFC 6120 Section 4.3 mark_connected(session); return true; + elseif require_encryption and not session.secure then + session.log("warn", "Encrypted server-to-server communication is required but was not offered by %s", session.to_host); + session:close({ + condition = "policy-violation", + text = "Encrypted server-to-server communication is required but was not offered", + }, nil, "Could not establish encrypted connection to remote server"); + return false; elseif not session.dialback_verifying then session.log("warn", "No SASL EXTERNAL offer and Dialback doesn't seem to be enabled, giving up"); session:close({ |