authorKim Alvefur <zash@zash.se>2021-12-25 16:23:40 +0100
committerKim Alvefur <zash@zash.se>2021-12-25 16:23:40 +0100
commit73d1bb12184cd5bc91c5996ecc574149d9637d73 (patch)
tree81534ac655eabbfb6d3ede66ed7a31762da7d2fd
parenta02e872f8651ea4729697bd7ccc88f7f952c3f04 (diff)
various: Require encryption by default for real
These options have been specified (and enabled) in the default config file for a long time. However if unspecified in the config, they were not enabled. Now they are. This may result in a change of behaviour for people using very old config files that lack the require_encryption options. But that's what we want.
-rw-r--r--CHANGES1
-rw-r--r--plugins/mod_register_ibr.lua2
-rw-r--r--plugins/mod_s2s.lua2
-rw-r--r--plugins/mod_s2s_bidi.lua2
-rw-r--r--plugins/mod_saslauth.lua2
-rw-r--r--plugins/mod_tls.lua4
6 files changed, 7 insertions, 6 deletions
diff --git a/CHANGES b/CHANGES
index 9bd2182e..83efa5c2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -33,6 +33,7 @@ TRUNK
- Pluggable authorization providers (mod_authz_)
- Easy use of Mozilla TLS recommendations presets
- Unencrypted HTTP port (5280) restricted to loopback by default
+- require_encryption options default to 'true' if unspecified
### HTTP
diff --git a/plugins/mod_register_ibr.lua b/plugins/mod_register_ibr.lua
index 83d284c8..8042de7e 100644
--- a/plugins/mod_register_ibr.lua
+++ b/plugins/mod_register_ibr.lua
@@ -18,7 +18,7 @@ local util_error = require "util.error";
local additional_fields = module:get_option("additional_registration_fields", {});
local require_encryption = module:get_option_boolean("c2s_require_encryption",
- module:get_option_boolean("require_encryption", false));
+ module:get_option_boolean("require_encryption", true));
pcall(function ()
module:depends("register_limits");
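Review bot: The fallback chain `c2s_require_encryption` → `require_encryption` → `true` is now written out separately here, in mod_saslauth.lua and in mod_tls.lua, and the `s2s_require_encryption` default is likewise repeated in mod_s2s.lua, mod_s2s_bidi.lua and mod_tls.lua. Each module reads the option on its own, so a later edit to one literal would leave modules applying different encryption policies to the same stream. I would add a comment next to each read, for example `-- default must stay in sync with mod_saslauth and mod_tls`, or move the lookup into a single shared helper if the project has a suitable place for one. The module-level code around this statement continues outside the hunk.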
diff --git a/plugins/mod_s2s.lua b/plugins/mod_s2s.lua
index 836cf347..655cb599 100644
--- a/plugins/mod_s2s.lua
+++ b/plugins/mod_s2s.lua
@@ -40,7 +40,7 @@ local opt_keepalives = module:get_option_boolean("s2s_tcp_keepalives", module:ge
local secure_auth = module:get_option_boolean("s2s_secure_auth", false); -- One day...
local secure_domains, insecure_domains =
module:get_option_set("s2s_secure_domains", {})._items, module:get_option_set("s2s_insecure_domains", {})._items;
-local require_encryption = module:get_option_boolean("s2s_require_encryption", false);
+local require_encryption = module:get_option_boolean("s2s_require_encryption", true);
local stanza_size_limit = module:get_option_number("s2s_stanza_size_limit", 1024*512);
local measure_connections_inbound = module:metric(
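Review bot: `require_encryption` now defaults to true, but `secure_auth` three lines above it still defaults to false, and the hunk carries no comment on how the two defaults relate. How they are combined is outside the hunk, but if `s2s_secure_auth` is what demands a valid peer certificate, the new default gives encrypted yet unauthenticated server-to-server links, which resist passive interception only. A comment on the changed line would make that explicit, for example `-- encryption only; certificate validation is controlled by s2s_secure_auth / s2s_secure_domains`. The CHANGES entry could carry the same caveat so administrators do not read "require encryption" as "require verified peers".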
diff --git a/plugins/mod_s2s_bidi.lua b/plugins/mod_s2s_bidi.lua
index 28e047de..addcd6e2 100644
--- a/plugins/mod_s2s_bidi.lua
+++ b/plugins/mod_s2s_bidi.lua
@@ -10,7 +10,7 @@ local st = require "util.stanza";
local xmlns_bidi_feature = "urn:xmpp:features:bidi"
local xmlns_bidi = "urn:xmpp:bidi";
-local require_encryption = module:get_option_boolean("s2s_require_encryption", false);
+local require_encryption = module:get_option_boolean("s2s_require_encryption", true);
module:hook("s2s-stream-features", function(event)
local origin, features = event.origin, event.features;
diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua
index 212b977a..30d7acfa 100644
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -17,7 +17,7 @@ local errors = require "util.error";
local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler;
-local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", false));
+local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", true));
local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false)
local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"});
local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" });
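Review bot: With `secure_auth_only` now defaulting to true, its relationship to `allow_unencrypted_plain_auth` on the next line should be documented. The code that combines them is outside this hunk, but if `secure_auth_only` withholds authentication on unencrypted streams, then setting only `allow_unencrypted_plain_auth = true` no longer has any effect unless `c2s_require_encryption` is also explicitly set to false. Once that is confirmed, a comment such as `-- defaults to true; allow_unencrypted_plain_auth only applies when this is explicitly disabled` would spare administrators with old configs a confusing silent change.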
diff --git a/plugins/mod_tls.lua b/plugins/mod_tls.lua
index 9b80486a..afc1653a 100644
--- a/plugins/mod_tls.lua
+++ b/plugins/mod_tls.lua
@@ -10,8 +10,8 @@ local create_context = require "core.certmanager".create_context;
local rawgetopt = require"core.configmanager".rawget;
local st = require "util.stanza";
-local c2s_require_encryption = module:get_option("c2s_require_encryption", module:get_option("require_encryption"));
-local s2s_require_encryption = module:get_option("s2s_require_encryption");
+local c2s_require_encryption = module:get_option("c2s_require_encryption", module:get_option("require_encryption", true));
+local s2s_require_encryption = module:get_option("s2s_require_encryption", true);
local allow_s2s_tls = module:get_option("s2s_allow_encryption") ~= false;
local s2s_secure_auth = module:get_option("s2s_secure_auth");
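Review bot: `s2s_require_encryption` now defaults to true while `allow_s2s_tls` on the following line is still derived independently from `s2s_allow_encryption`, so a config that sets only `s2s_allow_encryption = false` would require encryption that the module is told not to offer. How the two values are used is outside the hunk, but that combination should be detected at load time and logged as a configuration error, or at least documented next to these lines. Separately, both changed reads use `module:get_option`, whereas the other modules in this commit read the same options with `module:get_option_boolean`. Switching to the typed accessor, e.g. `module:get_option_boolean("s2s_require_encryption", true)`, would keep the handling of non-boolean config values consistent across modules.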