author | Kim Alvefur <zash@zash.se> | 2019-11-28 18:30:30 +0100 |
---|---|---|
committer | Kim Alvefur <zash@zash.se> | 2019-11-28 18:30:30 +0100 |
commit | ebfbcab1a91dce7877d48a606ca4d6b01366d625 (patch) | |
tree | 2c6af4b374d3d61988a6914586e97555fe0582c4 | |
parent | 4560212e9be2eacfc22d8effa6b4e80d04bb5212 (diff) | |
mod_s2s: Abort outgoing connections earlier when TLS requirement isn't satisfied
This ensures the closure reason is accurate and not reported as an
authentication or other problem
-rw-r--r-- | plugins/mod_s2s/mod_s2s.lua | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua
index 6419ea67..0fd022cd 100644
--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -190,6 +190,13 @@ function module.add_host(module)
 -- so the stream is ready for stanzas. RFC 6120 Section 4.3
 mark_connected(session);
 return true;
+elseif require_encryption and not session.secure then
+session.log("warn", "Encrypted server-to-server communication is required but was not offered by %s", session.to_host);
+session:close({
+condition = "policy-violation",
+text = "Encrypted server-to-server communication is required but was not offered",
+}, nil, "Could not establish encrypted connection to remote server");
+return false;
 elseif not session.dialback_verifying then
 session.log("warn", "No SASL EXTERNAL offer and Dialback doesn't seem to be enabled, giving up");
 session:close({
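Review bot: The new branch keys on `not session.secure`, which says only that TLS is not established on this session, yet both the log line and the stream-error text assert that encryption "was not offered"; if the remote advertised starttls and the handshake simply did not happen (a state this condition cannot distinguish), the closure reason the commit sets out to make accurate would still be wrong. Unless a starttls-feature check exists earlier in this handler, I would word both messages to match what is actually tested, e.g. `"Encrypted server-to-server communication is required but was not established with %s"` and `text = "Encrypted server-to-server communication is required but was not established"`. The check also sits after a branch whose condition lies outside the hunk and which already calls `mark_connected(session)`; it is worth confirming that branch cannot succeed on an unencrypted session, otherwise placing the encryption check first in the chain would be the safer ordering. The enclosing if-chain and `module.add_host` both begin before and end after this hunk.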