aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKim Alvefur <zash@zash.se>2019-11-28 17:32:15 +0100
committerKim Alvefur <zash@zash.se>2019-11-28 17:32:15 +0100
commit4560212e9be2eacfc22d8effa6b4e80d04bb5212 (patch)
tree9935c058bde385985c5641a4196b1e7bdfd25346
parent07e3b931813528b905c85fbffa97c4f86cea54f3 (diff)
downloadprosody-4560212e9be2eacfc22d8effa6b4e80d04bb5212.tar.gz
prosody-4560212e9be2eacfc22d8effa6b4e80d04bb5212.zip
mod_s2s: Send stream errors for cert problems on outgoing connections
Rationale in comment.
-rw-r--r--plugins/mod_s2s/mod_s2s.lua13
1 files changed, 7 insertions, 6 deletions
diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua
index 4d79a825..6419ea67 100644
--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -758,12 +758,13 @@ function check_auth_policy(event)
if must_secure and (session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid") then
module:log("warn", "Forbidding insecure connection to/from %s", host or session.ip or "(unknown host)");
local reason = friendly_cert_error(session);
- if session.direction == "incoming" then
- session:close({ condition = "not-authorized", text = "Your server's certificate "..reason },
- nil, "Remote server's certificate "..reason);
- else -- Close outgoing connections without warning
- session:close(false, nil, "Remote server's certificate "..reason);
- end
+ -- XEP-0178 recommends closing outgoing connections without warning
+ -- but does not give a rationale for this.
+ -- In practice most cases are configuration mistakes or forgotten
+ -- certificate renewals. We think it's better to let the other party
+ -- know about the problem so that they can fix it.
+ session:close({ condition = "not-authorized", text = "Your server's certificate "..reason },
+ nil, "Remote server's certificate "..reason);
return false;
end
end