Merge 0.12->trunk

author: Matthew Wild <mwild1@gmail.com> 2022-04-25 15:09:53 +0100
committer: Matthew Wild <mwild1@gmail.com> 2022-04-25 15:09:53 +0100
commit: fc5a8d7f4a909e60fc89a495a57950c1f4eb6166 (patch)
tree: 4f6ffd64999dcae04f02cda682a42846034dfa53 /plugins/mod_s2s.lua
parent: f40337890ee71a17a80f86af3e2789f3a508b94d (diff)
parent: 0eef6dde1e3193ec86f949acc114e91c36c5f365 (diff)
download: prosody-fc5a8d7f4a909e60fc89a495a57950c1f4eb6166.tar.gz
prosody-fc5a8d7f4a909e60fc89a495a57950c1f4eb6166.zip
1 files changed, 11 insertions, 0 deletions
diff --git a/plugins/mod_s2s.lua b/plugins/mod_s2s.lua
index 5f60e01c..2f3815c4 100644
--- a/plugins/mod_s2s.lua
+++ b/plugins/mod_s2s.lua
@@ -343,6 +343,15 @@ function make_authenticated(event)
 			}, nil, "Could not establish encrypted connection to remote server");
 		end
 	end
+
+	if session.type == "s2sout_unauthed" and not session.authenticated_remote and secure_auth and not insecure_domains[host] then
+		session:close({
+			condition = "policy-violation";
+			text = "Failed to verify certificate (internal error)";
+		});
+		return;
+	end
+
 	if hosts[host] then
 		session:close({ condition = "undefined-condition", text = "Attempt to authenticate as a host we serve" });
 	end
@@ -525,6 +534,8 @@ function stream_callbacks._streamopened(session, attr)
 		if session.secure and not session.cert_chain_status then
 			if check_cert_status(session) == false then
 				return;
+			else
+				session.authenticated_remote = true;
 			end
 		end
author	Matthew Wild <mwild1@gmail.com>	2022-04-25 15:09:53 +0100
committer	Matthew Wild <mwild1@gmail.com>	2022-04-25 15:09:53 +0100
commit	fc5a8d7f4a909e60fc89a495a57950c1f4eb6166 (patch)
tree	4f6ffd64999dcae04f02cda682a42846034dfa53 /plugins/mod_s2s.lua
parent	f40337890ee71a17a80f86af3e2789f3a508b94d (diff)
parent	0eef6dde1e3193ec86f949acc114e91c36c5f365 (diff)
download	prosody-fc5a8d7f4a909e60fc89a495a57950c1f4eb6166.tar.gz prosody-fc5a8d7f4a909e60fc89a495a57950c1f4eb6166.zip