From 85abab1dfd0e1f919db3130bfd08226184099ac8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20Sch=C3=A4fer?=
Date: Fri, 17 Sep 2021 21:18:30 +0200
Subject: mod_tls: Do not offer TLS if the connection is considered secure

This may be necessary if the session.conn object is not exchanged by the network backend when establishing TLS. In that case, the starttls method will always exist and thus that is not a good indicator for offering TLS. However, the secure bit already tells us that TLS has been established or is not to be established on the connection, so we use that instead.
---
 plugins/mod_tls.lua | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/plugins/mod_tls.lua b/plugins/mod_tls.lua
index afc1653a..76964082 100644
--- a/plugins/mod_tls.lua
+++ b/plugins/mod_tls.lua
@@ -80,6 +80,9 @@ end
 module:hook_global("config-reloaded", module.load);
 local function can_do_tls(session)
+ if session.secure then
+ return false;
+ end
 if session.conn and not session.conn.starttls then
 if not session.secure then
 session.log("debug", "Underlying connection does not support STARTTLS");
-- 
cgit v1.2.3
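Review bot: With the new early return at the top of `can_do_tls`, the nested `if not session.secure then` around the "Underlying connection does not support STARTTLS" debug log is always true, so it can be dropped and the `session.log` call left unconditional in that branch. The guard also makes `session.secure` the first and deciding check, and the commit message says the flag can mean either that TLS is established or that TLS is not to be established on this connection; a comment above the guard such as `-- secure is set once TLS is up, or when the connection is treated as secure without TLS; in both cases STARTTLS must not be offered` would record that for the next reader. Because the early return emits no log line, it may be worth confirming that nothing sets `secure` on a plain connection before negotiation, since that would now suppress the STARTTLS offer silently. The body of `can_do_tls` continues past the end of the hunk, so the later branches are not visible here.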