From 14c6c3dbf063a449a7020fd716ab4012059562b8 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Tue, 5 Oct 2021 19:56:36 +0200
Subject: net.server_epoll: Prevent starttls on direct TLS connections

This is not a pretty way to signal this... but it is the current API

interface:inittls() is a new code path which did not go past the point in interface:starttls() where it set starttls to false, leading mod_tls to offer starttls on direct TLS connections

Thanks Martin for discovering.
---
 net/server_epoll.lua | 1 +
 1 file changed, 1 insertion(+)
(limited to 'net')

diff --git a/net/server_epoll.lua b/net/server_epoll.lua
index 89b6ffe9..e4fea5c1 100644
--- a/net/server_epoll.lua
+++ b/net/server_epoll.lua
@@ -634,6 +634,7 @@ function interface:inittls(tls_ctx, now)
  if self._tls then return end
  if tls_ctx then self.tls_ctx = tls_ctx; end
  self._tls = true;
+ self.starttls = false;
  self:debug("Starting TLS now");
  self:updatenames(); -- Can't getpeer/sockname after wrap()
  local ok, conn, err = pcall(luasec.wrap, self.conn, self.tls_ctx);
-- cgit v1.2.3
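Review bot: The added `self.starttls = false;` shadows the `interface:starttls` method on this instance with a boolean and carries no comment, so a later reader is likely to take it for a stray assignment; give it a why-comment such as `-- shadow starttls() so mod_tls does not offer STARTTLS on a connection that is already direct TLS (mirrors interface:starttls())`. The assignment is made before `pcall(luasec.wrap, self.conn, self.tls_ctx)`, so it stays false even if the wrap fails, which is consistent with how `self._tls = true` is set just above it; whether a failed wrap can leave a still-usable plaintext connection with STARTTLS disabled is not visible in this hunk and is worth confirming. interface:inittls continues past the end of the hunk.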