From 25bb94216d34a30f9e5c66d2ac9a9c1147bcd247 Mon Sep 17 00:00:00 2001
From: Matthew Wild <mwild1@gmail.com>
Date: Mon, 1 Apr 2013 14:45:59 +0100
Subject: mod_s2s: Close incoming s2s with stream error when secure and we
 don't trust their certificate

---
 plugins/mod_s2s/mod_s2s.lua | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'plugins/mod_s2s/mod_s2s.lua')

diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua
index 6893d184..639f464b 100644
--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -632,7 +632,11 @@ function check_auth_policy(event)
 	
 	if must_secure and not session.cert_identity_status then
 		module:log("warn", "Forbidding insecure connection to/from %s", host);
-		session:close(false);
+		if session.direction == "incoming" then
+			session:close({ condition = "not-authorized", text = "Your server's certificate is invalid, expired, or not trusted by"..session.to_host });
+		else -- Close outgoing connections without warning
+			session:close(false);
+		end
 		return false;
 	end
 end
-- 
cgit v1.2.3