From 2e726abc77cdfb09f01eb31358ad56d587a9c88e Mon Sep 17 00:00:00 2001 From: Waqas Hussain Date: Fri, 12 Feb 2010 02:39:50 +0500 Subject: mod_tls: Respond with proper error when TLS cannot be negotiated. --- plugins/mod_tls.lua | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'plugins/mod_tls.lua') diff --git a/plugins/mod_tls.lua b/plugins/mod_tls.lua index 8a450803..fb1433da 100644 --- a/plugins/mod_tls.lua +++ b/plugins/mod_tls.lua @@ -26,8 +26,9 @@ module:add_handler("c2s_unauthed", "starttls", xmlns_starttls, session.log("info", "TLS negotiation started..."); session.secure = false; else - -- FIXME: What reply? session.log("warn", "Attempt to start TLS, but TLS is not available on this connection"); + (session.sends2s or session.send)(st.stanza("failure", { xmlns = xmlns_starttls })); + session:close(); end end); @@ -43,8 +44,9 @@ module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls, session.log("info", "TLS negotiation started for incoming s2s..."); session.secure = false; else - -- FIXME: What reply? session.log("warn", "Attempt to start TLS, but TLS is not available on this s2s connection"); + (session.sends2s or session.send)(st.stanza("failure", { xmlns = xmlns_starttls })); + session:close(); end end); -- cgit v1.2.3 From db783f4a21352a560c162932d18d20cc22bb86a9 Mon Sep 17 00:00:00 2001 From: Waqas Hussain Date: Fri, 12 Feb 2010 03:14:53 +0500 Subject: mod_tls: Fixed an extra :up() in s2s stream feature generation. --- plugins/mod_tls.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'plugins/mod_tls.lua') diff --git a/plugins/mod_tls.lua b/plugins/mod_tls.lua index fb1433da..49ee18c9 100644 --- a/plugins/mod_tls.lua +++ b/plugins/mod_tls.lua @@ -68,7 +68,7 @@ module:hook("s2s-stream-features", function (data) local session, features = data.session, data.features; if session.to_host and session.conn.starttls then - features:tag("starttls", starttls_attr):up(); + features:tag("starttls", starttls_attr); if secure_s2s_only then features:tag("required"):up():up(); else -- cgit v1.2.3 From 4bfd2f37a984ea4f40b5fb94e1333b4fe250e3fd Mon Sep 17 00:00:00 2001 From: Matthew Wild Date: Fri, 12 Feb 2010 21:33:22 +0000 Subject: mod_tls: Don't offer TLS on hosts that don't have any certs --- plugins/mod_tls.lua | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'plugins/mod_tls.lua') diff --git a/plugins/mod_tls.lua b/plugins/mod_tls.lua index 49ee18c9..54b48161 100644 --- a/plugins/mod_tls.lua +++ b/plugins/mod_tls.lua @@ -14,9 +14,11 @@ local xmlns_starttls = 'urn:ietf:params:xml:ns:xmpp-tls'; local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption"); local secure_s2s_only = module:get_option("s2s_require_encryption"); +local host = hosts[module.host]; + module:add_handler("c2s_unauthed", "starttls", xmlns_starttls, function (session, stanza) - if session.conn.starttls then + if session.conn.starttls and host.ssl_ctx_in then session.send(st.stanza("proceed", { xmlns = xmlns_starttls })); session:reset_stream(); if session.host and hosts[session.host].ssl_ctx_in then @@ -34,7 +36,7 @@ module:add_handler("c2s_unauthed", "starttls", xmlns_starttls, module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls, function (session, stanza) - if session.conn.starttls then + if session.conn.starttls and host.ssl_ctx_in then session.sends2s(st.stanza("proceed", { xmlns = xmlns_starttls })); session:reset_stream(); if session.to_host and hosts[session.to_host].ssl_ctx_in then -- cgit v1.2.3