From e3c0a877bf2eaf1f5c3f150ad66de0af331e885b Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Wed, 1 Sep 2021 19:05:24 +0200
Subject: mod_tls: Attempt STARTTLS on outgoing unencrypted legacy s2s connections

As suggested by RFC 7590
---
 plugins/mod_tls.lua | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'plugins/mod_tls.lua')

diff --git a/plugins/mod_tls.lua b/plugins/mod_tls.lua
index 9cd2a672..a97f7027 100644
--- a/plugins/mod_tls.lua
+++ b/plugins/mod_tls.lua
@@ -165,6 +165,14 @@ module:hook_tag("http://etherx.jabber.org/streams", "features", function (sessio
 end
 end, 500);
 
+module:hook("s2sout-authenticate-legacy", function(event)
+local session = event.origin;
+if s2s_require_encryption and can_do_tls(session) then
+session.sends2s(starttls_initiate);
+return true;
+end
+end, 200);
+
 module:hook_tag(xmlns_starttls, "proceed", function (session, stanza) -- luacheck: ignore 212/stanza
 if session.type == "s2sout_unauthed" and can_do_tls(session) then
 module:log("debug", "Proceeding with TLS on s2sout...");
--
cgit v1.2.3
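Review bot: The new "s2sout-authenticate-legacy" handler sends `starttls_initiate` and returns true, which presumably pre-empts the legacy dialback path, but nothing in this hunk handles the case where the peer answers with `<failure/>` in the starttls namespace or never answers at all, so a legacy peer without STARTTLS support may leave the session waiting instead of failing with a clear error — confirm a `failure` handler for `xmlns_starttls` exists elsewhere in mod_tls.lua (only the `proceed` handler is visible here). The guard `s2s_require_encryption and can_do_tls(session)` also narrows the attempt to the required-encryption case, whereas the commit message describes an opportunistic attempt per RFC 7590; if opportunistic was intended the condition would be `can_do_tls(session)` alone, otherwise the message should say the attempt only happens when encryption is required. The hook carries no comment explaining why STARTTLS is sent without the peer having advertised it; suggest `-- RFC 7590: the peer sent no stream features (legacy s2s), so try STARTTLS anyway rather than falling straight to plaintext dialback` above the `module:hook` line. This assumes `can_do_tls` already returns false once the session is secure; if not, the hook would re-send STARTTLS on an encrypted stream.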