From 73d1bb12184cd5bc91c5996ecc574149d9637d73 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Sat, 25 Dec 2021 16:23:40 +0100 Subject: various: Require encryption by default for real These options have been specified (and enabled) in the default config file for a long time. However if unspecified in the config, they were not enabled. Now they are. This may result in a change of behaviour for people using very old config files that lack the require_encryption options. But that's what we want. --- plugins/mod_register_ibr.lua | 2 +- plugins/mod_s2s.lua | 2 +- plugins/mod_s2s_bidi.lua | 2 +- plugins/mod_saslauth.lua | 2 +- plugins/mod_tls.lua | 4 ++-- 5 files changed, 6 insertions(+), 6 deletions(-) (limited to 'plugins') diff --git a/plugins/mod_register_ibr.lua b/plugins/mod_register_ibr.lua index 83d284c8..8042de7e 100644 --- a/plugins/mod_register_ibr.lua +++ b/plugins/mod_register_ibr.lua @@ -18,7 +18,7 @@ local util_error = require "util.error"; local additional_fields = module:get_option("additional_registration_fields", {}); local require_encryption = module:get_option_boolean("c2s_require_encryption", - module:get_option_boolean("require_encryption", false)); + module:get_option_boolean("require_encryption", true)); pcall(function () module:depends("register_limits"); diff --git a/plugins/mod_s2s.lua b/plugins/mod_s2s.lua index 836cf347..655cb599 100644 --- a/plugins/mod_s2s.lua +++ b/plugins/mod_s2s.lua @@ -40,7 +40,7 @@ local opt_keepalives = module:get_option_boolean("s2s_tcp_keepalives", module:ge local secure_auth = module:get_option_boolean("s2s_secure_auth", false); -- One day... local secure_domains, insecure_domains = module:get_option_set("s2s_secure_domains", {})._items, module:get_option_set("s2s_insecure_domains", {})._items; -local require_encryption = module:get_option_boolean("s2s_require_encryption", false); +local require_encryption = module:get_option_boolean("s2s_require_encryption", true); local stanza_size_limit = module:get_option_number("s2s_stanza_size_limit", 1024*512); local measure_connections_inbound = module:metric( diff --git a/plugins/mod_s2s_bidi.lua b/plugins/mod_s2s_bidi.lua index 28e047de..addcd6e2 100644 --- a/plugins/mod_s2s_bidi.lua +++ b/plugins/mod_s2s_bidi.lua @@ -10,7 +10,7 @@ local st = require "util.stanza"; local xmlns_bidi_feature = "urn:xmpp:features:bidi" local xmlns_bidi = "urn:xmpp:bidi"; -local require_encryption = module:get_option_boolean("s2s_require_encryption", false); +local require_encryption = module:get_option_boolean("s2s_require_encryption", true); module:hook("s2s-stream-features", function(event) local origin, features = event.origin, event.features; diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua index 212b977a..30d7acfa 100644 --- a/plugins/mod_saslauth.lua +++ b/plugins/mod_saslauth.lua @@ -17,7 +17,7 @@ local errors = require "util.error"; local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; -local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", false)); +local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", true)); local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"}); local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" }); diff --git a/plugins/mod_tls.lua b/plugins/mod_tls.lua index 9b80486a..afc1653a 100644 --- a/plugins/mod_tls.lua +++ b/plugins/mod_tls.lua @@ -10,8 +10,8 @@ local create_context = require "core.certmanager".create_context; local rawgetopt = require"core.configmanager".rawget; local st = require "util.stanza"; -local c2s_require_encryption = module:get_option("c2s_require_encryption", module:get_option("require_encryption")); -local s2s_require_encryption = module:get_option("s2s_require_encryption"); +local c2s_require_encryption = module:get_option("c2s_require_encryption", module:get_option("require_encryption", true)); +local s2s_require_encryption = module:get_option("s2s_require_encryption", true); local allow_s2s_tls = module:get_option("s2s_allow_encryption") ~= false; local s2s_secure_auth = module:get_option("s2s_secure_auth"); -- cgit v1.2.3