From 976a86ee4645baf3e4ef8e0f8e6066fc62e8f379 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Thu, 28 Nov 2019 17:32:15 +0100
Subject: mod_s2s: Send stream errors for cert problems on outgoing connections

Rationale in comment.
---
 plugins/mod_s2s/mod_s2s.lua | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

(limited to 'plugins')

diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua
index 4d79a825..6419ea67 100644
--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -758,12 +758,13 @@ function check_auth_policy(event)
 	if must_secure and (session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid") then
 		module:log("warn", "Forbidding insecure connection to/from %s", host or session.ip or "(unknown host)");
 		local reason = friendly_cert_error(session);
-		if session.direction == "incoming" then
-			session:close({ condition = "not-authorized", text = "Your server's certificate "..reason },
-				nil, "Remote server's certificate "..reason);
-		else -- Close outgoing connections without warning
-			session:close(false, nil, "Remote server's certificate "..reason);
-		end
+		-- XEP-0178 recommends closing outgoing connections without warning
+		-- but does not give a rationale for this.
+		-- In practice most cases are configuration mistakes or forgotten
+		-- certificate renewals. We think it's better to let the other party
+		-- know about the problem so that they can fix it.
+		session:close({ condition = "not-authorized", text = "Your server's certificate "..reason },
+			nil, "Remote server's certificate "..reason);
 		return false;
 	end
 end
-- 
cgit v1.2.3