From 5146db2da02de75a12fbf626f318e16b00683aae Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Mon, 13 Nov 2023 09:44:40 +0100
Subject: util.prosodyctl.check: Update conditions for s2s cert checks

The 'anonymous_login' setting is deprecated and prosodyctl check config
will tell you to change it to 'authentication = "internal_hashed"', so
we shouldn't need to care about here anymore.
---
 util/prosodyctl/check.lua | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'util/prosodyctl/check.lua')

diff --git a/util/prosodyctl/check.lua b/util/prosodyctl/check.lua
index 12c5b5c7..7ba0ccd0 100644
--- a/util/prosodyctl/check.lua
+++ b/util/prosodyctl/check.lua
@@ -1177,9 +1177,9 @@ local function check(arg)
 							print("    Not valid for client connections to "..host..".")
 							cert_ok = false
 						end
-						if modules:contains("s2s") and (not (api(host):get_option_boolean("anonymous_login", false)
-							or api(host):get_option_string("authentication", "internal_hashed") == "anonymous"))
-							and not x509_verify_identity(host, "_xmpp-server", cert) then
+						local anon = api(host):get_option_string("authentication", "internal_hashed") == "anonymous";
+						local anon_s2s = api(host):get_option_boolean("allow_anonymous_s2s", false);
+						if modules:contains("s2s") and (anon_s2s or not anon) and not x509_verify_identity(host, "_xmpp-server", cert) then
 							print("    Not valid for server-to-server connections to "..host..".")
 							cert_ok = false
 						end
-- 
cgit v1.2.3