Generate SASL failures on unencrypted connections only for s2s
authorEvgeniy Khramtsov <ekhramtsov@process-one.net>
Sat, 23 Jun 2018 17:31:01 +0000 (20:31 +0300)
committerEvgeniy Khramtsov <ekhramtsov@process-one.net>
Sat, 23 Jun 2018 17:31:01 +0000 (20:31 +0300)
src/xmpp_stream_out.erl

index bff50d30d05c702fa1d05aad2a4477fa9b5b1b43..8552ec74999fadcd4b36d1c6c898fe660a5a234b 100644 (file)
@@ -528,7 +528,7 @@ process_features(StreamFeatures,
     process_stream_established(State1);
 process_features(StreamFeatures,
                 #{stream_encrypted := Encrypted,
-                  lang := Lang} = State) ->
+                  lang := Lang, xmlns := NS} = State) ->
     State1 = try callback(handle_unauthenticated_features, StreamFeatures, State)
             catch _:{?MODULE, undef} -> State
             end,
@@ -541,7 +541,7 @@ process_features(StreamFeatures,
                false when TLSRequired and not Encrypted ->
                    Txt = <<"Use of STARTTLS required">>,
                    send_pkt(State1, xmpp:serr_policy_violation(Txt, Lang));
-               false when not Encrypted ->
+               false when NS == ?NS_SERVER andalso not Encrypted ->
                    process_sasl_failure(
                      <<"Peer doesn't support STARTTLS">>, State1);
                #starttls{required = true} when not TLSAvailable and not Encrypted ->
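Review bot: The new guard `false when NS == ?NS_SERVER andalso not Encrypted` uses the coercing `==` where an exact namespace match is meant; the idiomatic form is `false when NS =:= ?NS_SERVER andalso not Encrypted ->`. The security-relevant consequence of this clause is that a non-s2s outgoing stream whose peer offers no STARTTLS no longer gets a SASL failure and, unless `TLSRequired` is set, presumably falls to the `_ ->` clause and continues in the clear, which deserves a why-comment such as `%% Only s2s hard-fails here; c2s/component streams without starttls_required may continue unencrypted`. The `case` this clause belongs to and its `_ ->` fallthrough body lie outside the hunk, so confirm that the fallback really is the plaintext path before relying on that reading.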
@@ -550,7 +550,7 @@ process_features(StreamFeatures,
                #starttls{} when TLSAvailable and not Encrypted ->
                    State2 = State1#{stream_state => wait_for_starttls_response},
                    send_pkt(State2, #starttls{});
-               #starttls{} when not Encrypted ->
+               #starttls{} when NS == ?NS_SERVER andalso not Encrypted ->
                    process_sasl_failure(
                      <<"STARTTLS is disabled in local configuration">>, State1);
                _ ->
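Review bot: The s2s test `NS == ?NS_SERVER andalso not Encrypted` is now written out twice in the same `case` (here on the `#starttls{}` clause and on the `false when ...` clause above), so a later change to what counts as an s2s stream has to be applied in two places. Binding it once before the `case`, e.g. `IsS2S = (NS =:= ?NS_SERVER),` and then `#starttls{} when IsS2S andalso not Encrypted ->`, keeps the two clauses in step and also switches to the exact-equality operator. This clause is part of `process_features`, whose `case` and closing clauses extend past the end of the hunk.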