]> granicus.if.org Git - ejabberd/commitdiff
projects / ejabberd / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3a3f824)
Check TLS state before requesting SASL EXTERNAL
authorHolger Weiss <holger@zedat.fu-berlin.de>
Thu, 24 Apr 2014 09:04:10 +0000 (11:04 +0200)
committerHolger Weiss <holger@zedat.fu-berlin.de>
Thu, 24 Apr 2014 09:04:10 +0000 (11:04 +0200)
Make sure a remote server can't circumvent "s2s_use_starttls: required"
by offering SASL EXTERNAL authentication over a non-TLS connection.

src/ejabberd_s2s_out.erl patch | blob | history

diff --git a/src/ejabberd_s2s_out.erl b/src/ejabberd_s2s_out.erl
index a0a83631d1674bdf5531977cacddd73cfb562627..e404207cd6c483fadf0fdb8598c07f361af11361 100644 (file)
--- a/src/ejabberd_s2s_out.erl
+++ b/src/ejabberd_s2s_out.erl
@@ -578,7 +578,9 @@ wait_for_features({xmlstreamelement, El}, StateData) ->
                 {next_state, stream_established,
                  StateData#state{queue = queue:new()}};
             SASLEXT and StateData#state.try_auth and
-              (StateData#state.new /= false) ->
+              (StateData#state.new /= false) and
+                (StateData#state.tls_enabled or
+                  not StateData#state.tls_required) ->
                 send_element(StateData,
                              #xmlel{name = <<"auth">>,
                                     attrs =
Unnamed repository; edit this file 'description' to name the repository.