Correct domain_certfile tlsopts modifications for s2s connections (EJAB-1086)

* In ejabberd_s2s_out:wait_for_feature_request/2, the domain to use for
  looking up domain_certfile options is #state.myname and not
  #state.server

* If s2s_certfile is not specified, connect should still be part of the
  tls options used by ejabberd_s2s_out

* Add #state.server to ejabberd_s2s_in processes and store the to
  attribute in :wait_for_stream/2. Then use that server in
  :wait_for_feature_request/2 to change the tls options like in
  ejabberd_s2s_out.

Fixes EJAB-1086.

diff --git a/src/ejabberd_s2s_in.erl b/src/ejabberd_s2s_in.erl
index 1bd1b6898ff80ea2a27b7bf61ccd153a881d6551..c29249c973b1fcf5d1d53431a9dd2ef0f36186ce 100644 (file)
--- a/src/ejabberd_s2s_in.erl
+++ b/src/ejabberd_s2s_in.erl
@@ -75,6 +75,7 @@
                tls = false,
                tls_enabled = false,
                tls_options = [],
+               server,
                authenticated = false,
                auth_domain,
                connections = ?DICT:new(),
@@ -224,7 +225,7 @@ wait_for_stream({xmlstreamstart, _Name, Attrs}, StateData) ->
                            s2s_stream_features,
                            Server,
                            [], [Server])}),
-           {next_state, wait_for_feature_request, StateData};
+           {next_state, wait_for_feature_request, StateData#state{server = Server}};
        {"jabber:server", _, Server, true} when
              StateData#state.authenticated ->
            send_text(StateData, ?STREAM_HEADER(" version='1.0'")),
@@ -266,7 +267,17 @@ wait_for_feature_request({xmlstreamelement, El}, StateData) ->
                                   SockMod == gen_tcp ->
            ?DEBUG("starttls", []),
            Socket = StateData#state.socket,
-           TLSOpts = StateData#state.tls_options,
+           TLSOpts = case ejabberd_config:get_local_option(
+                            {domain_certfile,
+                             StateData#state.server}) of
+                         undefined ->
+                             StateData#state.tls_options;
+                         CertFile ->
+                             [{certfile, CertFile} |
+                              lists:keydelete(
+                                certfile, 1,
+                                StateData#state.tls_options)]
+                     end,
            TLSSocket = (StateData#state.sockmod):starttls(
                          Socket, TLSOpts,
                          xml:element_to_binary(
@@ -274,7 +285,8 @@ wait_for_feature_request({xmlstreamelement, El}, StateData) ->
            {next_state, wait_for_stream,
             StateData#state{socket = TLSSocket,
                             streamid = new_id(),
-                            tls_enabled = true
+                            tls_enabled = true,
+                            tls_options = TLSOpts
                            }};
        {?NS_SASL, "auth"} when TLSEnabled ->
            Mech = xml:get_attr_s("mechanism", Attrs),

diff --git a/src/ejabberd_s2s_out.erl b/src/ejabberd_s2s_out.erl
index 907bdd65a9dfa2067e704607e0db477205acca66..d33fc97186a254de1a9f57d073b3bf38831ab31a 100644 (file)
--- a/src/ejabberd_s2s_out.erl
+++ b/src/ejabberd_s2s_out.erl
@@ -66,7 +66,7 @@
                tls = false,
                tls_required = false,
                tls_enabled = false,
-               tls_options = [],
+               tls_options = [connect],
                authenticated = false,
                db_enabled = true,
                try_auth = true,
@@ -163,7 +163,7 @@ init([From, Server, Type]) ->
     UseV10 = TLS,
     TLSOpts = case ejabberd_config:get_local_option(s2s_certfile) of
                  undefined ->
-                     [];
+                     [connect];
                  CertFile ->
                      [{certfile, CertFile}, connect]
              end,
@@ -621,7 +621,7 @@ wait_for_starttls_proceed({xmlstreamelement, El}, StateData) ->
                    Socket = StateData#state.socket,
                    TLSOpts = case ejabberd_config:get_local_option(
                                     {domain_certfile,
-                                     StateData#state.server}) of
+                                     StateData#state.myname}) of
                                  undefined ->
                                      StateData#state.tls_options;
                                  CertFile ->
@@ -633,7 +633,8 @@ wait_for_starttls_proceed({xmlstreamelement, El}, StateData) ->
                    TLSSocket = ejabberd_socket:starttls(Socket, TLSOpts),
                    NewStateData = StateData#state{socket = TLSSocket,
                                                   streamid = new_id(),
-                                                  tls_enabled = true
+                                                  tls_enabled = true,
+                                                  tls_options = TLSOpts
                                                  },
                    send_text(NewStateData,
                              io_lib:format(?STREAM_HEADER,