From c4c91cc956bef26f7d6ee8a1e5192fc0fa6ccffb Mon Sep 17 00:00:00 2001
From: Evgeniy Khramtsov
Date: Sat, 23 Jun 2018 20:31:01 +0300
Subject: [PATCH] Generate SASL failures on unencrypted connections only for s2s
---
 src/xmpp_stream_out.erl | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/xmpp_stream_out.erl b/src/xmpp_stream_out.erl
index bff50d30d..8552ec749 100644
--- a/src/xmpp_stream_out.erl
+++ b/src/xmpp_stream_out.erl
@@ -528,7 +528,7 @@ process_features(StreamFeatures,
 process_stream_established(State1);
 process_features(StreamFeatures,
 #{stream_encrypted := Encrypted,
- lang := Lang} = State) ->
+ lang := Lang, xmlns := NS} = State) ->
 State1 = try callback(handle_unauthenticated_features, StreamFeatures, State)
 catch _:{?MODULE, undef} -> State
 end,
@@ -541,7 +541,7 @@ process_features(StreamFeatures,
 false when TLSRequired and not Encrypted ->
 Txt = <<"Use of STARTTLS required">>,
 send_pkt(State1, xmpp:serr_policy_violation(Txt, Lang));
- false when not Encrypted ->
+ false when NS == ?NS_SERVER andalso not Encrypted ->
 process_sasl_failure(
 <<"Peer doesn't support STARTTLS">>, State1);
 #starttls{required = true} when not TLSAvailable and not Encrypted ->
@@ -550,7 +550,7 @@ process_features(StreamFeatures,
 #starttls{} when TLSAvailable and not Encrypted ->
 State2 = State1#{stream_state => wait_for_starttls_response},
 send_pkt(State2, #starttls{});
- #starttls{} when not Encrypted ->
+ #starttls{} when NS == ?NS_SERVER andalso not Encrypted ->
 process_sasl_failure(
 <<"STARTTLS is disabled in local configuration">>, State1);
 _ ->
-- 
2.50.0
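Review bot: The clause head now matches `xmlns := NS`, so a state map that lacks an `xmlns` key no longer matches this clause at all and, unless another clause accepts it, the call fails with `function_clause` before any STARTTLS check runs. Whether `xmlns` is always present in the state is not visible here, and the function continues outside the hunk. If it is an invariant, a short comment on the head such as `%% xmlns is set for every outgoing stream state` would record it; otherwise the namespace should be read with a default inside the body.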
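Review bot: With `NS == ?NS_SERVER` added to the `false` clause, a non-s2s stream whose peer offers no STARTTLS on an unencrypted connection is no longer failed here unless `TLSRequired` is true. It appears to fall through to a later clause, which from the third hunk looks like `_ ->`, whose body lies outside the diff. The `#starttls{}` clause changed in the third hunk behaves the same way when TLS is disabled locally. If that branch goes on to authentication, it would happen in cleartext and a removed STARTTLS feature would go unnoticed, leaving `TLSRequired` as the only guard for those streams. I would state this above both clauses, e.g. `%% Non-s2s streams continue unencrypted here unless TLSRequired is true`, and log the fallthrough at warning level so operators can detect it.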
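Review bot: The new guard uses `==` and `andalso` while the neighbouring clauses of the same `try ... of` use `and`, e.g. `when TLSAvailable and not Encrypted`. For a comparison against a namespace constant the exact operator is the usual choice: `#starttls{} when NS =:= ?NS_SERVER andalso not Encrypted ->`, and likewise for the `false` clause in the second hunk. Moving the older `and` guards to `andalso` in the same commit would keep the clause list uniform.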