From eabca827652ebf2d9cc99d49a1eb3292a74fb5e5 Mon Sep 17 00:00:00 2001
From: Holger Weiss
Date: Sun, 27 Apr 2014 00:28:42 +0200
Subject: [PATCH 1/2] Send stream trailer before closing s2s connection

When aborting an incoming s2s connection due to certificate verification errors, send a stream trailer before closing the socket.
---
 src/ejabberd_s2s_in.erl | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/ejabberd_s2s_in.erl b/src/ejabberd_s2s_in.erl
index 3eb0b71cc..aa55c2e63 100644
--- a/src/ejabberd_s2s_in.erl
+++ b/src/ejabberd_s2s_in.erl
@@ -294,8 +294,9 @@ wait_for_stream({xmlstreamstart, _Name, Attrs},
 ?INFO_MSG("Closing s2s connection: ~s <--> ~s (~s)",
 [StateData#state.server, RemoteServer, CertError]),
 send_text(StateData,
- xml:element_to_binary(?SERRT_POLICY_VIOLATION(<<"en">>,
- CertError))),
+ <<(xml:element_to_binary(?SERRT_POLICY_VIOLATION(<<"en">>,
+ CertError)))/binary,
+ (?STREAM_TRAILER)/binary>>),
 {atomic, Pid} =
 ejabberd_s2s:find_connection(jlib:make_jid(<<"">>,
 Server, <<"">>),
From 1aa4ed3f35d07b62a5ccc0568a55ec464eb7d478 Mon Sep 17 00:00:00 2001
From: Holger Weiss
Date: Mon, 28 Apr 2014 00:17:05 +0200
Subject: [PATCH 2/2] Don't mess with s2s out when aborting s2s in

Don't try to look up and close outgoing connections to a given server when aborting incoming connections from that server due to certificate verification errors. The ejabberd_s2s:find_connection/2 call actually created one or more *new* connections if less than 'max_s2s_connections' connections were found. Then, no more than one of those possibly new connections were stopped by the ejabberd_s2s_out:stop_connection/1 call. It's not really necessary to bother with outgoing connections at all, here.
---
 src/ejabberd_s2s_in.erl | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/src/ejabberd_s2s_in.erl b/src/ejabberd_s2s_in.erl
index aa55c2e63..a3e772dfc 100644
--- a/src/ejabberd_s2s_in.erl
+++ b/src/ejabberd_s2s_in.erl
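Review bot: The `(?STREAM_TRAILER)/binary` segment added to the `send_text/2` call in the `@@ -294,8 +294,9 @@` hunk of patch 1/2 carries no comment saying why the trailer is appended on the certificate-failure path, so a later edit could drop it without anyone noticing. I would put `%% Close the stream after the policy-violation error so the peer sees a clean end of stream, not a dropped socket` directly above the `send_text` call. The return value of `send_text/2` is not checked in the visible lines; that looks like deliberate best effort because the connection is being torn down, but it is worth confirming that a failed send cannot prevent the `{stop, normal, StateData}` return from being reached. `wait_for_stream` starts and ends outside the hunk.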
@@ -297,13 +297,6 @@ wait_for_stream({xmlstreamstart, _Name, Attrs},
 <<(xml:element_to_binary(?SERRT_POLICY_VIOLATION(<<"en">>,
 CertError)))/binary,
 (?STREAM_TRAILER)/binary>>),
- {atomic, Pid} =
- ejabberd_s2s:find_connection(jlib:make_jid(<<"">>,
- Server, <<"">>),
- jlib:make_jid(<<"">>,
- RemoteServer,
- <<"">>)),
- ejabberd_s2s_out:stop_connection(Pid),
 {stop, normal, StateData};
 {VerifyResult, RemoteServer, Msg} ->
 {SASL, NewStateData} = case VerifyResult of