From a8c6eec28c552af33628bd04c8a24d166ff5dbcd Mon Sep 17 00:00:00 2001
From: Evgeny Khramtsov
Date: Fri, 6 Sep 2019 22:20:07 +0300
Subject: [PATCH] Fix certificate selection for s2s
The bug was introduced in c2cbb4d87955ff4917581fedc93cbcd4edd1ce8a
Fixes #3015
---
 src/ejabberd_s2s.erl | 16 ++++++++--------
 src/ejabberd_s2s_in.erl | 4 ++--
 src/ejabberd_s2s_out.erl | 4 ++--
 3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/src/ejabberd_s2s.erl b/src/ejabberd_s2s.erl
index 2796a43fd..231622551 100644
--- a/src/ejabberd_s2s.erl
+++ b/src/ejabberd_s2s.erl
@@ -42,7 +42,7 @@
 list_temporarily_blocked_hosts/0, external_host_overloaded/1, is_temporarly_blocked/1, get_commands_spec/0, zlib_enabled/1, get_idle_timeout/1,
- tls_required/1, tls_enabled/1, tls_options/2,
+ tls_required/1, tls_enabled/1, tls_options/3,
 host_up/1, host_down/1, queue_type/1]).
 %% gen_server callbacks 
@@ -177,34 +177,34 @@ try_register({From, To} = FromTo) ->
 dirty_get_connections() -> mnesia:dirty_all_keys(s2s).
--spec tls_options(binary(), [proplists:property()]) -> [proplists:property()].
-tls_options(LServer, DefaultOpts) ->
+-spec tls_options(binary(), binary(), [proplists:property()]) -> [proplists:property()].
+tls_options(LServer, ServerHost, DefaultOpts) ->
 TLSOpts1 = case ejabberd_pkix:get_certfile(LServer) of error -> DefaultOpts; {ok, CertFile} -> lists:keystore(certfile, 1, DefaultOpts, {certfile, CertFile}) end,
- TLSOpts2 = case ejabberd_option:s2s_ciphers(LServer) of
+ TLSOpts2 = case ejabberd_option:s2s_ciphers(ServerHost) of
 undefined -> TLSOpts1; Ciphers -> lists:keystore(ciphers, 1, TLSOpts1, {ciphers, Ciphers}) end,
- TLSOpts3 = case ejabberd_option:s2s_protocol_options(LServer) of
+ TLSOpts3 = case ejabberd_option:s2s_protocol_options(ServerHost) of
 undefined -> TLSOpts2; ProtoOpts -> lists:keystore(protocol_options, 1, TLSOpts2, {protocol_options, ProtoOpts}) end,
- TLSOpts4 = case ejabberd_option:s2s_dhfile(LServer) of
+ TLSOpts4 = case ejabberd_option:s2s_dhfile(ServerHost) of
 undefined -> TLSOpts3; DHFile -> lists:keystore(dhfile, 1, TLSOpts3, {dhfile, DHFile}) end,
 TLSOpts5 = case lists:keymember(cafile, 1, TLSOpts4) of true -> TLSOpts4;
- false -> [{cafile, get_cafile(LServer)}|TLSOpts4]
+ false -> [{cafile, get_cafile(ServerHost)}|TLSOpts4]
 end,
- case ejabberd_option:s2s_tls_compression(LServer) of
+ case ejabberd_option:s2s_tls_compression(ServerHost) of
 undefined -> TLSOpts5; false -> [compression_none | TLSOpts5]; true -> lists:delete(compression_none, TLSOpts5)
diff --git a/src/ejabberd_s2s_in.erl b/src/ejabberd_s2s_in.erl
index 4b6f70ea5..7e3bd6a89 100644
--- a/src/ejabberd_s2s_in.erl
+++ b/src/ejabberd_s2s_in.erl
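Review bot: The new head `tls_options(LServer, ServerHost, DefaultOpts)` takes two adjacent `binary()` arguments with different roles and nothing documents which is which: the certificate is chosen by `ejabberd_pkix:get_certfile(LServer)`, while ciphers, protocol options, dhfile, the `get_cafile(ServerHost)` fallback and compression are all read for `ServerHost`. A caller that swaps the two still compiles and passes Dialyzer, yet presents the wrong certificate, which is exactly the class of bug this commit fixes. I would put a comment above the spec, e.g. `%% LServer: domain whose certificate is presented to the peer; ServerHost: configured virtual host whose s2s_* options apply.` The `error -> DefaultOpts` branch on the first context line silently keeps whatever the caller passed (ejabberd_s2s_out passes `[]`), so a missing certificate for LServer only shows up later as a handshake failure; a debug log there would make it visible. The function's closing `end.` lies outside the hunk.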
@@ -135,8 +135,8 @@ process_closed(#{server := LServer} = State, Reason) ->
 %%%===================================================================
 %%% xmpp_stream_in callbacks
 %%%===================================================================
-tls_options(#{tls_options := TLSOpts, server_host := ServerHost}) ->
- ejabberd_s2s:tls_options(ServerHost, TLSOpts).
+tls_options(#{tls_options := TLSOpts, lserver := LServer, server_host := ServerHost}) ->
+ ejabberd_s2s:tls_options(LServer, ServerHost, TLSOpts).
 tls_required(#{server_host := ServerHost}) -> ejabberd_s2s:tls_required(ServerHost).
diff --git a/src/ejabberd_s2s_out.erl b/src/ejabberd_s2s_out.erl
index 40ece0f7b..7bbc5eeb3 100644
--- a/src/ejabberd_s2s_out.erl
+++ b/src/ejabberd_s2s_out.erl
@@ -175,8 +175,8 @@ process_downgraded(State, _StreamStart) ->
 %%%===================================================================
 %%% xmpp_stream_out callbacks
 %%%===================================================================
-tls_options(#{server_host := ServerHost}) ->
- ejabberd_s2s:tls_options(ServerHost, []).
+tls_options(#{server := LServer, server_host := ServerHost}) ->
+ ejabberd_s2s:tls_options(LServer, ServerHost, []).
 tls_required(#{server_host := ServerHost}) -> ejabberd_s2s:tls_required(ServerHost).
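Review bot: The new head `tls_options(#{tls_options := TLSOpts, lserver := LServer, server_host := ServerHost})` now hard-requires `lserver` in the state map, where the old clause only needed `server_host`; if xmpp_stream_in can invoke this callback before `lserver` has been populated (I cannot see from the hunk whether init/1 seeds it with a default), the clause fails with `function_clause` and the TLS negotiation aborts rather than falling back as before. If that ordering is guaranteed, a one-line comment saying so on the head would save the next reader the same check. The ejabberd_s2s_out hunk has the same dependency on `server := LServer`, and the two state maps spell the key differently (`lserver` here, `server` there), which reads like a typo until one knows they are distinct behaviour state maps, so I would note that on each head, e.g. `%% lserver is the domain the peer addressed; its certificate is what we present.`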