Generate SASL failures on unencrypted connections only for s2s

Evgeniy Khramtsov 2018-06-23 20:31:01 +03:00
parent d809aafba0
commit c4c91cc956
1 changed files with 3 additions and 3 deletions


@ -528,7 +528,7 @@ process_features(StreamFeatures,
process_stream_established(State1); process_stream_established(State1);
process_features(StreamFeatures, process_features(StreamFeatures,
#{stream_encrypted := Encrypted, #{stream_encrypted := Encrypted,
lang := Lang} = State) -> lang := Lang, xmlns := NS} = State) ->
State1 = try callback(handle_unauthenticated_features, StreamFeatures, State) State1 = try callback(handle_unauthenticated_features, StreamFeatures, State)
catch _:{?MODULE, undef} -> State catch _:{?MODULE, undef} -> State
end, end,
@ -541,7 +541,7 @@ process_features(StreamFeatures,
false when TLSRequired and not Encrypted -> false when TLSRequired and not Encrypted ->
Txt = <<"Use of STARTTLS required">>, Txt = <<"Use of STARTTLS required">>,
send_pkt(State1, xmpp:serr_policy_violation(Txt, Lang)); send_pkt(State1, xmpp:serr_policy_violation(Txt, Lang));
false when not Encrypted -> false when NS == ?NS_SERVER andalso not Encrypted ->
process_sasl_failure( process_sasl_failure(
<<"Peer doesn't support STARTTLS">>, State1); <<"Peer doesn't support STARTTLS">>, State1);
#starttls{required = true} when not TLSAvailable and not Encrypted -> #starttls{required = true} when not TLSAvailable and not Encrypted ->
@ -550,7 +550,7 @@ process_features(StreamFeatures,
#starttls{} when TLSAvailable and not Encrypted -> #starttls{} when TLSAvailable and not Encrypted ->
State2 = State1#{stream_state => wait_for_starttls_response}, State2 = State1#{stream_state => wait_for_starttls_response},
send_pkt(State2, #starttls{}); send_pkt(State2, #starttls{});
#starttls{} when not Encrypted -> #starttls{} when NS == ?NS_SERVER andalso not Encrypted ->
process_sasl_failure( process_sasl_failure(
<<"STARTTLS is disabled in local configuration">>, State1); <<"STARTTLS is disabled in local configuration">>, State1);
_ -> _ ->
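Review bot: On streams whose `xmlns` is not `?NS_SERVER`, the two re-guarded clauses (`false when NS == ?NS_SERVER andalso not Encrypted` and `#starttls{} when NS == ?NS_SERVER andalso not Encrypted`) no longer match, so an unencrypted stream now falls through to the `_ ->` clause whenever `TLSRequired` is false. The body of that clause lies outside the hunk; if it goes on to authentication, the SASL exchange would run in cleartext. A peer feature list with `<starttls/>` missing (or stripped in transit) would then be indistinguishable from a peer that legitimately lacks it. The fall-through should either be documented at the case, e.g. `%% Non-s2s streams continue unencrypted here unless TLS is required; a missing <starttls/> is not treated as a failure.`, or the callback docs should say that non-s2s callers must make TLS required to keep the old fail-closed behaviour. As a style point, the new guards mix `andalso` with the strict `and` used in the neighbouring clauses; picking one form would read more consistently.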