Check TLS state before requesting SASL EXTERNAL

Make sure a remote server can't circumvent "s2s_use_starttls: required" by offering SASL EXTERNAL authentication over a non-TLS connection.
2024-11-22 16:20:52 +01:00 · 2014-04-24 11:04:10 +02:00 · 2014-04-24 11:04:10 +02:00 · d805d198ac
commit d805d198ac
parent 3a3f8240c1
1 changed files with 3 additions and 1 deletions
--- a/src/ejabberd_s2s_out.erl
+++ b/src/ejabberd_s2s_out.erl
@ -578,7 +578,9 @@ wait_for_features({xmlstreamelement, El}, StateData) ->
 		 {next_state, stream_established,
 		  StateData#state{queue = queue:new()}};
 	     SASLEXT and StateData#state.try_auth and
-	       (StateData#state.new /= false) ->
+	       (StateData#state.new /= false) and
+		 (StateData#state.tls_enabled or
+		   not StateData#state.tls_required) ->
 		 send_element(StateData,
 			      #xmlel{name = <<"auth">>,
 				     attrs =