From d805d198acae4284a0f8512305c9180c2ac9dd08 Mon Sep 17 00:00:00 2001
From: Holger Weiss
Date: Thu, 24 Apr 2014 11:04:10 +0200
Subject: [PATCH] Check TLS state before requesting SASL EXTERNAL

Make sure a remote server can't circumvent "s2s_use_starttls: required" by offering SASL EXTERNAL authentication over a non-TLS connection.
---
 src/ejabberd_s2s_out.erl | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/ejabberd_s2s_out.erl b/src/ejabberd_s2s_out.erl
index a0a83631d..e404207cd 100644
--- a/src/ejabberd_s2s_out.erl
+++ b/src/ejabberd_s2s_out.erl
@@ -578,7 +578,9 @@ wait_for_features({xmlstreamelement, El}, StateData) ->
           {next_state, stream_established, StateData#state{queue = queue:new()}};
       SASLEXT and StateData#state.try_auth and
-        (StateData#state.new /= false) ->
+        (StateData#state.new /= false) and
+        (StateData#state.tls_enabled or
+         not StateData#state.tls_required) ->
           send_element(StateData, #xmlel{name = <<"auth">>, attrs =