
Correct domain_certfile tlsopts modifications for s2s connections (EJAB-1086)

* In ejabberd_s2s_out:wait_for_feature_request/2, the domain to use for
  looking up domain_certfile options is #state.myname and not
  #state.server

* If s2s_certfile is not specified, connect should still be part of the
  tls options used by ejabberd_s2s_out

* Add #state.server to ejabberd_s2s_in processes and store the to
  attribute in :wait_for_stream/2. Then use that server in
  :wait_for_feature_request/2 to change the tls options like in
  ejabberd_s2s_out.

Fixes EJAB-1086.
Andreas Köhler 2010-11-06 20:09:33 +01:00 committed by Badlop
parent 776930fa06
commit e34eebb5ad
2 changed files with 20 additions and 7 deletions


@ -75,6 +75,7 @@
tls = false,
tls_enabled = false,
tls_options = [],
server,
authenticated = false,
auth_domain,
connections = ?DICT:new(),
@ -224,7 +225,7 @@ wait_for_stream({xmlstreamstart, _Name, Attrs}, StateData) ->
s2s_stream_features,
Server,
[], [Server])}),
{next_state, wait_for_feature_request, StateData};
{next_state, wait_for_feature_request, StateData#state{server = Server}};
{"jabber:server", _, Server, true} when
StateData#state.authenticated ->
send_text(StateData, ?STREAM_HEADER(" version='1.0'")),
@ -266,7 +267,17 @@ wait_for_feature_request({xmlstreamelement, El}, StateData) ->
SockMod == gen_tcp ->
?DEBUG("starttls", []),
Socket = StateData#state.socket,
TLSOpts = StateData#state.tls_options,
TLSOpts = case ejabberd_config:get_local_option(
{domain_certfile,
StateData#state.server}) of
undefined ->
StateData#state.tls_options;
CertFile ->
[{certfile, CertFile} |
lists:keydelete(
certfile, 1,
StateData#state.tls_options)]
end,
TLSSocket = (StateData#state.sockmod):starttls(
Socket, TLSOpts,
xml:element_to_binary(
@ -274,7 +285,8 @@ wait_for_feature_request({xmlstreamelement, El}, StateData) ->
{next_state, wait_for_stream,
StateData#state{socket = TLSSocket,
streamid = new_id(),
tls_enabled = true
tls_enabled = true,
tls_options = TLSOpts
}};
{?NS_SASL, "auth"} when TLSEnabled ->
Mech = xml:get_attr_s("mechanism", Attrs),
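Review bot: The new `domain_certfile` lookup in wait_for_feature_request keys on `StateData#state.server`, which the wait_for_stream hunk above fills from the peer's stream header (the `to` attribute, per the description), so which local certificate is presented is selected by a value the remote side supplies; the new record field has no default, so until that point the code silently depends on `ejabberd_config:get_local_option({domain_certfile, undefined})` returning `undefined` and the fallback to the default options. Neither fact is visible at the `case`, so a comment above it would help: `%% #state.server is the 'to' the peer sent in wait_for_stream; a domain without a domain_certfile entry (or no 'to' yet) keeps the default tls_options.` The same certfile-override `case` appears in ejabberd_s2s_out's wait_for_starttls_proceed on this page; a shared helper taking the domain and the default option list would keep the two copies from drifting. wait_for_feature_request starts and ends outside the hunk.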


@ -66,7 +66,7 @@
tls = false,
tls_required = false,
tls_enabled = false,
tls_options = [],
tls_options = [connect],
authenticated = false,
db_enabled = true,
try_auth = true,
@ -163,7 +163,7 @@ init([From, Server, Type]) ->
UseV10 = TLS,
TLSOpts = case ejabberd_config:get_local_option(s2s_certfile) of
undefined ->
[];
[connect];
CertFile ->
[{certfile, CertFile}, connect]
end,
@ -621,7 +621,7 @@ wait_for_starttls_proceed({xmlstreamelement, El}, StateData) ->
Socket = StateData#state.socket,
TLSOpts = case ejabberd_config:get_local_option(
{domain_certfile,
StateData#state.server}) of
StateData#state.myname}) of
undefined ->
StateData#state.tls_options;
CertFile ->
@ -633,7 +633,8 @@ wait_for_starttls_proceed({xmlstreamelement, El}, StateData) ->
TLSSocket = ejabberd_socket:starttls(Socket, TLSOpts),
NewStateData = StateData#state{socket = TLSSocket,
streamid = new_id(),
tls_enabled = true
tls_enabled = true,
tls_options = TLSOpts
},
send_text(NewStateData,
io_lib:format(?STREAM_HEADER,
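Review bot: The switch of the `domain_certfile` key from `#state.server` to `#state.myname` is the actual fix, but nothing at the `case` says why the local domain is the right key, so a later reader may "correct" it back; a comment such as `%% Present the certificate of our own domain (myname), never the remote server's.` above the `case` would pin it. The `[connect]` default now appears twice, in the record definition and in init's `undefined` branch; if init always writes TLSOpts into the state (that assignment is outside the hunk) the record default is dead, and a single `-define` for the default option list would keep the two aligned. wait_for_starttls_proceed's body continues past the last hunk, and the `CertFile ->` branch of its first `case` is cut off at the hunk edge.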