+local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption");
+local secure_s2s_only = module:get_option("s2s_require_encryption");
+
+local global_ssl_ctx = prosody.global_ssl_ctx;
+
+module:hook("stanza/urn:ietf:params:xml:ns:xmpp-tls:starttls", function(event)
+ local origin = event.origin;
+ if origin.conn.starttls then
+ (origin.sends2s or origin.send)(st.stanza("proceed", { xmlns = xmlns_starttls }));
+ origin:reset_stream();
+ local host = origin.to_host or origin.host;
+ local ssl_ctx = host and hosts[host].ssl_ctx_in or global_ssl_ctx;
+ origin.conn:starttls(ssl_ctx);
+ origin.log("info", "TLS negotiation started for %s...", origin.type);
+ origin.secure = false;
+ else
+ origin.log("warn", "Attempt to start TLS, but TLS is not available on this %s connection", origin.type);
+ (origin.sends2s or origin.send)(st.stanza("failure", { xmlns = xmlns_starttls }));
+ origin:close();
+ end
+ return true;
+end);