mod_tls: Add s2s_allow_encryption option which, when set to false, disables TLS for s2s
authorMatthew Wild <mwild1@gmail.com>
Wed, 24 Mar 2010 20:00:22 +0000 (20:00 +0000)
committerMatthew Wild <mwild1@gmail.com>
Wed, 24 Mar 2010 20:00:22 +0000 (20:00 +0000)
plugins/mod_tls.lua

index 22819cd18c1d1601ddf03add0ab6dbc2f6388ec4..f68552fac336178c8632d001efd26318c12cc7a0 100644 (file)
@@ -16,10 +16,13 @@ local secure_s2s_only = module:get_option("s2s_require_encryption");
 
 local host = hosts[module.host];
 
+local starttls_attr = { xmlns = xmlns_starttls };
+
+--- Client-to-server TLS handling
 module:add_handler("c2s_unauthed", "starttls", xmlns_starttls,
                function (session, stanza)
                        if session.conn.starttls and host.ssl_ctx_in then
-                               session.send(st.stanza("proceed", { xmlns = xmlns_starttls }));
+                               session.send(st.stanza("proceed", starttls_attr));
                                session:reset_stream();
                                if session.host and hosts[session.host].ssl_ctx_in then
                                        session.conn.set_sslctx(hosts[session.host].ssl_ctx_in);
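Review bot: The new `starttls_attr` table is now shared by reference between the `proceed` and `failure` stanzas here and the `<starttls/>` feature tag, so the refactor is only safe as long as nothing downstream mutates a stanza's `attr` table in place; I cannot see util.stanza from this diff, so please confirm, and document the intent with a comment on the definition such as `-- Shared attr table: treated as read-only by every stanza built from it`. The c2s starttls handler whose body begins here continues in the next hunk.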
@@ -29,15 +32,34 @@ module:add_handler("c2s_unauthed", "starttls", xmlns_starttls,
                                session.secure = false;
                        else
                                session.log("warn", "Attempt to start TLS, but TLS is not available on this connection");
-                               (session.sends2s or session.send)(st.stanza("failure", { xmlns = xmlns_starttls }));
+                               (session.sends2s or session.send)(st.stanza("failure", starttls_attr));
                                session:close();
                        end
                end);
-               
+
+module:add_event_hook("stream-features", 
+               function (session, features)
+                       if session.conn.starttls then
+                               features:tag("starttls", starttls_attr);
+                               if secure_auth_only then
+                                       features:tag("required"):up():up();
+                               else
+                                       features:up();
+                               end
+                       end
+               end);
+---
+
+-- Stop here if the user doesn't want to allow s2s encryption
+if module:get_option("s2s_allow_encryption") == false then
+       return;
+end
+
+--- Server-to-server TLS handling
 module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls,
                function (session, stanza)
                        if session.conn.starttls and host.ssl_ctx_in then
-                               session.sends2s(st.stanza("proceed", { xmlns = xmlns_starttls }));
+                               session.sends2s(st.stanza("proceed", starttls_attr));
                                session:reset_stream();
                                if session.to_host and hosts[session.to_host].ssl_ctx_in then
                                        session.conn.set_sslctx(hosts[session.to_host].ssl_ctx_in);
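Review bot: The early `return` on `s2s_allow_encryption == false` silently turns off server-to-server encryption with no log line, and it does not reconcile with `secure_s2s_only` (read from `s2s_require_encryption` in the hunk header context), so an administrator who sets both options gets a server that neither offers nor accepts STARTTLS on s2s yet believes encryption is required. At minimum log the downgrade, and flag the contradictory pair before returning: `if secure_s2s_only then module:log("error", "s2s_require_encryption is set but s2s_allow_encryption = false; TLS will not be offered on s2s"); end` followed by `module:log("warn", "s2s encryption disabled by config (s2s_allow_encryption = false)");` (use whatever module-level logger this Prosody version provides if `module:log` is not available). Note also that the return only skips the handlers registered later in this file; whether outgoing s2s connections still initiate STARTTLS when a remote offers it is decided elsewhere and should be checked separately. The s2sin handler started in this hunk continues in the next one.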
@@ -47,25 +69,12 @@ module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls,
                                session.secure = false;
                        else
                                session.log("warn", "Attempt to start TLS, but TLS is not available on this s2s connection");
-                               (session.sends2s or session.send)(st.stanza("failure", { xmlns = xmlns_starttls }));
+                               (session.sends2s or session.send)(st.stanza("failure", starttls_attr));
                                session:close();
                        end
                end);
 
 
-local starttls_attr = { xmlns = xmlns_starttls };
-module:add_event_hook("stream-features", 
-               function (session, features)
-                       if session.conn.starttls then
-                               features:tag("starttls", starttls_attr);
-                               if secure_auth_only then
-                                       features:tag("required"):up():up();
-                               else
-                                       features:up();
-                               end
-                       end
-               end);
-
 module:hook("s2s-stream-features", 
                function (data)
                        local session, features = data.session, data.features;