12 local xmlns_starttls = 'urn:ietf:params:xml:ns:xmpp-tls'; |
12 local xmlns_starttls = 'urn:ietf:params:xml:ns:xmpp-tls'; |
13 |
13 |
14 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption"); |
14 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption"); |
15 local secure_s2s_only = module:get_option("s2s_require_encryption"); |
15 local secure_s2s_only = module:get_option("s2s_require_encryption"); |
16 |
16 |
|
17 local global_ssl_ctx = prosody.global_ssl_ctx; |
|
18 |
17 module:add_handler("c2s_unauthed", "starttls", xmlns_starttls, |
19 module:add_handler("c2s_unauthed", "starttls", xmlns_starttls, |
18 function (session, stanza) |
20 function (session, stanza) |
19 if session.conn.starttls then |
21 if session.conn.starttls then |
20 session.send(st.stanza("proceed", { xmlns = xmlns_starttls })); |
22 session.send(st.stanza("proceed", { xmlns = xmlns_starttls })); |
21 session:reset_stream(); |
23 session:reset_stream(); |
22 if session.host and hosts[session.host].ssl_ctx_in then |
24 local ssl_ctx = session.host and hosts[session.host].ssl_ctx_in or global_ssl_ctx; |
23 session.conn:set_sslctx(hosts[session.host].ssl_ctx_in); |
25 session.conn:starttls(ssl_ctx); |
24 end |
|
25 session.conn:starttls(); |
|
26 session.log("info", "TLS negotiation started..."); |
26 session.log("info", "TLS negotiation started..."); |
27 session.secure = false; |
27 session.secure = false; |
28 else |
28 else |
29 -- FIXME: What reply? |
29 -- FIXME: What reply? |
30 session.log("warn", "Attempt to start TLS, but TLS is not available on this connection"); |
30 session.log("warn", "Attempt to start TLS, but TLS is not available on this connection"); |
34 module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls, |
34 module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls, |
35 function (session, stanza) |
35 function (session, stanza) |
36 if session.conn.starttls then |
36 if session.conn.starttls then |
37 session.sends2s(st.stanza("proceed", { xmlns = xmlns_starttls })); |
37 session.sends2s(st.stanza("proceed", { xmlns = xmlns_starttls })); |
38 session:reset_stream(); |
38 session:reset_stream(); |
39 if session.to_host and hosts[session.to_host].ssl_ctx_in then |
39 local ssl_ctx = session.to_host and hosts[session.to_host].ssl_ctx_in or global_ssl_ctx; |
40 session.conn:set_sslctx(hosts[session.to_host].ssl_ctx_in); |
40 session.conn:starttls(ssl_ctx); |
41 end |
|
42 session.conn:starttls(); |
|
43 session.log("info", "TLS negotiation started for incoming s2s..."); |
41 session.log("info", "TLS negotiation started for incoming s2s..."); |
44 session.secure = false; |
42 session.secure = false; |
45 else |
43 else |
46 -- FIXME: What reply? |
44 -- FIXME: What reply? |
47 session.log("warn", "Attempt to start TLS, but TLS is not available on this s2s connection"); |
45 session.log("warn", "Attempt to start TLS, but TLS is not available on this s2s connection"); |
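Review bot: In both handlers the TLS context is chosen only after `<proceed/>` has been sent and the stream reset, so when the host has no `ssl_ctx_in` and `prosody.global_ssl_ctx` is nil the peer is told to proceed and `session.conn:starttls(ssl_ctx)` is then called with nil. The `hosts[session.host]` and `hosts[session.to_host]` lookups are also indexed without a nil check; in the s2sin handler `to_host` presumably comes from the remote stream header, so an unknown host would raise inside the handler unless it is validated earlier, which is not visible here. Resolving the context first and adding it to the `if session.conn.starttls` guard covers both cases. The sketch below is for the c2s handler; the s2sin one would mirror it with `session.to_host` and `session.sends2s`. Both handler bodies continue past the end of the hunks shown.

```lua
function (session, stanza)
	-- Pick the context first so <proceed/> is never sent without one.
	local host = session.host and hosts[session.host];
	local ssl_ctx = host and host.ssl_ctx_in or global_ssl_ctx;
	if session.conn.starttls and ssl_ctx then
		-- … unchanged: send <proceed/>, reset_stream, starttls(ssl_ctx), log, session.secure = false …
	else
		-- … unchanged: FIXME and warn log …
```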