12 local xmlns_starttls = 'urn:ietf:params:xml:ns:xmpp-tls'; |
12 local xmlns_starttls = 'urn:ietf:params:xml:ns:xmpp-tls'; |
13 |
13 |
14 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption"); |
14 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption"); |
15 local secure_s2s_only = module:get_option("s2s_require_encryption"); |
15 local secure_s2s_only = module:get_option("s2s_require_encryption"); |
16 |
16 |
|
17 local host = hosts[module.host]; |
|
18 |
17 module:add_handler("c2s_unauthed", "starttls", xmlns_starttls, |
19 module:add_handler("c2s_unauthed", "starttls", xmlns_starttls, |
18 function (session, stanza) |
20 function (session, stanza) |
19 if session.conn.starttls then |
21 if session.conn.starttls and host.ssl_ctx_in then |
20 session.send(st.stanza("proceed", { xmlns = xmlns_starttls })); |
22 session.send(st.stanza("proceed", { xmlns = xmlns_starttls })); |
21 session:reset_stream(); |
23 session:reset_stream(); |
22 if session.host and hosts[session.host].ssl_ctx_in then |
24 if session.host and hosts[session.host].ssl_ctx_in then |
23 session.conn.set_sslctx(hosts[session.host].ssl_ctx_in); |
25 session.conn.set_sslctx(hosts[session.host].ssl_ctx_in); |
24 end |
26 end |
25 session.conn.starttls(); |
27 session.conn.starttls(); |
26 session.log("info", "TLS negotiation started..."); |
28 session.log("info", "TLS negotiation started..."); |
27 session.secure = false; |
29 session.secure = false; |
28 else |
30 else |
29 -- FIXME: What reply? |
|
30 session.log("warn", "Attempt to start TLS, but TLS is not available on this connection"); |
31 session.log("warn", "Attempt to start TLS, but TLS is not available on this connection"); |
|
32 (session.sends2s or session.send)(st.stanza("failure", { xmlns = xmlns_starttls })); |
|
33 session:close(); |
31 end |
34 end |
32 end); |
35 end); |
33 |
36 |
34 module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls, |
37 module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls, |
35 function (session, stanza) |
38 function (session, stanza) |
36 if session.conn.starttls then |
39 if session.conn.starttls and host.ssl_ctx_in then |
37 session.sends2s(st.stanza("proceed", { xmlns = xmlns_starttls })); |
40 session.sends2s(st.stanza("proceed", { xmlns = xmlns_starttls })); |
38 session:reset_stream(); |
41 session:reset_stream(); |
39 if session.to_host and hosts[session.to_host].ssl_ctx_in then |
42 if session.to_host and hosts[session.to_host].ssl_ctx_in then |
40 session.conn.set_sslctx(hosts[session.to_host].ssl_ctx_in); |
43 session.conn.set_sslctx(hosts[session.to_host].ssl_ctx_in); |
41 end |
44 end |
42 session.conn.starttls(); |
45 session.conn.starttls(); |
43 session.log("info", "TLS negotiation started for incoming s2s..."); |
46 session.log("info", "TLS negotiation started for incoming s2s..."); |
44 session.secure = false; |
47 session.secure = false; |
45 else |
48 else |
46 -- FIXME: What reply? |
|
47 session.log("warn", "Attempt to start TLS, but TLS is not available on this s2s connection"); |
49 session.log("warn", "Attempt to start TLS, but TLS is not available on this s2s connection"); |
|
50 (session.sends2s or session.send)(st.stanza("failure", { xmlns = xmlns_starttls })); |
|
51 session:close(); |
48 end |
52 end |
49 end); |
53 end); |
50 |
54 |
51 |
55 |
52 local starttls_attr = { xmlns = xmlns_starttls }; |
56 local starttls_attr = { xmlns = xmlns_starttls }; |
64 |
68 |
65 module:hook("s2s-stream-features", |
69 module:hook("s2s-stream-features", |
66 function (data) |
70 function (data) |
67 local session, features = data.session, data.features; |
71 local session, features = data.session, data.features; |
68 if session.to_host and session.conn.starttls then |
72 if session.to_host and session.conn.starttls then |
69 features:tag("starttls", starttls_attr):up(); |
73 features:tag("starttls", starttls_attr); |
70 if secure_s2s_only then |
74 if secure_s2s_only then |
71 features:tag("required"):up():up(); |
75 features:tag("required"):up():up(); |
72 else |
76 else |
73 features:up(); |
77 features:up(); |
74 end |
78 end |
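Review bot: The `s2s-stream-features` hook (new lines 72–73) still offers `<starttls/>` whenever `session.conn.starttls` exists, while both handlers now refuse unless `host.ssl_ctx_in` is set, so a host with no TLS context advertises STARTTLS (marked `<required/>` when `s2s_require_encryption` is on) and then answers the request with `<failure/>` and closes the session. Using the same condition on the offer, `if session.to_host and session.conn.starttls and host.ssl_ctx_in then`, keeps the advertisement and the handler in agreement; the c2s features hook is not shown here and probably needs the same check. Separately, the s2s handler's guard tests the module host's context but the context it installs comes from `hosts[session.to_host]`, so when `to_host` is unset or that host has no context, `starttls()` appears to run with whatever context the connection already carries; testing the context that will actually be used would close that gap. The hook's body continues past the end of this hunk.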