authorHolger Weiss <holger@zedat.fu-berlin.de>2014-04-24 11:04:10 +0200
committerHolger Weiss <holger@zedat.fu-berlin.de>2014-04-24 11:04:10 +0200
commitd805d198acae4284a0f8512305c9180c2ac9dd08 (patch)
tree23b07e35ddc8695bf229a7234ce2a07e11d798ca
parentMerge pull request #176 from hamano/devel (diff)
Check TLS state before requesting SASL EXTERNAL
Make sure a remote server can't circumvent "s2s_use_starttls: required" by offering SASL EXTERNAL authentication over a non-TLS connection.
-rw-r--r--src/ejabberd_s2s_out.erl4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/ejabberd_s2s_out.erl b/src/ejabberd_s2s_out.erl
index a0a83631d..e404207cd 100644
--- a/src/ejabberd_s2s_out.erl
+++ b/src/ejabberd_s2s_out.erl
@@ -578,7 +578,9 @@ wait_for_features({xmlstreamelement, El}, StateData) ->
{next_state, stream_established,
StateData#state{queue = queue:new()}};
SASLEXT and StateData#state.try_auth and
- (StateData#state.new /= false) ->
+ (StateData#state.new /= false) and
+ (StateData#state.tls_enabled or
+ not StateData#state.tls_required) ->
send_element(StateData,
#xmlel{name = <<"auth">>,
attrs =
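Review bot: The added condition on the `SASLEXT` clause still allows SASL EXTERNAL to be requested over a plaintext connection whenever `tls_required` is false, so the pre-patch behaviour survives for every configuration that does not set "required". EXTERNAL normally takes the peer identity from the TLS certificate, so unless a plaintext path is deliberately kept (not visible here), the condition could be reduced to `(StateData#state.tls_enabled)`. If the plaintext case is intended, a comment such as `%% EXTERNAL without TLS is tolerated only when s2s_use_starttls is not "required"` would record that. The enclosing `if` in `wait_for_features` begins and ends outside the hunk, so confirm that the clauses after this one do not let a `tls_required` connection continue without TLS once this guard fails.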