Merge pull request #316 from weiss/really-require-tls

Make sure "starttls_required" can't be bypassed
author: Evgeny Khramtsov <xramtsov@gmail.com> 2014-10-12 11:05:49 +0400
committer: Evgeny Khramtsov <xramtsov@gmail.com> 2014-10-12 11:05:49 +0400
commit: 97fa57c360af4ae534d0a07dfedcddb2f1a3c70c (patch)
tree: 7712041c6323e6fc9e9125551479467af9d53113 /src
parent: Fix list unblocking when Riak is used as a backend (diff)
parent: Make sure "starttls_required" can't be bypassed (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/src/ejabberd_c2s.erl b/src/ejabberd_c2s.erl
index 9bfe225cf..1591e6ffa 100644
--- a/src/ejabberd_c2s.erl
+++ b/src/ejabberd_c2s.erl
@@ -735,7 +735,7 @@ wait_for_feature_request({xmlstreamelement, El},
 	(StateData#state.sockmod):get_sockmod(StateData#state.socket),
     case {xml:get_attr_s(<<"xmlns">>, Attrs), Name} of
       {?NS_SASL, <<"auth">>}
-	  when not ((SockMod == gen_tcp) and TLSRequired) ->
+	  when TLSEnabled or not TLSRequired ->
 	  Mech = xml:get_attr_s(<<"mechanism">>, Attrs),
 	  ClientIn = jlib:decode_base64(xml:get_cdata(Els)),
 	  case cyrsasl:server_start(StateData#state.sasl_state,
@@ -856,7 +856,7 @@ wait_for_feature_request({xmlstreamelement, El},
 		end
 	  end;
       _ ->
-	  if (SockMod == gen_tcp) and TLSRequired ->
+	  if TLSRequired and not TLSEnabled ->
 		 Lang = StateData#state.lang,
 		 send_element(StateData,
 			      ?POLICY_VIOLATION_ERR(Lang,
author	Evgeny Khramtsov <xramtsov@gmail.com>	2014-10-12 11:05:49 +0400
committer	Evgeny Khramtsov <xramtsov@gmail.com>	2014-10-12 11:05:49 +0400
commit	97fa57c360af4ae534d0a07dfedcddb2f1a3c70c (patch)
tree	7712041c6323e6fc9e9125551479467af9d53113 /src
parent	Fix list unblocking when Riak is used as a backend (diff)
parent	Make sure "starttls_required" can't be bypassed (diff)