From 7bdc1151b11d26d33649c5cce2817b74a4f231a8 Mon Sep 17 00:00:00 2001 From: Holger Weiss Date: Sun, 12 Oct 2014 02:08:08 +0200 Subject: [PATCH] Make sure "starttls_required" can't be bypassed Don't allow clients to circumvent the "starttls_required" option by enabling XMPP stream compression. --- src/ejabberd_c2s.erl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/ejabberd_c2s.erl b/src/ejabberd_c2s.erl index 9bfe225..1591e6f 100644 --- a/src/ejabberd_c2s.erl +++ b/src/ejabberd_c2s.erl @@ -718,7 +718,7 @@ wait_for_feature_request({xmlstreamelement, El}, (StateData#state.sockmod):get_sockmod(StateData#state.socket), case {xml:get_attr_s(<<"xmlns">>, Attrs), Name} of {?NS_SASL, <<"auth">>} - when not ((SockMod == gen_tcp) and TLSRequired) -> + when TLSEnabled or not TLSRequired -> Mech = xml:get_attr_s(<<"mechanism">>, Attrs), ClientIn = jlib:decode_base64(xml:get_cdata(Els)), case cyrsasl:server_start(StateData#state.sasl_state, @@ -832,7 +832,7 @@ wait_for_feature_request({xmlstreamelement, El}, end end; _ -> - if (SockMod == gen_tcp) and TLSRequired -> + if TLSRequired and not TLSEnabled -> Lang = StateData#state.lang, send_element(StateData, ?POLICY_VIOLATION_ERR(Lang, -- 2.1.2