Make sure "starttls_required" can't be bypassed
Don't allow clients to circumvent the "starttls_required" option by
enabling XMPP stream compression.
weiss committed Oct 12, 2014
1 parent 4bbf16b commit 7bdc115
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions src/ejabberd_c2s.erl
Expand Up @@ -735,7 +735,7 @@ wait_for_feature_request({xmlstreamelement, El},
(StateData#state.sockmod):get_sockmod(StateData#state.socket),
case {xml:get_attr_s(<<"xmlns">>, Attrs), Name} of
{?NS_SASL, <<"auth">>}
when not ((SockMod == gen_tcp) and TLSRequired) ->
when TLSEnabled or not TLSRequired ->
Mech = xml:get_attr_s(<<"mechanism">>, Attrs),
ClientIn = jlib:decode_base64(xml:get_cdata(Els)),
case cyrsasl:server_start(StateData#state.sasl_state,
Expand Down Expand Up @@ -856,7 +856,7 @@ wait_for_feature_request({xmlstreamelement, El},
end
end;
_ ->
if (SockMod == gen_tcp) and TLSRequired ->
if TLSRequired and not TLSEnabled ->
Lang = StateData#state.lang,
send_element(StateData,
?POLICY_VIOLATION_ERR(Lang,
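Review bot: Both new conditions, `when TLSEnabled or not TLSRequired` on the `auth` clause and `if TLSRequired and not TLSEnabled ->` in the fallback branch, rest on `TLSEnabled`, which is bound outside this hunk, so the bypass is closed only if that flag is set exclusively after STARTTLS has completed on this stream and can never be influenced by anything the client sends — worth confirming against where it is bound. The reason for dropping the `SockMod == gen_tcp` test is no longer visible in the code; I would put `%% Check the negotiated-TLS flag, not SockMod: enabling stream compression changes SockMod and let clients bypass starttls_required.` above the `auth` clause so nobody reintroduces the old check. Since the same predicate now appears at two sites in this function, binding it once (e.g. `TLSOk = TLSEnabled or not TLSRequired`) or a small `is_tls_satisfied/1` helper would keep the two from drifting apart. It may also be worth refusing the compression request itself while `TLSRequired and not TLSEnabled`, if that clause does not already do so (it is not in view here). The enclosing `wait_for_feature_request/2` clause starts and ends outside the hunk.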
