Merge pull request #694 from surevine/of1081

OF-1081 Enforce StartTLS policy even when dialback enabled

src/java/org/jivesoftware/openfire/net/SocketConnection.java

@@ -154,6 +154,9 @@ public class SocketConnection implements Connection {
         xmlSerializer = new XMLSocketWriter(writer, this);
 
         instances.put(this, "");
+
+        // Default this sensibly.
+        this.tlsPolicy = this.getConfiguration().getTlsPolicy();
     }
 
     /**

src/java/org/jivesoftware/openfire/server/ServerDialback.java

@@ -483,6 +483,14 @@ public class ServerDialback {
         final Logger log = LoggerFactory.getLogger( Log.getName() + "[Acting as Receiving Server: Validate domain:" + recipient + "(id " + streamID + ") for OS: " + remoteDomain + "]" );
 
         log.debug( "Validating domain...");
+        if (connection.getTlsPolicy() == Connection.TLSPolicy.required &&
+                !connection.isSecure()) {
+            connection.deliverRawText(new StreamError(StreamError.Condition.policy_violation).toXML());
+            // Close the underlying connection
+            connection.close();
+            return false;
+        }
+
         if (!RemoteServerManager.canAccess(remoteDomain)) {
             connection.deliverRawText(new StreamError(StreamError.Condition.policy_violation).toXML());
             // Close the underlying connection

src/java/org/jivesoftware/openfire/session/LocalIncomingServerSession.java

@@ -152,9 +152,7 @@ public class LocalIncomingServerSession extends LocalServerSession implements In
                 // Remote server is XMPP 1.0 compliant so offer TLS and SASL to establish the connection (and server dialback)
 
 	            // Indicate the TLS policy to use for this connection
-	            Connection.TLSPolicy tlsPolicy =
-	                    ServerDialback.isEnabled() ? Connection.TLSPolicy.optional :
-	                            Connection.TLSPolicy.required;
+	            Connection.TLSPolicy tlsPolicy = connection.getTlsPolicy();
 	            boolean hasCertificates = false;
 	            try {
 	                hasCertificates = XMPPServer.getInstance().getCertificateStoreManager().getIdentityStore( ConnectionType.SOCKET_S2S ).getStore().size() > 0;

src/java/org/jivesoftware/openfire/session/LocalOutgoingServerSession.java

@@ -312,6 +312,11 @@ public class LocalOutgoingServerSession extends LocalServerSession implements Ou
                         }
                         log.debug( "Unable to secure and authenticate the connection with TLS & SASL." );
                     }
+                    else if (connection.getTlsPolicy() == Connection.TLSPolicy.required) {
+                        log.debug("I have no StartTLS yet I must TLS");
+                        connection.close();
+                        return null;
+                    }
                     // Check if we are going to try server dialback (XMPP 1.0)
                     else if (ServerDialback.isEnabled() && features.element("dialback") != null) {
                         log.debug( "Both us and the remote server support the 'dialback' feature. Authenticate the connection with dialback..." );
@@ -340,9 +345,12 @@ public class LocalOutgoingServerSession extends LocalServerSession implements Ou
             }
 
             log.debug( "Something went wrong so close the connection and try server dialback over a plain connection" );
-            if (connection != null) {
+            if (connection.getTlsPolicy() == Connection.TLSPolicy.required) {
+                log.debug("I have no StartTLS yet I must TLS");
                 connection.close();
+                return null;
             }
+            connection.close();
         }
         catch (SSLHandshakeException e)
         {