Commit 4bdbde1a authored by Dave Cridland's avatar Dave Cridland

OF-1081 Enforce StartTLS policy even when dialback enabled

parent 7a1d02a5
......@@ -154,6 +154,9 @@ public class SocketConnection implements Connection {
xmlSerializer = new XMLSocketWriter(writer, this);
instances.put(this, "");
// Default this sensibly.
this.tlsPolicy = this.getConfiguration().getTlsPolicy();
}
/**
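Review bot: The comment `// Default this sensibly.` on the added line says nothing about where the default comes from or why it matters; since the commit is about sessions enforcing the listener's policy, replace it with `// Default to the TLS policy of the listener configuration; sessions read this instead of deriving their own (OF-1081).` The assignment also calls `this.getConfiguration()` from inside the constructor; if that method is overridable, it runs before any subclass state is initialised, so it is worth confirming it is final or only reads fields already set at this point. The constructor starts outside the hunk.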
......@@ -483,6 +483,14 @@ public class ServerDialback {
final Logger log = LoggerFactory.getLogger( Log.getName() + "[Acting as Receiving Server: Validate domain:" + recipient + "(id " + streamID + ") for OS: " + remoteDomain + "]" );
log.debug( "Validating domain...");
if (connection.getTlsPolicy() == Connection.TLSPolicy.required &&
!connection.isSecure()) {
connection.deliverRawText(new StreamError(StreamError.Condition.policy_violation).toXML());
// Close the underlying connection
connection.close();
return false;
}
if (!RemoteServerManager.canAccess(remoteDomain)) {
connection.deliverRawText(new StreamError(StreamError.Condition.policy_violation).toXML());
// Close the underlying connection
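Review bot: The added rejection at the top of the hunk closes the connection without recording why, while `log.debug( "Validating domain...");` just above makes the failure look like an ordinary validation step; add `log.info("Rejecting dialback validation for {}: TLS policy is 'required' but the connection is not secure.", remoteDomain);` before the `deliverRawText` call. Both this branch and the `canAccess` branch below answer the peer with the same `policy_violation` stream error, so a log line is the only way an operator can tell a TLS-policy refusal from an access-control one. The enclosing method starts and ends outside the hunk.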
......@@ -152,9 +152,7 @@ public class LocalIncomingServerSession extends LocalServerSession implements In
// Remote server is XMPP 1.0 compliant so offer TLS and SASL to establish the connection (and server dialback)
// Indicate the TLS policy to use for this connection
Connection.TLSPolicy tlsPolicy =
ServerDialback.isEnabled() ? Connection.TLSPolicy.optional :
Connection.TLSPolicy.required;
Connection.TLSPolicy tlsPolicy = connection.getTlsPolicy();
boolean hasCertificates = false;
try {
hasCertificates = XMPPServer.getInstance().getCertificateStoreManager().getIdentityStore( ConnectionType.SOCKET_S2S ).getStore().size() > 0;
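Review bot: The replacement `Connection.TLSPolicy tlsPolicy = connection.getTlsPolicy();` keeps the old comment `// Indicate the TLS policy to use for this connection`, which no longer conveys the actual change — that the policy is not relaxed to `optional` when dialback is enabled; change it to `// Use the TLS policy configured on the connection; it is not relaxed when dialback is enabled (OF-1081)`. The local is not reassigned in the visible lines, so `final Connection.TLSPolicy tlsPolicy = connection.getTlsPolicy();` would document that. Whether every `Connection` implementation initialises its policy is not visible here; if one can leave it unset, comparisons against `required` would silently pass, so it may be worth confirming against the implementations. The enclosing method starts and ends outside the hunk.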
......@@ -312,6 +312,11 @@ public class LocalOutgoingServerSession extends LocalServerSession implements Ou
}
log.debug( "Unable to secure and authenticate the connection with TLS & SASL." );
}
else if (connection.getTlsPolicy() == Connection.TLSPolicy.required) {
log.debug("I have no StartTLS yet I must TLS");
connection.close();
return null;
}
// Check if we are going to try server dialback (XMPP 1.0)
else if (ServerDialback.isEnabled() && features.element("dialback") != null) {
log.debug( "Both us and the remote server support the 'dialback' feature. Authenticate the connection with dialback..." );
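Review bot: The message `log.debug("I have no StartTLS yet I must TLS");` in the new `else if` branch is hard to interpret in a log and is emitted at debug level although it records a connection refused by local policy; the same message is added again in the second hunk of this file. Something like `log.info("Closing connection: the remote server does not offer StartTLS but the local TLS policy is 'required'.");` states what happened and is visible under default logging. Separately, the new check only runs when the first `if` branch was not taken; if that branch (StartTLS offered but securing or authenticating failed without an exception) can still reach a dialback attempt further down, the required policy is not re-checked on that path, which is worth confirming. The enclosing method starts and ends outside the hunk.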
......@@ -340,9 +345,12 @@ public class LocalOutgoingServerSession extends LocalServerSession implements Ou
}
log.debug( "Something went wrong so close the connection and try server dialback over a plain connection" );
if (connection != null) {
if (connection.getTlsPolicy() == Connection.TLSPolicy.required) {
log.debug("I have no StartTLS yet I must TLS");
connection.close();
return null;
}
connection.close();
}
catch (SSLHandshakeException e)
{
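Review bot: Inside `if (connection != null)` the added branch closes the connection and returns, and the pre-existing `connection.close();` right after it does the same for the other case, so the close is now written twice in one block. Closing once and then deciding whether to bail out reads more directly, and reading the policy before `close()` avoids querying a connection that has already been shut down. The message wording is the one discussed on the first hunk of this file. The enclosing try/catch extends beyond the hunk on both sides.
```java
if (connection != null) {
    // Falling back to dialback over a plain connection is only allowed when TLS is not mandatory.
    final boolean tlsRequired = connection.getTlsPolicy() == Connection.TLSPolicy.required;
    connection.close();
    if (tlsRequired) {
        log.info("Not falling back to server dialback over a plain connection: local TLS policy is 'required'.");
        return null;
    }
}
```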