Hi,

I've read the XMPP TLS manifesto and I'd like to enforce it. But gmail.com 
doesn't do TLS and I'd like to exclude just this one.

I know that this is not ideal, but that's still better for me than the 
current status: not enforcing TLS for anyone.

The following patches are based on trunk sources and have been tested with 
0.9.4 at im.siosm.fr.

The first patch adds the "s2s_no_encryption_domains" option to require 
encryption for everyone but gmail.com, and updates the default configuration.
The second patch adds the commented ipv6 option to the default config.

Cheers,

Tim

----

diff -r f400a4cdf352 plugins/mod_s2s/mod_s2s.lua
--- a/plugins/mod_s2s/mod_s2s.lua       Sat May 17 18:17:34 2014 +0100
+++ b/plugins/mod_s2s/mod_s2s.lua       Wed May 21 03:05:30 2014 +0200
@@ -35,8 +35,10 @@
 local stream_close_timeout = module:get_option_number("s2s_close_timeout", 
5);
 local opt_keepalives = module:get_option_boolean("s2s_tcp_keepalives", 
module:get_option_boolean("tcp_keepalives", true));
 local secure_auth = module:get_option_boolean("s2s_secure_auth", false); 
-- One day...
-local secure_domains, insecure_domains =
-       module:get_option_set("s2s_secure_domains", {})._items, 
module:get_option_set("s2s_insecure_domains", {})._items;
+local secure_domains, insecure_domains, no_encryption_domains =
+       module:get_option_set("s2s_secure_domains", {})._items,
+       module:get_option_set("s2s_insecure_domains", {})._items,
+       module:get_option_set("s2s_no_encryption_domains", {})._items;
 local require_encryption = 
module:get_option_boolean("s2s_require_encryption", false);
 
 local sessions = module:shared("sessions");
@@ -199,7 +201,7 @@
 function make_authenticated(event)
        local session, host = event.session, event.host;
        if not session.secure then
-               if require_encryption or (secure_auth and 
not(insecure_domains[host])) or secure_domains[host] then
+               if secure_domains[host] or not(no_encryption_domains[host]) 
and (require_encryption or (secure_auth and not(insecure_domains[host]))) 
then
                        session:close({
                                condition = "policy-violation",
                                text = "Encrypted server-to-server 
communication is required but was not "
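Review bot: The rewritten `if` at the top of this hunk mixes `or` and `and` with no grouping parentheses, so its meaning rests on Lua giving `and` higher precedence than `or`; it does parse as intended (`secure_domains[host]` wins, otherwise the host must not be in `no_encryption_domains` for the encryption requirement to apply), but a reader has to know that rule to see it. The same grouping also means a host listed in `s2s_no_encryption_domains` is exempted not only from `s2s_require_encryption` but from the unencrypted-session check that `s2s_secure_auth` would otherwise impose, which is worth stating next to the condition. I would make the structure explicit: `if secure_domains[host] or (not no_encryption_domains[host] and (require_encryption or (secure_auth and not insecure_domains[host]))) then`, preceded by `-- s2s_secure_domains overrides s2s_no_encryption_domains; a host in the latter skips both encryption checks`. The `session:close` call and the rest of make_authenticated continue outside the hunk.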
diff -r f400a4cdf352 prosody.cfg.lua.dist
--- a/prosody.cfg.lua.dist      Sat May 17 18:17:34 2014 +0100
+++ b/prosody.cfg.lua.dist      Wed May 21 03:05:30 2014 +0200
@@ -96,6 +100,16 @@
 
 c2s_require_encryption = true
 
+-- Force encrypted server-to-server connections? This option will
+-- prevent servers from connecting unless they are using encryption.
+
+s2s_require_encryption = true
+
+-- Some servers don't support encryption. You can list domains here
+-- that will not require an encrypted connection.
+
+s2s_no_encryption_domains = { "gmail.com" }
+
 -- Force certificate authentication for server-to-server connections?
 -- This provides ideal security, but requires servers you communicate
 -- with to support encryption AND present valid, trusted certificates.
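Review bot: The new `s2s_no_encryption_domains = { "gmail.com" }` line ships uncommented in the default configuration, so every fresh install carries an active per-domain exemption from the encryption requirement, whereas the neighbouring `s2s_insecure_domains` and `s2s_secure_domains` examples in this file are commented out. Exempting a remote domain from TLS is a trust decision the administrator should make explicitly; I would ship it as `--s2s_no_encryption_domains = { "gmail.com" }` to match the other examples. The comment above it should also state what the mod_s2s.lua change actually implements: a listed domain is exempt even when `s2s_secure_auth` is enabled, and `s2s_secure_domains` takes precedence over this list (the precedence note currently appears only under `s2s_secure_domains` in the next hunk).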
@@ -104,14 +118,15 @@
 
 s2s_secure_auth = false
 
--- Many servers don't support encryption or have invalid or self-signed
--- certificates. You can list domains here that will not be required to
--- authenticate using certificates. They will be authenticated using DNS.
+-- Many servers have invalid or self-signed certificates. You can list
+-- domains here that will not be required to authenticate using 
certificates.
+-- They will be authenticated using DNS.
 
 --s2s_insecure_domains = { "gmail.com" }
 
 -- Even if you leave s2s_secure_auth disabled, you can still require valid
--- certificates for some domains by specifying a list here.
+-- certificates for some domains by specifying a list here. This overrides
+-- s2s_no_encryption_domains.
 
 --s2s_secure_domains = { "jabber.org" }
 

----

diff -r f400a4cdf352 prosody.cfg.lua.dist
--- a/prosody.cfg.lua.dist      Sat May 17 18:17:34 2014 +0100
+++ b/prosody.cfg.lua.dist      Wed May 21 03:05:30 2014 +0200
@@ -26,6 +26,10 @@
 -- For more information see: http://prosody.im/doc/libevent
 --use_libevent = true
 
+-- Enable IPv6 support
+-- For more information see: http://prosody.im/doc/ipv6
+--use_ipv6 = true
+
 -- This is the list of modules Prosody will load on startup.
 -- It looks for mod_modulename.lua in the plugins folder, so make sure 
that exists too.
 -- Documentation on modules can be found at: http://prosody.im/doc/modules
