cryptotoad / prosody-modules

Automatically exported from code.google.com/p/prosody-modules
MIT License
0 stars 2 forks source link

s2s_never_encrypt_blacklist does not seem to work #59

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
s2s_never_encrypt_blacklist does not seem to work. I have set modules_enabled = 
{… "s2s_never_encrypt_blacklist", …} and tls_s2s_blacklist = { "web.de", 
"gmx.net", "gmail.com" }, but still it tries to connect to those servers using 
starttls: E.g. "gmx.de is offering TLS, taking up the offer..."

Using the hostname instead of the JID domainname does not make a difference.

I am using a Prosody 0.10 snapshot (6100:a868d5d6a83f) and Prosody Modules 
1490:b06b5ac5714b.

Minor usability notes:
* Please document whether the option requires actual hostnames or whether the 
domainname works.
* The option name tls_s2s_blacklist does not match the scheme of other options. 
s2s_blacklist_tls might be better.
* To create more consistency, the module could be named mod_s2s_blacklist_tls.
* In that context mod_disable_tls might be better named mod_c2s_disable_tls, 
too.

Original issue reported on code.google.com by devuran...@gmx.net on 18 Aug 2014 at 7:06

GoogleCodeExporter commented 9 years ago
I was wrong, maybe I looked at old output. Disabling encryption seems to work:
s2s_never_encrypt_blacklist    debug   disabling tls on incoming stream from 
web.de...

But in the end it does not help, because Prosody will reject all those servers 
with a policy-violation error:
Encrypted server-to-server communication is required but was not offered

So s2s_never_encrypt_blacklist should include the provisions Timothée Ravier 
made in his patch at 
https://groups.google.com/forum/#!topic/prosody-dev/NH6LBuwjCj4

Original comment by devuran...@gmx.net on 18 Aug 2014 at 12:14