author | Gary Kramlich <grim@reaperworld.com> | 2017-12-08 02:01:18 +0000 |
---|---|---|
committer | Gary Kramlich <grim@reaperworld.com> | 2017-12-08 02:01:18 +0000 |
commit | fbabfee37f01e9fe286be74476ffdad9fae4e905 (patch) | |
tree | 68e94188764280612d79c2179abec1658b87ac26 | |
parent | 5c3cf26f08de066f7631025d5113824ff2ce217a (diff) | |
parent | e04b1b510b0a51f9136958326294f2b4a7779edc (diff) | |
download | pidgin-fbabfee37f01e9fe286be74476ffdad9fae4e905.tar.gz |
Merged in yazawanico/main/release-2.x.y (pull request #293)
jabber.c: fix #17270, ignore STARTTLS when using BOSH.
Approved-by: Eion Robb <eionrobb@gmail.com>
Approved-by: Gary Kramlich <grim@reaperworld.com>
-rw-r--r-- | libpurple/protocols/jabber/jabber.c | 37 |
1 files changed, 18 insertions, 19 deletions
diff --git a/libpurple/protocols/jabber/jabber.c b/libpurple/protocols/jabber/jabber.c
index de1de6b944..ca6640ed02 100644
--- a/libpurple/protocols/jabber/jabber.c
+++ b/libpurple/protocols/jabber/jabber.c 
@@ -220,33 +220,32 @@ jabber_process_starttls(JabberStream *js, xmlnode *packet)
 account = purple_connection_get_account(js->gc);
-#if 0
- /*
- * This code DOES NOT EXIST, will never be enabled by default, and
- * will never ever be supported (by me).
- * It's literally *only* for developer testing.
+ /* It's a secure BOSH connection, just return FALSE and skip, without doing anything extra.
+ * XEP-0206 (XMPP Over BOSH): The client SHOULD ignore any Transport Layer Security (TLS)
+ * feature since BOSH channel encryption SHOULD be negotiated at the HTTP layer.
+ *
+ * Note: we are already receiving STARTTLS at this point from a SSL/TLS BOSH connection,
+ * so it is not necessary to check if purple_ssl_is_supported().
 */
- {
- const gchar *connection_security = purple_account_get_string(account, "connection_security", JABBER_DEFAULT_REQUIRE_TLS);
- if (!purple_strequal(connection_security, "none") &&
- purple_ssl_is_supported()) {
- jabber_send_raw(js,
- "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>", -1);
- return TRUE;
- }
+ if (js->bosh && jabber_bosh_connection_is_ssl(js->bosh)) {
+ return FALSE;
 }
-#else
- if(purple_ssl_is_supported()) {
+
+ /* Otherwise, it's a standard XMPP connection, or a HTTP (insecure) BOSH connection.
+ * We request STARTTLS for standard XMPP connections, but we do nothing for insecure
+ * BOSH connections, per XEP-0206. */
+ if(purple_ssl_is_supported() && !js->bosh) {
 jabber_send_raw(js, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>", -1);
 return TRUE;
- } else {
- purple_debug_warning("jabber", "No libpurple TLS/SSL support found.");
 }
-#endif
+ /* It's an insecure standard XMPP connection, or an insecure BOSH connection, let's
+ * ignore STARTTLS even it's required by the server to prevent disabling HTTP BOSH
+ * entirely (sysadmin is responsible to provide HTTPS-only BOSH if security is required),
+ * and emit errors if encryption is required by the user. 
 */
 starttls = xmlnode_get_child(packet, "starttls");
- if(xmlnode_get_child(starttls, "required")) {
+ if(!js->bosh && xmlnode_get_child(starttls, "required")) {
 purple_connection_error_reason(js->gc, PURPLE_CONNECTION_ERROR_NO_SSL_SUPPORT, _("Server requires TLS/SSL, but no TLS/SSL support was found.")); |
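Review bot: The new comment above `starttls = xmlnode_get_child(packet, "starttls");` promises to "emit errors if encryption is required by the user", but the guarded check `if(!js->bosh && xmlnode_get_child(starttls, "required"))` only reacts to the server's `<required/>` on non-BOSH streams, and nothing left in this hunk reads the account's `connection_security` setting (the only such read was in the deleted `#if 0` block), so a plain-HTTP BOSH session whose user asked for mandatory TLS falls through to cleartext without any error from this function. If that user-preference check is enforced by the caller, the comment should say where, e.g. `/* The account's require-TLS preference is checked by the caller, not here. */`; if it is not, this is the place to fail the connection rather than continue unencrypted. The removed `purple_debug_warning("jabber", "No libpurple TLS/SSL support found.");` was also the only diagnostic for a non-BOSH stream that proceeds in cleartext because TLS support is absent, and keeping it in the fall-through path would preserve that signal for operators. Within this hunk `account` is now assigned but never used; jabber_process_starttls begins before and continues after the hunk, so confirm the remaining body before dropping the assignment.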