OF-2942: Give up S2S attempts immediately on conflicting settings

Abort outbound server-to-server attempts immediately (rather than waiting for a timeout), when: - the remote peer requires encryption, but the local server cannot do encryption - authentication mechanisms are exhausted (eg: no client cert for EXTERNAL, and Dialback unavailable)
igniterealtime · Jan 4, 2025 · a340aa9 · a340aa9
1 parent 2aa58ea
commit a340aa9
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/xmppserver/src/main/java/org/jivesoftware/openfire/net/RespondingServerStanzaHandler.java b/xmppserver/src/main/java/org/jivesoftware/openfire/net/RespondingServerStanzaHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2023-2024 Ignite Realtime Foundation. All rights reserved.
+ * Copyright (C) 2023-2025 Ignite Realtime Foundation. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -72,6 +72,10 @@ private static boolean remoteFeaturesContainsStartTLS(Element doc) {
         return doc.element("starttls") != null;
     }
 
+    private static boolean remoteFeaturesRequiresStartTLS(Element doc) {
+        return remoteFeaturesContainsStartTLS(doc) && doc.element("starttls").element("required") != null;
+    }
+
     private static boolean isSaslExternalOfferred(Element doc) {
         boolean saslEXTERNALoffered = false;
         if (doc.element("mechanisms") != null) {
@@ -194,6 +198,10 @@ boolean processUnknowPacket(Element doc) {
                 LOG.debug("I MUST use TLS but I have no StartTLS in features.");
                 abandonSessionInitiation();
                 return false;
+            } else if (cannotUseTls() && remoteFeaturesRequiresStartTLS(doc)) {
+                LOG.debug("I CANNOT use TLS but remote server requires the STARTTLS feature.");
+                abandonSessionInitiation();
+                return false;
             }
 
             // Authentication ------
@@ -227,6 +235,7 @@ boolean processUnknowPacket(Element doc) {
                 return true;
             } else {
                 LOG.debug("No authentication mechanism available.");
+                abandonSessionInitiation();
                 return false;
             }
         }
@@ -332,6 +341,10 @@ private boolean mustUseTls() {
         return connection.getConfiguration().getTlsPolicy() == Connection.TLSPolicy.required;
     }
 
+    private boolean cannotUseTls() {
+        return connection.getConfiguration().getTlsPolicy() == Connection.TLSPolicy.disabled;
+    }
+
     @Override
     void startTLS() throws Exception {
         connection.startTLS(true, false);