From a340aa9c743c26b302aa94bb4eae3e80e74aa659 Mon Sep 17 00:00:00 2001
From: Guus der Kinderen
Date: Sat, 4 Jan 2025 18:48:48 +0100
Subject: [PATCH] OF-2942: Give up S2S attempts immediately on conflicting settings

Abort outbound server-to-server attempts immediately (rather than waiting for a timeout), when:
- the remote peer requires encryption, but the local server cannot do encryption
- authentication mechanisms are exhausted (eg: no client cert for EXTERNAL, and Dialback unavailable)
---
 .../net/RespondingServerStanzaHandler.java | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/xmppserver/src/main/java/org/jivesoftware/openfire/net/RespondingServerStanzaHandler.java b/xmppserver/src/main/java/org/jivesoftware/openfire/net/RespondingServerStanzaHandler.java
index 5a61c3c58b..efa479b1c4 100644
--- a/xmppserver/src/main/java/org/jivesoftware/openfire/net/RespondingServerStanzaHandler.java
+++ b/xmppserver/src/main/java/org/jivesoftware/openfire/net/RespondingServerStanzaHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2023-2024 Ignite Realtime Foundation. All rights reserved.
+ * Copyright (C) 2023-2025 Ignite Realtime Foundation. All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -72,6 +72,10 @@ private static boolean remoteFeaturesContainsStartTLS(Element doc) {
 return doc.element("starttls") != null;
 }
 
+ private static boolean remoteFeaturesRequiresStartTLS(Element doc) {
+ return remoteFeaturesContainsStartTLS(doc) && doc.element("starttls").element("required") != null;
+ }
+
 private static boolean isSaslExternalOfferred(Element doc) {
 boolean saslEXTERNALoffered = false;
 if (doc.element("mechanisms") != null) {
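Review bot: `remoteFeaturesRequiresStartTLS` looks up `doc.element("starttls")` twice, once inside `remoteFeaturesContainsStartTLS` and once on the chained call, and the chain is only null-safe because the first call happens to guard it; a reader has to open the sibling helper to see that it cannot throw. Binding the element once keeps the null check local and leaves a single place to tighten the lookup later, e.g. `final Element starttls = doc.element("starttls"); return starttls != null && starttls.element("required") != null;`. A one-line Javadoc stating that `doc` is presumably the peer's stream-features element and that a `<required/>` child is how RFC 6120 signals mandatory STARTTLS would also help, since neither helper documents what `doc` is; that is inferred from the surrounding names rather than visible here.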
@@ -194,6 +198,10 @@ boolean processUnknowPacket(Element doc) {
 LOG.debug("I MUST use TLS but I have no StartTLS in features.");
 abandonSessionInitiation();
 return false;
+ } else if (cannotUseTls() && remoteFeaturesRequiresStartTLS(doc)) {
+ LOG.debug("I CANNOT use TLS but remote server requires the STARTTLS feature.");
+ abandonSessionInitiation();
+ return false;
 }
 
 // Authentication ------
@@ -227,6 +235,7 @@ boolean processUnknowPacket(Element doc) {
 return true;
 } else {
 LOG.debug("No authentication mechanism available.");
+ abandonSessionInitiation();
 return false;
 }
 }
@@ -332,6 +341,10 @@ private boolean mustUseTls() {
 return connection.getConfiguration().getTlsPolicy() == Connection.TLSPolicy.required;
 }
 
+ private boolean cannotUseTls() {
+ return connection.getConfiguration().getTlsPolicy() == Connection.TLSPolicy.disabled;
+ }
+
 @Override
 void startTLS() throws Exception {
 connection.startTLS(true, false);
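Review bot: The new abort branch in `processUnknowPacket` (and the `abandonSessionInitiation()` added to the "No authentication mechanism available." branch in the following hunk) only logs at debug, so a production deployment whose outbound federation to a peer now fails fast gets no visible explanation of why the session was given up. Both cases are configuration conflicts an operator must resolve, the first being a peer that demands encryption while the local TLS policy disables it, so logging at info or warn and naming the remote domain, if this handler has it available, would make the fast-fail actionable, e.g. `LOG.warn("Abandoning outbound S2S to {}: remote requires STARTTLS but local TLS policy is 'disabled'.", <remote-domain>);`. The enclosing `processUnknowPacket` method starts before and ends after this hunk, so the condition of the preceding `mustUseTls()` branch is not visible here.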
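Review bot: `cannotUseTls()` carries no Javadoc, and its relationship to `mustUseTls()` directly above is only implicit: one matches `TLSPolicy.required`, the other `TLSPolicy.disabled`, and any other policy value falls through both predicates. A one-line Javadoc such as `/** True when the local TLS policy is {@code disabled}, i.e. this connection can never satisfy a peer that requires STARTTLS. */` would document that intent. Since both helpers read `connection.getConfiguration().getTlsPolicy()`, a single `switch` over the policy at the call site in `processUnknowPacket` would keep the two cases from drifting apart, though keeping the paired helpers is a reasonable stylistic choice.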