--- a/libpurple/protocols/jabber/jabber.c Sat Nov 25 15:52:27 2017 -0600
+++ b/libpurple/protocols/jabber/jabber.c Fri Dec 08 02:01:18 2017 +0000
@@ -220,33 +220,32 @@
account = purple_connection_get_account(js->gc);
- * This code DOES NOT EXIST, will never be enabled by default, and
- * will never ever be supported (by me).
- * It's literally *only* for developer testing.
+ /* It's a secure BOSH connection, just return FALSE and skip, without doing anything extra.
+ * XEP-0206 (XMPP Over BOSH): The client SHOULD ignore any Transport Layer Security (TLS)
+ * feature since BOSH channel encryption SHOULD be negotiated at the HTTP layer.
+ * Note: we are already receiving STARTTLS at this point from a SSL/TLS BOSH connection,
+ * so it is not necessary to check if purple_ssl_is_supported().
- const gchar *connection_security = purple_account_get_string(account, "connection_security", JABBER_DEFAULT_REQUIRE_TLS);
- if (!purple_strequal(connection_security, "none") &&
- purple_ssl_is_supported()) {
- "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>", -1);
+ if (js->bosh && jabber_bosh_connection_is_ssl(js->bosh)) {
- if(purple_ssl_is_supported()) {
+ /* Otherwise, it's a standard XMPP connection, or a HTTP (insecure) BOSH connection.
+ * We request STARTTLS for standard XMPP connections, but we do nothing for insecure
+ * BOSH connections, per XEP-0206. */
+ if(purple_ssl_is_supported() && !js->bosh) {
"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>", -1);
- purple_debug_warning("jabber", "No libpurple TLS/SSL support found.");
+ /* It's an insecure standard XMPP connection, or an insecure BOSH connection, let's
+ * ignore STARTTLS even it's required by the server to prevent disabling HTTP BOSH
+ * entirely (sysadmin is responsible to provide HTTPS-only BOSH if security is required),
+ * and emit errors if encryption is required by the user. */
starttls = xmlnode_get_child(packet, "starttls");
- if(xmlnode_get_child(starttls, "required")) {
+ if(!js->bosh && xmlnode_get_child(starttls, "required")) {
purple_connection_error_reason(js->gc,
PURPLE_CONNECTION_ERROR_NO_SSL_SUPPORT,
_("Server requires TLS/SSL, but no TLS/SSL support was found."));