fix #774

Don't advertise sasl=EXTERNAL to clients who aren't connected over native TLS, since even if they have TLS configured locally and they enable a client certificate, that information will be discarded by the reverse proxy.
2022-05-06 13:09:09 -04:00 · 2022-05-06 13:09:09 -04:00 · 05eaf3a0d8
commit 05eaf3a0d8
parent a13235880c
3 changed files with 19 additions and 2 deletions
--- a/irc/config.go
+++ b/irc/config.go
@ -591,6 +591,7 @@ type Config struct {
 		supportedCaps            *caps.Set
 		supportedCapsWithoutSTS  *caps.Set
 		capValues                caps.Values
+		capValuesNoExternal      caps.Values
 		Casemapping              Casemapping
 		EnforceUtf8              bool                `yaml:"enforce-utf8"`
 		OutputPath               string              `yaml:"output-path"`
@ -1388,7 +1389,7 @@ func LoadConfig(filename string) (config *Config, err error) {
 		config.Accounts.VHosts.validRegexp = defaultValidVhostRegex
 	}

-	saslCapValue := "PLAIN,EXTERNAL,SCRAM-SHA-256"
+	saslCapValue := "PLAIN,SCRAM-SHA-256,EXTERNAL"
 	// TODO(#1782) clean this up:
 	if !config.Accounts.AdvertiseSCRAM {
 		saslCapValue = "PLAIN,EXTERNAL"
@ -1544,6 +1545,9 @@ func LoadConfig(filename string) (config *Config, err error) {
 	config.Server.supportedCapsWithoutSTS.Union(config.Server.supportedCaps)
 	config.Server.supportedCapsWithoutSTS.Disable(caps.STS)

+	config.Server.capValuesNoExternal = utils.CopyMap(config.Server.capValues)
+	config.Server.capValuesNoExternal[caps.SASL] = strings.TrimSuffix(saslCapValue, ",EXTERNAL")
+
 	return config, nil
 }