login-common: ssl=required now requires TLS also for trusted connections
authorTimo Sirainen <timo.sirainen@open-xchange.com>
Fri, 4 Nov 2022 23:10:57 +0000 (01:10 +0200)
committeraki.tuomi <aki.tuomi@open-xchange.com>
Wed, 16 Nov 2022 08:09:54 +0000 (08:09 +0000)
src/login-common/client-common.c

index 5d2991726a89d2a5504872e101f44f70beab3a1d..fc837a499907e624acc24b33b4d9615d10ebdcbd 100644 (file)
@@ -233,9 +233,14 @@ client_alloc(int fd, pool_t pool,
                client->end_client_tls_secured = conn->haproxy.ssl;
                client->local_name = conn->haproxy.hostname;
                client->client_cert_common_name = conn->haproxy.cert_common_name;
-       } else {
-               client->connection_secured = client->connection_trusted ||
-                       net_ip_compare(&conn->real_remote_ip, &conn->real_local_ip);
+       } else if (net_ip_compare(&conn->real_remote_ip, &conn->real_local_ip)) {
+               /* localhost connections are always secured */
+               client->connection_secured = TRUE;
+       } else if (client->connection_trusted &&
+                  strcmp(client->ssl_set->ssl, "required") != 0) {
+               /* Connections from login_trusted_networks are assumed to be
+                  secured, except if ssl=required. */
+               client->connection_secured = TRUE;
        }
        client->proxy_ttl = LOGIN_PROXY_TTL;