login-common: ssl=required now requires TLS also for non-TLS/localhost haproxy connec...
authorTimo Sirainen <timo.sirainen@open-xchange.com>
Mon, 14 Nov 2022 15:07:52 +0000 (17:07 +0200)
committeraki.tuomi <aki.tuomi@open-xchange.com>
Wed, 16 Nov 2022 08:09:54 +0000 (08:09 +0000)
src/login-common/client-common.c

index fc837a499907e624acc24b33b4d9615d10ebdcbd..48e7daf0d731f2c110ff9520a6758dea9899ae9d 100644 (file)
@@ -218,8 +218,13 @@ client_alloc(int fd, pool_t pool,
 
        if (conn->haproxied) {
                /* haproxy connections are always coming from
-                  haproxy_trusted_networks, so we consider them secured. */
-               client->connection_secured = TRUE;
+                  haproxy_trusted_networks, so we consider them secured.
+                  However, ssl=required implies that the client connection is
+                  expected to be secured either via TLS or because the client
+                  is coming from localhost.  */
+               client->connection_secured = conn->haproxy.ssl ||
+                       net_ip_compare(&conn->remote_ip, &conn->local_ip) ||
+                       strcmp(client->ssl_set->ssl, "required") != 0;
                /* Assume that the connection is also TLS secured if client
                   terminated TLS connections on haproxy. If haproxy isn't
                   running on localhost, the haproxy-Dovecot connection isn't
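Review bot: The "coming from localhost" case on the new line `net_ip_compare(&conn->remote_ip, &conn->local_ip) ||` is implemented as "client address equals the address Dovecot is listening on", which is not a loopback test: a client on the same host reaching a non-loopback listener address matches it, and a loopback client reaching a different local address does not. If the intent is loopback, the check should compare against 127.0.0.0/8 and ::1 (via whatever loopback helper the net library offers) rather than against local_ip; if the equality test is the intended policy, the comment above it should say so, e.g. `/* "localhost" here means remote_ip == local_ip, not loopback */`. The added `strcmp(client->ssl_set->ssl, "required")` also presumes ssl_set->ssl is never NULL at this point — presumably guaranteed by settings parsing, but worth confirming since the old code never dereferenced it here. client_alloc() begins and continues outside this hunk.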