From 6e31981b3f9b1253c31d58216017f150b5c0f709 Mon Sep 17 00:00:00 2001
From: Timo Sirainen
Date: Sat, 5 Nov 2022 01:10:57 +0200
Subject: [PATCH] login-common: ssl=required now requires TLS also for trusted connections
---
 src/login-common/client-common.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/login-common/client-common.c b/src/login-common/client-common.c
index 5d2991726a..fc837a4999 100644
--- a/src/login-common/client-common.c
+++ b/src/login-common/client-common.c
@@ -233,9 +233,14 @@ client_alloc(int fd, pool_t pool,
 client->end_client_tls_secured = conn->haproxy.ssl;
 client->local_name = conn->haproxy.hostname;
 client->client_cert_common_name = conn->haproxy.cert_common_name;
- } else {
- client->connection_secured = client->connection_trusted ||
- net_ip_compare(&conn->real_remote_ip, &conn->real_local_ip);
+ } else if (net_ip_compare(&conn->real_remote_ip, &conn->real_local_ip)) {
+ /* localhost connections are always secured */
+ client->connection_secured = TRUE;
+ } else if (client->connection_trusted &&
+ strcmp(client->ssl_set->ssl, "required") != 0) {
+ /* Connections from login_trusted_networks are assumed to be
+ secured, except if ssl=required. */
+ client->connection_secured = TRUE;
 }
 
 client->proxy_ttl = LOGIN_PROXY_TTL;
-- 
2.47.3
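Review bot: In the new `else if (client->connection_trusted && strcmp(client->ssl_set->ssl, "required") != 0)` branch, `connection_secured` is only ever assigned TRUE, so a trusted-network client under ssl=required now keeps whatever value the field held before this chain, whereas the removed `else` assigned it unconditionally. If the allocation does not zero the struct (not visible in this hunk) that is a stale-value risk, and even if it does, closing the chain with an explicit `} else { client->connection_secured = FALSE; }` makes the intended "not secured" outcome obvious and keeps every path of the chain assigning the field. Note also that the first new branch still marks any connection whose remote IP equals the local IP as secured regardless of ssl=required, so the subject line's "requires TLS also for trusted connections" should document that exception, e.g. extend the comment to `/* localhost connections are always secured, even with ssl=required */`. client_alloc starts and ends outside the hunk.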