From d79cb13fd59c9cc01d5e26b006dccb7a0a9668d0 Mon Sep 17 00:00:00 2001
From: Timo Sirainen
Date: Thu, 22 Dec 2022 12:12:11 +0200
Subject: [PATCH] login-common: Disconnect reason - Check for missing SSL certs before auth attempts
---
 src/login-common/client-common.c | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/src/login-common/client-common.c b/src/login-common/client-common.c
index 33e42d4370..e962537b96 100644
--- a/src/login-common/client-common.c
+++ b/src/login-common/client-common.c
@@ -1110,19 +1110,23 @@ const char *client_get_extra_disconnect_reason(struct client *client)
  unsigned int auth_secs = client->auth_first_started == 0 ? 0 :
  ioloop_time - client->auth_first_started;
 
- if (client->set->auth_ssl_require_client_cert &&
- client->ssl_iostream != NULL) {
+ if (!client->notified_auth_ready)
+ return t_strdup_printf(
+ "disconnected before auth was ready, waited %u secs",
+ (unsigned int)(ioloop_time - client->created.tv_sec));
+
+ /* Check for missing client SSL certificates before auth attempts.
+ We may have advertised LOGINDISABLED, which would have prevented
+ client from even attempting to authenticate. */
+ if (client->set->auth_ssl_require_client_cert) {
+ if (client->ssl_iostream == NULL)
+ return "cert required, client didn't start TLS";
  if (ssl_iostream_has_broken_client_cert(client->ssl_iostream))
  return "client sent an invalid cert";
  if (!ssl_iostream_has_valid_client_cert(client->ssl_iostream))
  return "client didn't send a cert";
  }
 
- if (!client->notified_auth_ready)
- return t_strdup_printf(
- "disconnected before auth was ready, waited %u secs",
- (unsigned int)(ioloop_time - client->created.tv_sec));
-
  if (client->auth_attempts == 0) {
  if (!client->banner_sent) {
  /* disconnected by a plugin */
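Review bot: Moving the `client->ssl_iostream == NULL` check ahead of the `auth_attempts` branches changes what gets logged for a plaintext client that ignored LOGINDISABLED and still attempted to authenticate: it is now reported as "cert required, client didn't start TLS", and the attempt count and "waited %u secs" timing from the later branches presumably no longer appear in the disconnect reason, which is the case the removed comment in the second hunk ("some auth attempts without SSL/TLS") used to cover. If operators rely on that count for log triage, consider folding it into the message, e.g. `return t_strdup_printf("cert required, client didn't start TLS (%u auth attempts)", client->auth_attempts);`, assuming auth_attempts is unsigned — its declaration is not visible here. The new three-line comment could also say explicitly that these cert reasons deliberately take precedence over the auth-attempt reasons that follow, since that ordering is the point of the change. client_get_extra_disconnect_reason begins before this hunk and continues past it.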
@@ -1132,11 +1136,6 @@ const char *client_get_extra_disconnect_reason(struct client *client)
  (unsigned int)(ioloop_time - client->created.tv_sec));
  }
 
- /* some auth attempts without SSL/TLS */
- if (client->set->auth_ssl_require_client_cert &&
- client->ssl_iostream == NULL)
- return "cert required, client didn't start TLS";
-
  if (client->auth_client_continue_pending && client->auth_attempts == 1) {
  return t_strdup_printf("client didn't finish SASL auth, "
  "waited %u secs", auth_secs);
-- 
2.47.3