#1006 prosody 0.10 does not handle s2s SASL EXTERNAL error gracefully
What steps will reproduce the problem?
1. use self-signed certificate (or otherwise "invalid" cert, e.g. CACert as it got removed from Debian's default CA list)
2. establish s2s connection to server offering SASL EXTERNAL
What is the expected output?
Some other authentication mechanism than "EXTERNAL" succeeds.
What do you see instead?
Prosody is closing the connection after receiving an error from the remote side.
What version of the product are you using? On what operating system?
prosody-0.10, Debian stretch
Please provide any additional information below.
I don't know what the correct behaviour would be. According to [XEP-0178] the EXTERNAL authentication should fail if the certificate can not be validated. On the other hand a [discussion on a mailing list] indicates that EXTERNAL should only be offered by the remote server if the certificate has been validated successfully. Unfortunately, prosody can change the behaviour of the remote server and at least ejabberd offers "EXTERNAL" unconditionally and fails after validating the certificate.
Prior to prosody-0.10 everything worked, because prosody was falling back to dns dialback. This fallback was removed in changeset .
Prosody is following the XEP here. ejabberd is not.
We made Prosody follow the XEP more strictly in 0.10, but ejabberd went in the opposite direction.
According to ancient scrolls of wisdom, we removed the fallback becasue ejabberd simply closed the connection when we attempted it, which caused problems. Since then, ejabberd has apparently stopped that.
Reverted in https://hg.prosody.im/0.10/rev/e1d274001855
We may add a switch to turn this on or off.