authordequis <dx@dxzone.com.ar>2015-07-30 00:20:30 -0300
committerdequis <dx@dxzone.com.ar>2015-07-30 00:20:30 -0300
commit91dd19caf16790c3b77818f8efd6cabaca209ecf (patch)
treeaa7cff61ad891ed62461056bfd35fbfdcf0f257f /protocols
parentadec7492dd1ed55e12dfb959414a9a2c3605deed (diff)
Only try DIGEST-MD5 if there's no SSL/TLS or if PLAIN isn't supported
Which in practice means "don't bother with DIGEST-MD5 most of the time". It's weak, pointless over TLS, and often breaks with some servers (hi openfire)
Diffstat (limited to 'protocols')
-rw-r--r--protocols/jabber/sasl.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/protocols/jabber/sasl.c b/protocols/jabber/sasl.c
index beb53fdd..86f428c9 100644
--- a/protocols/jabber/sasl.c
+++ b/protocols/jabber/sasl.c
@@ -153,7 +153,11 @@ xt_status sasl_pkt_mechanisms(struct xt_node *node, gpointer data)
imc_logout(ic, FALSE);
xt_free_node(reply);
return XT_ABORT;
- } else if (sup_digest) {
+ } else if (sup_digest && !(jd->ssl && sup_plain)) {
+ /* Only try DIGEST-MD5 if there's no SSL/TLS or if PLAIN isn't supported.
+ * Which in practice means "don't bother with DIGEST-MD5 most of the time".
+ * It's weak, pointless over TLS, and often breaks with some servers (hi openfire) */
+
xt_add_attr(reply, "mechanism", "DIGEST-MD5");
/* The rest will be done later, when we receive a <challenge/>. */