#1381 Dialback without dialback arbitrary host impersonation

Reporter Zash
Owner Zash
Created
Updated
Stars ★ (1)
Tags
  • Status-Fixed
  • Security
  • Type-Defect
  • Milestone-0.11
  • Priority-High
  1. Zash on

    What steps will reproduce the problem?
    0. A remote server with `dialback_without_dialback = true` set
    1. Establish outgoing s2s connection with certificate authentication
    2. Send <db:result id='x' to="victim.example" from="impersonated.example"/>

    What is the expected output?
    Rejected because no valid certificate for 'impersonated.example' and eventually failed dialback.

    What do you see instead?
    <db:result id='x' type='valid' to='impersonated.example' from='victim.example'/>

    What version of the product are you using?
    Affects 0.10.0 until current trunk.

    Please provide any additional information below.
    mod_dialback with d-w-d enabled passes the hostname to be authenticated to the function `check_cert_status(session)`, which uses `session.from_host` or `.to_host` as the identity to validate the certificate against. Thus, if this is done on a connection already authenticated via certificate, future attempts will always succeed.

  2. Zash on

    Whole D-W-D feature removed in https://hg.prosody.im/trunk/rev/d0e9ffccdef9
    A fix can be seen in https://hg.prosody.im/trunk/rev/6be890ca492e but overall confidence with the workings of the feature, along with low likelihood of being used, led us to remove it instead.

    Changes
    • owner Zash
    • tags Hidden Milestone-0.11 Status-Fixed
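The defect described in the first comment is an identity-binding mistake: the certificate check is run against a hostname taken from the already-authenticated session rather than against the hostname the peer asserts in the `<db:result from=...>` being validated. The following model, added here as an illustration and not Prosody's own code, puts the flawed check beside a corrected one and feeds both the stanza from the report. The `Session` class, the `check_cert_status_*` functions, the `remote.example` hostname and the `xmlns:db` declaration on the stanza (the dialback namespace from XEP-0220, needed so the XML parser accepts the `db:` prefix) are all constructed for the example.

```python
# Added example modelling the identity-binding defect described in this issue.
# Not Prosody code: Session, the hostnames and the stanza text are constructed.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Optional

DIALBACK_NS = "jabber:server:dialback"  # dialback namespace (XEP-0220)


@dataclass(frozen=True)
class Session:
    """An authenticated s2s link. cert_names holds the identities the peer's
    certificate chain was successfully validated for when the link came up."""
    from_host: str
    to_host: str
    cert_names: frozenset
    cert_chain_valid: bool = True


def check_cert_status_flawed(session: Session, _claimed_from: str) -> bool:
    # Mirrors the report: the identity compared against the certificate is the
    # host already on the session, so the db:result 'from' value is ignored.
    identity = session.from_host
    return session.cert_chain_valid and identity in session.cert_names


def check_cert_status_fixed(session: Session, claimed_from: str) -> bool:
    # The name that must be covered by the certificate is the one the peer is
    # asserting in this particular db:result, not whatever the session already is.
    return session.cert_chain_valid and claimed_from in session.cert_names


def handle_db_result(session: Session, stanza: str,
                     check: Callable[[Session, str], bool]) -> Optional[dict]:
    """Return the attributes of the <db:result type='valid'/> that d-w-d would
    answer with, or None when the stanza has to go through full dialback."""
    el = ET.fromstring(stanza)
    if el.tag != f"{{{DIALBACK_NS}}}result":
        raise ValueError("not a dialback result")
    to, frm = el.get("to"), el.get("from")
    if check(session, frm):
        # Same shape as the reply quoted in the report: to/from swapped.
        return {"type": "valid", "to": frm, "from": to, "id": el.get("id")}
    return None


# Constructed scenario: the link was authenticated with a certificate for
# remote.example only, and the victim is the local side.
SESSION = Session(from_host="remote.example", to_host="victim.example",
                  cert_names=frozenset({"remote.example"}))

IMPERSONATION = ("<db:result xmlns:db='jabber:server:dialback' id='x' "
                 "to='victim.example' from='impersonated.example'/>")
LEGITIMATE = ("<db:result xmlns:db='jabber:server:dialback' id='y' "
              "to='victim.example' from='remote.example'/>")


def demo() -> dict:
    """Run both checks over the constructed stanzas."""
    return {
        "flawed_impersonation": handle_db_result(SESSION, IMPERSONATION, check_cert_status_flawed),
        "fixed_impersonation": handle_db_result(SESSION, IMPERSONATION, check_cert_status_fixed),
        "fixed_legitimate": handle_db_result(SESSION, LEGITIMATE, check_cert_status_fixed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

With the flawed check the impersonation stanza is answered `type='valid'` for `impersonated.example`, exactly the reply quoted in the report; with the corrected check the same stanza gets no shortcut answer and falls back to full dialback, while a `from` that the certificate actually covers still succeeds. The general lesson is that a certificate-based shortcut must bind the certificate to the name being asserted in the current request, never to a name validated earlier on the same connection.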
