Updated sts_handle_capability to return FALSE after logging the no‑TLS warning, so the insecure upgrade path doesn’t stop capability negotiation; it still returns TRUE only when an STS upgrade/reconnect is initiated or already in progress.

Confirmed inbound_cap_ls only returns early when sts_upgrade_triggered is set by sts_handle_capability, which now only happens for real upgrade/reconnect initiation or in‑progress upgrades.
2026-03-10 07:50:19 +00:00 · 2026-02-04 12:42:04 -07:00
parent 2ecf1c18fb
commit 3d030a96b7
1 changed files with 2 additions and 1 deletions
--- a/src/common/sts.c
+++ b/src/common/sts.c
@@ -588,12 +588,13 @@ sts_handle_capability (struct server *serv, const char *value)
 			serv->disconnect (serv->server_session, FALSE, -1);
 			serv->connect (serv, host_copy, (int) port, serv->no_login);
 		}
+		return TRUE;
 #else
 		PrintTextf (serv->server_session,
 					_("STS upgrade requested for %s, but TLS is not available.\n"),
 					hostname);
+		return FALSE;
 #endif
-		return TRUE;
 	}

 	if (!has_duration)