From 65f43a4fc40d1108cd8e0fddf27512e1b618bf51 Mon Sep 17 00:00:00 2001
From: Simon Arlott
Date: Sun, 24 Apr 2016 11:49:21 +0100
Subject: [PATCH] ircd: Don't try to connect to servers that we know have an invalid fingerprint

This just causes an unnecessary link/squit on the other server.
---
 ircd/s_serv.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/ircd/s_serv.c b/ircd/s_serv.c
index ac1737dd..734efb9e 100644
--- a/ircd/s_serv.c
+++ b/ircd/s_serv.c
@@ -1257,6 +1257,18 @@ serv_connect_callback(rb_fde_t *F, int status, void *data)
 return;
 }
+ if(server_p->certfp && (!client_p->certfp || rb_strcasecmp(server_p->certfp, client_p->certfp) != 0))
+ {
+ sendto_realops_snomask(SNO_GENERAL, is_remote_connect(client_p) ? L_NETWIDE : L_ALL,
+ "Connection to %s has invalid certificate fingerprint %s",
+ client_p->name, client_p->certfp);
+ ilog(L_SERVER, "Access denied, invalid certificate fingerprint %s from %s",
+ client_p->certfp, log_client_name(client_p, SHOW_IP));
+
+ exit_client(client_p, client_p, &me, "Invalid fingerprint.");
+ return;
+ }
+
 /* Next, send the initial handshake */
 SetHandshake(client_p);
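Review bot: In the added rejection branch, `client_p->certfp` can be NULL (the `!client_p->certfp` arm of the condition) and is then passed to `%s` in both the `sendto_realops_snomask` and the `ilog` call. Whether the project's formatter tolerates a NULL string argument is not visible from this hunk; with a standard printf-family implementation it is undefined behaviour. I would add `const char *fp = client_p->certfp ? client_p->certfp : "<none>";` before the two calls and pass `fp` to both, which also lets operators tell a peer that presented no certificate from one whose fingerprint does not match. `server_p` is set up outside the hunk and the body of serv_connect_callback continues past it, so this assumes the peer's fingerprint is already populated when the callback runs.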