this seems to be the only location where the SASL authentication methods are sent to the client, so if you change it like this the server seems to be no longer able to send SASL methods. Or did I miss something?
Does this RFC also apply for s2s, there's very similar code in IncomingServerSession.java?
Ahh, then my guess would be that the SASLAuthentication.getSASLMechanisms call should be moved into the getAvailableStreamFeatures method at the same place that the iq-auth is announced.
And on the IncomingServerSession you'd need to do a similar check for 'is tls required'/'issecure', and only announce the sasl mechs if it's secure, or doesn't require tls.