Software / code / prosody
Annotate
net/httpserver.lua @ 13289:38c95544b7ee
mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default
This channel binding method is now enabled when a hash is manually set in the
config, or it attempts to discover the hash automatically if the value is the
special string "auto".
A related change to mod_c2s prevents complicated certificate lookups in the
client connection hot path - this work now happens only when this channel
binding method is used. I'm not aware of anything else that uses ssl_cfg (vs
ssl_ctx).
Rationale for disabling by default:
- Minor performance impact in automatic cert detection
- This method is weak against a leaked/stolen private key (other methods such
as 'tls-exporter' would not be compromised in such a case)
Rationale for keeping the implementation:
- For some deployments, this may be the only method available (e.g. due to
TLS offloading in another process/server).
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 26 Oct 2023 15:14:39 +0100 |
| parent | 12974:ba409c67353b |
| rev | line source |
|---|---|
|
4784
e10b623ccecb
net.httpserver: Add compatibility stub
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 -- COMPAT w/pre-0.9 |
|
12974
ba409c67353b
net: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
8679
diff
changeset
|
2 local log = require "prosody.util.logger".init("net.httpserver"); |
|
4784
e10b623ccecb
net.httpserver: Add compatibility stub
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 local traceback = debug.traceback; |
|
e10b623ccecb
net.httpserver: Add compatibility stub
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 |
|
6780
647adfd8f738
net.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
4797
diff
changeset
|
5 local _ENV = nil; |
|
8555
4f0f5b49bb03
vairious: Add annotation when an empty environment is set [luacheck]
Kim Alvefur <zash@zash.se>
parents:
7359
diff
changeset
|
6 -- luacheck: std none |
|
4784
e10b623ccecb
net.httpserver: Add compatibility stub
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
7 |
|
8679
adc17a2bd6fd
net.httpserver: Make function local, fixes loading since there is no environment [luacheck]
Kim Alvefur <zash@zash.se>
parents:
8555
diff
changeset
|
8 local function fail() |
|
7359
a5a080c12c96
Update every link to the documentation to use HTTPS
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
6780
diff
changeset
|
9 log("error", "Attempt to use legacy HTTP API. For more info see https://prosody.im/doc/developers/legacy_http"); |
|
4784
e10b623ccecb
net.httpserver: Add compatibility stub
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 log("error", "Legacy HTTP API usage, %s", traceback("", 2)); |
|
e10b623ccecb
net.httpserver: Add compatibility stub
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 end |
|
e10b623ccecb
net.httpserver: Add compatibility stub
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
12 |
|
6780
647adfd8f738
net.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
4797
diff
changeset
|
13 return { |
|
647adfd8f738
net.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
4797
diff
changeset
|
14 new = fail; |
|
647adfd8f738
net.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
4797
diff
changeset
|
15 new_from_config = fail; |
|
647adfd8f738
net.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
4797
diff
changeset
|
16 set_default_handler = fail; |
|
647adfd8f738
net.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
4797
diff
changeset
|
17 }; |
