prosody
1bfd238e05ad
plugins/mod_saslauth.lua
Software / code / prosody
Comparison
plugins/mod_saslauth.lua @ 11212:1bfd238e05ad 0.11
mod_saslauth: Disable 'tls-unique' channel binding with TLS 1.3 (closes #1542)
The 'tls-unique' channel binding is undefined in TLS 1.3 according to a
single sentence in parenthesis in Apendix C of RFC 8446
This may trigger downgrade protection in clients that were expecting
channel binding to be available.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Mon, 23 Nov 2020 21:42:52 +0100 |
| parent | 8513:c6be9bbd0a1a |
| child | 11213:992c4498a1e3 |
comparison
equal
deleted
inserted
replaced
| 11210:75636bf13bf0 | 11212:1bfd238e05ad |
|---|---|
| 250 if origin.encrypted then | 250 if origin.encrypted then |
| 251 -- check wether LuaSec has the nifty binding to the function needed for tls-unique | 251 -- check wether LuaSec has the nifty binding to the function needed for tls-unique |
| 252 -- FIXME: would be nice to have this check only once and not for every socket | 252 -- FIXME: would be nice to have this check only once and not for every socket |
| 253 if sasl_handler.add_cb_handler then | 253 if sasl_handler.add_cb_handler then |
| 254 local socket = origin.conn:socket(); | 254 local socket = origin.conn:socket(); |
| 255 if socket.getpeerfinished then | 255 local info = socket.info and socket:info(); |
| 256 if info.protocol == "TLSv1.3" then | |
| 257 log("debug", "Channel binding 'tls-unique' undefined in context of TLS 1.3"); | |
| 258 elseif socket.getpeerfinished then | |
| 256 sasl_handler:add_cb_handler("tls-unique", tls_unique); | 259 sasl_handler:add_cb_handler("tls-unique", tls_unique); |
| 257 end | 260 end |
| 258 sasl_handler["userdata"] = { | 261 sasl_handler["userdata"] = { |
| 259 ["tls-unique"] = socket; | 262 ["tls-unique"] = socket; |
| 260 }; | 263 }; |
