prosody
38c95544b7ee
plugins/mod_c2s.lua
Software / code / prosody
Comparison
plugins/mod_c2s.lua @ 13289:38c95544b7ee
mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default
This channel binding method is now enabled when a hash is manually set in the
config, or it attempts to discover the hash automatically if the value is the
special string "auto".
A related change to mod_c2s prevents complicated certificate lookups in the
client connection hot path - this work now happens only when this channel
binding method is used. I'm not aware of anything else that uses ssl_cfg (vs
ssl_ctx).
Rationale for disabling by default:
- Minor performance impact in automatic cert detection
- This method is weak against a leaked/stolen private key (other methods such
as 'tls-exporter' would not be compromised in such a case)
Rationale for keeping the implementation:
- For some deployments, this may be the only method available (e.g. due to
TLS offloading in another process/server).
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 26 Oct 2023 15:14:39 +0100 |
| parent | 13280:cf8a6710c91c |
| child | 13384:57ad1dfd8e8b |
comparison
equal
deleted
inserted
replaced
| 13288:9a371b046e58 | 13289:38c95544b7ee |
|---|---|
| 9 module:set_global(); | 9 module:set_global(); |
| 10 | 10 |
| 11 local add_task = require "prosody.util.timer".add_task; | 11 local add_task = require "prosody.util.timer".add_task; |
| 12 local new_xmpp_stream = require "prosody.util.xmppstream".new; | 12 local new_xmpp_stream = require "prosody.util.xmppstream".new; |
| 13 local nameprep = require "prosody.util.encodings".stringprep.nameprep; | 13 local nameprep = require "prosody.util.encodings".stringprep.nameprep; |
| 14 local certmanager = require "prosody.core.certmanager"; | |
| 15 local sessionmanager = require "prosody.core.sessionmanager"; | 14 local sessionmanager = require "prosody.core.sessionmanager"; |
| 16 local statsmanager = require "prosody.core.statsmanager"; | 15 local statsmanager = require "prosody.core.statsmanager"; |
| 17 local st = require "prosody.util.stanza"; | 16 local st = require "prosody.util.stanza"; |
| 18 local pm_get_tls_config_at = require "core.portmanager".get_tls_config_at; | |
| 19 local sm_new_session, sm_destroy_session = sessionmanager.new_session, sessionmanager.destroy_session; | 17 local sm_new_session, sm_destroy_session = sessionmanager.new_session, sessionmanager.destroy_session; |
| 20 local uuid_generate = require "prosody.util.uuid".generate; | 18 local uuid_generate = require "prosody.util.uuid".generate; |
| 21 local async = require "prosody.util.async"; | 19 local async = require "prosody.util.async"; |
| 22 local runner = async.runner; | 20 local runner = async.runner; |
| 23 | 21 |
| 307 | 305 |
| 308 -- Client is using Direct TLS or legacy SSL (otherwise mod_tls sets this flag) | 306 -- Client is using Direct TLS or legacy SSL (otherwise mod_tls sets this flag) |
| 309 if conn:ssl() then | 307 if conn:ssl() then |
| 310 session.secure = true; | 308 session.secure = true; |
| 311 session.encrypted = true; | 309 session.encrypted = true; |
| 312 | |
| 313 local server = conn:server(); | |
| 314 local tls_config = pm_get_tls_config_at(server:ip(), server:serverport()); | |
| 315 local autocert = certmanager.find_host_cert(session.conn:socket():getsniname()); | |
| 316 session.ssl_cfg = autocert or tls_config; | |
| 317 session.ssl_ctx = conn:sslctx(); | 310 session.ssl_ctx = conn:sslctx(); |
| 318 | 311 |
| 319 -- Check if TLS compression is used | 312 -- Check if TLS compression is used |
| 320 local info = conn:ssl_info(); | 313 local info = conn:ssl_info(); |
| 321 if type(info) == "table" then | 314 if type(info) == "table" then |
