prosody
38c95544b7ee
plugins/mod_saslauth.lua
Software / code / prosody
Comparison
plugins/mod_saslauth.lua @ 13289:38c95544b7ee
mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default
This channel binding method is now enabled when a hash is manually set in the
config, or it attempts to discover the hash automatically if the value is the
special string "auto".
A related change to mod_c2s prevents complicated certificate lookups in the
client connection hot path - this work now happens only when this channel
binding method is used. I'm not aware of anything else that uses ssl_cfg (vs
ssl_ctx).
Rationale for disabling by default:
- Minor performance impact in automatic cert detection
- This method is weak against a leaked/stolen private key (other methods such
as 'tls-exporter' would not be compromised in such a case)
Rationale for keeping the implementation:
- For some deployments, this may be the only method available (e.g. due to
TLS offloading in another process/server).
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 26 Oct 2023 15:14:39 +0100 |
| parent | 13288:9a371b046e58 |
| child | 13290:c5767b7528ac |
comparison
equal
deleted
inserted
replaced
| 13288:9a371b046e58 | 13289:38c95544b7ee |
|---|---|
| 17 local hex = require "prosody.util.hex"; | 17 local hex = require "prosody.util.hex"; |
| 18 local pem2der = require"util.x509".pem2der; | 18 local pem2der = require"util.x509".pem2der; |
| 19 local hashes = require"util.hashes"; | 19 local hashes = require"util.hashes"; |
| 20 local ssl = require "ssl"; -- FIXME Isolate LuaSec from the rest of the code | 20 local ssl = require "ssl"; -- FIXME Isolate LuaSec from the rest of the code |
| 21 | 21 |
| 22 local certmanager = require "core.certmanager"; | |
| 23 local pm_get_tls_config_at = require "prosody.core.portmanager".get_tls_config_at; | |
| 22 local usermanager_get_sasl_handler = require "prosody.core.usermanager".get_sasl_handler; | 24 local usermanager_get_sasl_handler = require "prosody.core.usermanager".get_sasl_handler; |
| 23 | 25 |
| 24 local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", true)); | 26 local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", true)); |
| 25 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) | 27 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) |
| 26 local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"}); | 28 local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"}); |
| 328 sasl_handler:add_cb_handler("tls-unique", tls_unique); | 330 sasl_handler:add_cb_handler("tls-unique", tls_unique); |
| 329 channel_bindings:add("tls-unique"); | 331 channel_bindings:add("tls-unique"); |
| 330 else | 332 else |
| 331 log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)"); | 333 log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)"); |
| 332 end | 334 end |
| 333 local certfile = origin.ssl_cfg and origin.ssl_cfg.certificate; | 335 |
| 334 -- FIXME .ssl_cfg is set by mod_tls and thus only available with starttls | 336 local certfile; |
| 335 if tls_server_end_point_hash then | 337 if tls_server_end_point_hash == "auto" then |
| 338 local ssl_cfg = origin.ssl_cfg; | |
| 339 if not ssl_cfg then | |
| 340 local server = origin.conn:server(); | |
| 341 local tls_config = pm_get_tls_config_at(server:ip(), server:serverport()); | |
| 342 local autocert = certmanager.find_host_cert(origin.conn:socket():getsniname()); | |
| 343 ssl_cfg = autocert or tls_config; | |
| 344 end | |
| 345 | |
| 346 certfile = ssl_cfg and ssl_cfg.certificate; | |
| 347 if certfile then | |
| 348 log("debug", "Channel binding 'tls-server-end-point' can be offered based on the certificate used"); | |
| 349 sasl_handler:add_cb_handler("tls-server-end-point", tls_server_end_point); | |
| 350 channel_bindings:add("tls-server-end-point"); | |
| 351 else | |
| 352 log("debug", "Channel binding 'tls-server-end-point' set to 'auto' but cannot determine cert"); | |
| 353 end | |
| 354 elseif tls_server_end_point_hash then | |
| 336 log("debug", "Channel binding 'tls-server-end-point' can be offered with the configured certificate hash"); | 355 log("debug", "Channel binding 'tls-server-end-point' can be offered with the configured certificate hash"); |
| 337 sasl_handler:add_cb_handler("tls-server-end-point", tls_server_end_point); | 356 sasl_handler:add_cb_handler("tls-server-end-point", tls_server_end_point); |
| 338 channel_bindings:add("tls-server-end-point"); | 357 channel_bindings:add("tls-server-end-point"); |
| 339 elseif certfile then | |
| 340 log("debug", "Channel binding 'tls-server-end-point' can be offered based on the certificate used"); | |
| 341 sasl_handler:add_cb_handler("tls-server-end-point", tls_server_end_point); | |
| 342 channel_bindings:add("tls-server-end-point"); | |
| 343 end | 358 end |
| 359 | |
| 344 sasl_handler["userdata"] = { | 360 sasl_handler["userdata"] = { |
| 345 ["tls-unique"] = origin.conn; | 361 ["tls-unique"] = origin.conn; |
| 346 ["tls-exporter"] = origin.conn; | 362 ["tls-exporter"] = origin.conn; |
| 347 ["tls-server-end-point-cert"] = certfile; | 363 ["tls-server-end-point-cert"] = certfile; |
| 348 ["tls-server-end-point-conn"] = origin.conn; | 364 ["tls-server-end-point-conn"] = origin.conn; |
