prosody
38c95544b7ee
plugins/mod_c2s.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Diff

plugins/mod_c2s.lua @ 13289:38c95544b7ee

mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default This channel binding method is now enabled when a hash is manually set in the config, or it attempts to discover the hash automatically if the value is the special string "auto". A related change to mod_c2s prevents complicated certificate lookups in the client connection hot path - this work now happens only when this channel binding method is used. I'm not aware of anything else that uses ssl_cfg (vs ssl_ctx). Rationale for disabling by default: - Minor performance impact in automatic cert detection - This method is weak against a leaked/stolen private key (other methods such as 'tls-exporter' would not be compromised in such a case) Rationale for keeping the implementation: - For some deployments, this may be the only method available (e.g. due to TLS offloading in another process/server).
author Matthew Wild <mwild1@gmail.com>
date Thu, 26 Oct 2023 15:14:39 +0100
parent 13280:cf8a6710c91c
child 13384:57ad1dfd8e8b
line wrap: on
line diff
--- a/plugins/mod_c2s.lua	Thu Oct 26 14:40:48 2023 +0100
+++ b/plugins/mod_c2s.lua	Thu Oct 26 15:14:39 2023 +0100
@@ -11,11 +11,9 @@
 local add_task = require "prosody.util.timer".add_task;
 local new_xmpp_stream = require "prosody.util.xmppstream".new;
 local nameprep = require "prosody.util.encodings".stringprep.nameprep;
-local certmanager = require "prosody.core.certmanager";
 local sessionmanager = require "prosody.core.sessionmanager";
 local statsmanager = require "prosody.core.statsmanager";
 local st = require "prosody.util.stanza";
-local pm_get_tls_config_at = require "core.portmanager".get_tls_config_at;
 local sm_new_session, sm_destroy_session = sessionmanager.new_session, sessionmanager.destroy_session;
 local uuid_generate = require "prosody.util.uuid".generate;
 local async = require "prosody.util.async";
@@ -309,11 +307,6 @@
 	if conn:ssl() then
 		session.secure = true;
 		session.encrypted = true;
-
-		local server = conn:server();
-		local tls_config = pm_get_tls_config_at(server:ip(), server:serverport());
-		local autocert = certmanager.find_host_cert(session.conn:socket():getsniname());
-		session.ssl_cfg = autocert or tls_config;
 		session.ssl_ctx = conn:sslctx();
 
 		-- Check if TLS compression is used