File

mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default This channel binding method is now enabled when a hash is manually set in the config, or it attempts to discover the hash automatically if the value is the special string "auto". A related change to mod_c2s prevents complicated certificate lookups in the client connection hot path - this work now happens only when this channel binding method is used. I'm not aware of anything else that uses ssl_cfg (vs ssl_ctx). Rationale for disabling by default: - Minor performance impact in automatic cert detection - This method is weak against a leaked/stolen private key (other methods such as 'tls-exporter' would not be compromised in such a case) Rationale for keeping the implementation: - For some deployments, this may be the only method available (e.g. due to TLS offloading in another process/server).

# Tombstones

[Client] Romeo
	jid: romeo@localhost
	password: password

[Client] Juliet
	jid: juliet-tombstones@localhost
	password: password

---------

Romeo connects

Juliet connects

Juliet sends:
	<iq type="set" id="bye">
		<query xmlns="jabber:iq:register">
			<remove/>
		</query>
	</iq>

# Scansion gets disconnected right after this with a stream error makes
# scansion itself abort, so we preemptively disconnect to avoid that
# Juliet receives:
#	<iq type="result" id="bye"/>

Juliet disconnects

Romeo sends:
	<presence type="probe" to="${Juliet's JID}"/>

Romeo receives:
	<presence type="error" from="${Juliet's JID}"/>

Romeo receives:
	<presence type="unsubscribed" from="${Juliet's JID}"/>