File

mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default This channel binding method is now enabled when a hash is manually set in the config, or it attempts to discover the hash automatically if the value is the special string "auto". A related change to mod_c2s prevents complicated certificate lookups in the client connection hot path - this work now happens only when this channel binding method is used. I'm not aware of anything else that uses ssl_cfg (vs ssl_ctx). Rationale for disabling by default: - Minor performance impact in automatic cert detection - This method is weak against a leaked/stolen private key (other methods such as 'tls-exporter' would not be compromised in such a case) Rationale for keeping the implementation: - For some deployments, this may be the only method available (e.g. due to TLS offloading in another process/server).

local data_path = "../../data";

local vhost = {
	"accounts",
	"account_details",
	"roster",
	"vcard",
	"private",
	"blocklist",
	"privacy",
	"archive-archive",
	"offline-archive",
	"pubsub_nodes-pubsub",
	"pep-pubsub",
}
local muc = {
	"persistent",
	"config",
	"state",
	"muc_log-archive",
};

input {
	hosts = {
		["example.com"] = vhost;
		["conference.example.com"] = muc;
	};
	type = "internal";
	path = data_path;
}

output {
	type = "sql";
	driver = "SQLite3";
	database = data_path.."/prosody.sqlite";
}

--[[

input {
	type = "internal";
	path = data_path;
}
output {
	type = "sql";
	driver = "SQLite3";
	database = data_path.."/prosody.sqlite";
}

]]