File

mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default This channel binding method is now enabled when a hash is manually set in the config, or it attempts to discover the hash automatically if the value is the special string "auto". A related change to mod_c2s prevents complicated certificate lookups in the client connection hot path - this work now happens only when this channel binding method is used. I'm not aware of anything else that uses ssl_cfg (vs ssl_ctx). Rationale for disabling by default: - Minor performance impact in automatic cert detection - This method is weak against a leaked/stolen private key (other methods such as 'tls-exporter' would not be compromised in such a case) Rationale for keeping the implementation: - For some deployments, this may be the only method available (e.g. due to TLS offloading in another process/server).

-- Prosody IM
-- Copyright (C) 2008-2011 Florian Zeitz
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--
-- luacheck: ignore 113/setfenv 113/loadstring

local load = load;
local io_open = io.open;

local function envload(code, source, env)
	return load(code, source, nil, env);
end

local function envloadfile(file, env)
	local fh, err, errno = io_open(file);
	if not fh then return fh, err, errno; end
	local f, err = load(fh:lines(2048), "@" .. file, nil, env);
	fh:close();
	return f, err;
end

return { envload = envload, envloadfile = envloadfile };