File

mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default This channel binding method is now enabled when a hash is manually set in the config, or it attempts to discover the hash automatically if the value is the special string "auto". A related change to mod_c2s prevents complicated certificate lookups in the client connection hot path - this work now happens only when this channel binding method is used. I'm not aware of anything else that uses ssl_cfg (vs ssl_ctx). Rationale for disabling by default: - Minor performance impact in automatic cert detection - This method is weak against a leaked/stolen private key (other methods such as 'tls-exporter' would not be compromised in such a case) Rationale for keeping the implementation: - For some deployments, this may be the only method available (e.g. due to TLS offloading in another process/server).

local s_char = string.char;
local s_format = string.format;
local s_gsub = string.gsub;
local s_lower = string.lower;

local char_to_hex = {};
local hex_to_char = {};

do
	local char, hex;
	for i = 0,255 do
		char, hex = s_char(i), s_format("%02x", i);
		char_to_hex[char] = hex;
		hex_to_char[hex] = char;
	end
end

local function to(s)
	return (s_gsub(s, ".", char_to_hex));
end

local function from(s)
	return (s_gsub(s_lower(s), "%X*(%x%x)%X*", hex_to_char));
end

return {
	encode = to, decode = from;
	-- COMPAT w/pre-0.12:
	to = to, from = from;
};