prosody
38c95544b7ee
util/watchdog.lua
Software / code / prosody
File
util/watchdog.lua @ 13289:38c95544b7ee
mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default
This channel binding method is now enabled when a hash is manually set in the
config, or it attempts to discover the hash automatically if the value is the
special string "auto".
A related change to mod_c2s prevents complicated certificate lookups in the
client connection hot path - this work now happens only when this channel
binding method is used. I'm not aware of anything else that uses ssl_cfg (vs
ssl_ctx).
Rationale for disabling by default:
- Minor performance impact in automatic cert detection
- This method is weak against a leaked/stolen private key (other methods such
as 'tls-exporter' would not be compromised in such a case)
Rationale for keeping the implementation:
- For some deployments, this may be the only method available (e.g. due to
TLS offloading in another process/server).
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 26 Oct 2023 15:14:39 +0100 |
| parent | 12975:d10957394a3c |
line wrap: on
line source
local timer = require "prosody.util.timer"; local setmetatable = setmetatable; local _ENV = nil; -- luacheck: std none local watchdog_methods = {}; local watchdog_mt = { __index = watchdog_methods }; local function new(timeout, callback) local watchdog = setmetatable({ timeout = timeout; callback = callback; timer_id = nil; }, watchdog_mt); watchdog:reset(); -- Kick things off return watchdog; end function watchdog_methods:reset(new_timeout) if new_timeout then self.timeout = new_timeout; end if self.timer_id then timer.reschedule(self.timer_id, self.timeout+1); else self.timer_id = timer.add_task(self.timeout+1, function () return self:callback(); end); end end function watchdog_methods:cancel() if self.timer_id then timer.stop(self.timer_id); self.timer_id = nil; end end return { new = new; };
