Software / code / prosody
Changeset
11212:1bfd238e05ad 0.11
mod_saslauth: Disable 'tls-unique' channel binding with TLS 1.3 (closes #1542)
The 'tls-unique' channel binding is undefined in TLS 1.3 according to a
single sentence in parenthesis in Apendix C of RFC 8446
This may trigger downgrade protection in clients that were expecting
channel binding to be available.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Mon, 23 Nov 2020 21:42:52 +0100 |
| parents | 11210:75636bf13bf0 |
| children | 11213:992c4498a1e3 |
| files | plugins/mod_saslauth.lua |
| diffstat | 1 files changed, 4 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/plugins/mod_saslauth.lua Mon Nov 23 20:38:51 2020 +0000 +++ b/plugins/mod_saslauth.lua Mon Nov 23 21:42:52 2020 +0100 @@ -252,7 +252,10 @@ -- FIXME: would be nice to have this check only once and not for every socket if sasl_handler.add_cb_handler then local socket = origin.conn:socket(); - if socket.getpeerfinished then + local info = socket.info and socket:info(); + if info.protocol == "TLSv1.3" then + log("debug", "Channel binding 'tls-unique' undefined in context of TLS 1.3"); + elseif socket.getpeerfinished then sasl_handler:add_cb_handler("tls-unique", tls_unique); end sasl_handler["userdata"] = {
