author | Kim Alvefur <zash@zash.se> | 2020-11-23 21:42:52 +0100 |
---|---|---|
committer | Kim Alvefur <zash@zash.se> | 2020-11-23 21:42:52 +0100 |
commit | f994abaed6dbd21b40ecef0aec2f5ab3c6a521b9 (patch) | |
tree | 1a4da0d3d9c25be4b6cd838bbfc8eb6b47027d18 | |
parent | 15a1cfbde626b4d8fd416e28a6827899b5bf6763 (diff) | |
download | prosody-f994abaed6dbd21b40ecef0aec2f5ab3c6a521b9.tar.gz prosody-f994abaed6dbd21b40ecef0aec2f5ab3c6a521b9.zip |
mod_saslauth: Disable 'tls-unique' channel binding with TLS 1.3 (closes #1542)
The 'tls-unique' channel binding is undefined in TLS 1.3 according to a
single parenthetical sentence in Appendix C of RFC 8446
This may trigger downgrade protection in clients that were expecting
channel binding to be available.
-rw-r--r-- | plugins/mod_saslauth.lua | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua
index fba84ef8..333640fc 100644
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -252,7 +252,10 @@ module:hook("stream-features", function(event)
 -- FIXME: would be nice to have this check only once and not for every socket
 if sasl_handler.add_cb_handler then
 local socket = origin.conn:socket();
- if socket.getpeerfinished then
+ local info = socket.info and socket:info();
+ if info.protocol == "TLSv1.3" then
+ log("debug", "Channel binding 'tls-unique' undefined in context of TLS 1.3");
+ elseif socket.getpeerfinished then
 sasl_handler:add_cb_handler("tls-unique", tls_unique);
 end
 sasl_handler["userdata"] = { |
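Review bot: `info.protocol` on the new side is indexed without first checking that `info` is a table: `socket.info and socket:info()` evaluates to nil or false whenever the socket object has no `info` method, and on such a socket the stream-features handler would now raise an "attempt to index" error instead of falling through to the existing `getpeerfinished` branch as it did before. Guarding the comparison keeps the old behaviour for those sockets: `if info and info.protocol == "TLSv1.3" then`. Whether this branch is already reachable only for encrypted connections is not visible from the hunk; the enclosing `module:hook("stream-features", ...)` function starts before the hunk and continues after it. The literal `"TLSv1.3"` also ties the check to the exact protocol name the TLS backend's `info()` reports, which is worth a short comment on the new `local info` line, e.g. `-- protocol name as reported by the TLS socket's :info(); TLS 1.3 has no 'tls-unique' (RFC 8446 App. C)`.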