diff options
| author | Kim Alvefur <zash@zash.se> | 2020-11-23 21:42:52 +0100 |
|---|---|---|
| committer | Kim Alvefur <zash@zash.se> | 2020-11-23 21:42:52 +0100 |
| commit | cc0e5dc34b53f139f9149466ab68ee731915f8c7 (patch) | |
| tree | 1a4da0d3d9c25be4b6cd838bbfc8eb6b47027d18 | |
| parent | 6d9006436eda1934c307b9688607c455b6a5054c (diff) | |
| download | prosody-cc0e5dc34b53f139f9149466ab68ee731915f8c7.tar.gz prosody-cc0e5dc34b53f139f9149466ab68ee731915f8c7.zip | |
mod_saslauth: Disable 'tls-unique' channel binding with TLS 1.3 (closes #1542)
The 'tls-unique' channel binding is undefined in TLS 1.3 according to a
single sentence in parenthesis in Apendix C of RFC 8446
This may trigger downgrade protection in clients that were expecting
channel binding to be available.
| -rw-r--r-- | plugins/mod_saslauth.lua | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua index fba84ef8..333640fc 100644 --- a/plugins/mod_saslauth.lua +++ b/plugins/mod_saslauth.lua @@ -252,7 +252,10 @@ module:hook("stream-features", function(event) -- FIXME: would be nice to have this check only once and not for every socket if sasl_handler.add_cb_handler then local socket = origin.conn:socket(); - if socket.getpeerfinished then + local info = socket.info and socket:info(); + if info.protocol == "TLSv1.3" then + log("debug", "Channel binding 'tls-unique' undefined in context of TLS 1.3"); + elseif socket.getpeerfinished then sasl_handler:add_cb_handler("tls-unique", tls_unique); end sasl_handler["userdata"] = { |