diff options
author | Matthew Wild <mwild1@gmail.com> | 2023-10-26 15:14:39 +0100 |
---|---|---|
committer | Matthew Wild <mwild1@gmail.com> | 2023-10-26 15:14:39 +0100 |
commit | 18db016c2f067c9886845b7fa9614f0653eb4103 (patch) | |
tree | 07e724680b5e5012c5f6f7076bf916efc8a9b432 /core | |
parent | 4cd30325230fae9ab6945c25a5b75a3b03b3d818 (diff) | |
download | prosody-18db016c2f067c9886845b7fa9614f0653eb4103.tar.gz prosody-18db016c2f067c9886845b7fa9614f0653eb4103.zip |
mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default
This channel binding method is now enabled when a hash is manually set in the
config, or it attempts to discover the hash automatically if the value is the
special string "auto".
A related change to mod_c2s prevents complicated certificate lookups in the
client connection hot path - this work now happens only when this channel
binding method is used. I'm not aware of anything else that uses ssl_cfg (vs
ssl_ctx).
Rationale for disabling by default:
- Minor performance impact in automatic cert detection
- This method is weak against a leaked/stolen private key (other methods such
as 'tls-exporter' would not be compromised in such a case)
Rationale for keeping the implementation:
- For some deployments, this may be the only method available (e.g. due to
TLS offloading in another process/server).
Diffstat (limited to 'core')
0 files changed, 0 insertions, 0 deletions