aboutsummaryrefslogtreecommitdiffstats
path: root/core
diff options
context:
space:
mode:
authorMatthew Wild <mwild1@gmail.com>2023-10-26 15:14:39 +0100
committerMatthew Wild <mwild1@gmail.com>2023-10-26 15:14:39 +0100
commit18db016c2f067c9886845b7fa9614f0653eb4103 (patch)
tree07e724680b5e5012c5f6f7076bf916efc8a9b432 /core
parent4cd30325230fae9ab6945c25a5b75a3b03b3d818 (diff)
downloadprosody-18db016c2f067c9886845b7fa9614f0653eb4103.tar.gz
prosody-18db016c2f067c9886845b7fa9614f0653eb4103.zip
mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default
This channel binding method is now enabled when a hash is manually set in the config, or it attempts to discover the hash automatically if the value is the special string "auto". A related change to mod_c2s prevents complicated certificate lookups in the client connection hot path - this work now happens only when this channel binding method is used. I'm not aware of anything else that uses ssl_cfg (vs ssl_ctx). Rationale for disabling by default: - Minor performance impact in automatic cert detection - This method is weak against a leaked/stolen private key (other methods such as 'tls-exporter' would not be compromised in such a case) Rationale for keeping the implementation: - For some deployments, this may be the only method available (e.g. due to TLS offloading in another process/server).
Diffstat (limited to 'core')
0 files changed, 0 insertions, 0 deletions