From 18db016c2f067c9886845b7fa9614f0653eb4103 Mon Sep 17 00:00:00 2001 From: Matthew Wild Date: Thu, 26 Oct 2023 15:14:39 +0100 Subject: mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default This channel binding method is now enabled when a hash is manually set in the config, or it attempts to discover the hash automatically if the value is the special string "auto". A related change to mod_c2s prevents complicated certificate lookups in the client connection hot path - this work now happens only when this channel binding method is used. I'm not aware of anything else that uses ssl_cfg (vs ssl_ctx). Rationale for disabling by default: - Minor performance impact in automatic cert detection - This method is weak against a leaked/stolen private key (other methods such as 'tls-exporter' would not be compromised in such a case) Rationale for keeping the implementation: - For some deployments, this may be the only method available (e.g. due to TLS offloading in another process/server). --- plugins/mod_c2s.lua | 7 ------- 1 file changed, 7 deletions(-) (limited to 'plugins/mod_c2s.lua') diff --git a/plugins/mod_c2s.lua b/plugins/mod_c2s.lua index d6c8a7b8..6587aa68 100644 --- a/plugins/mod_c2s.lua +++ b/plugins/mod_c2s.lua @@ -11,11 +11,9 @@ module:set_global(); local add_task = require "prosody.util.timer".add_task; local new_xmpp_stream = require "prosody.util.xmppstream".new; local nameprep = require "prosody.util.encodings".stringprep.nameprep; -local certmanager = require "prosody.core.certmanager"; local sessionmanager = require "prosody.core.sessionmanager"; local statsmanager = require "prosody.core.statsmanager"; local st = require "prosody.util.stanza"; -local pm_get_tls_config_at = require "core.portmanager".get_tls_config_at; local sm_new_session, sm_destroy_session = sessionmanager.new_session, sessionmanager.destroy_session; local uuid_generate = require "prosody.util.uuid".generate; local async = require "prosody.util.async"; @@ -309,11 +307,6 @@ function listener.onconnect(conn) if conn:ssl() then session.secure = true; session.encrypted = true; - - local server = conn:server(); - local tls_config = pm_get_tls_config_at(server:ip(), server:serverport()); - local autocert = certmanager.find_host_cert(session.conn:socket():getsniname()); - session.ssl_cfg = autocert or tls_config; session.ssl_ctx = conn:sslctx(); -- Check if TLS compression is used -- cgit v1.2.3