mirrors/prosody
1
0
Fork 0
mirror of https://github.com/bjc/prosody.git synced 2025-04-03 21:27:38 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

mod_saslauth: Disable 'tls-unique' channel binding with TLS 1.3 (closes #1542)

Browse source 
The 'tls-unique' channel binding is undefined in TLS 1.3 according to a
single sentence in parenthesis in Apendix C of RFC 8446

This may trigger downgrade protection in clients that were expecting
channel binding to be available.
This commit is contained in:
Kim Alvefur 2020-11-23 21:42:52 +01:00
parent 6d9006436e
commit cc0e5dc34b
1 changed files with 4 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

5
plugins/mod_saslauth.lua
View file

@ -252,7 +252,10 @@ module:hook("stream-features", function(event)
-- FIXME: would be nice to have this check only once and not for every socket
if sasl_handler.add_cb_handler then
local socket = origin.conn:socket();
if socket.getpeerfinished then
local info = socket.info and socket:info();
if info.protocol == "TLSv1.3" then
log("debug", "Channel binding 'tls-unique' undefined in context of TLS 1.3");
elseif socket.getpeerfinished then
sasl_handler:add_cb_handler("tls-unique", tls_unique);
end
sasl_handler["userdata"] = {