mod_tls: Record STARTTLS state so it can be shown in Shell This field can be viewed using s2s:show(nil, "... starttls") even without any special support in mod_admin_shell, which can be added later to make it nicer. One can then assume that a TLS connection with an empty / nil starttls field means Direct TLS.

net.resolvers.basic: Add opt-out argument for DNSSEC security status This makes explicit which lookups can accept an unsigned response. Insecure (unsigned, as before DNSSEC) A and AAAA records can be used as security would come from TLS, but an insecure TLSA record is worthless.

Merge 0.12->trunk

mod_storage_sql: Fix summary API with Postgres (fixes #1766) The ORDER BY and LIMIT clauses are not needed and don't even make much sense. This part was most likely a leftover from the :find method. Tested with sqlite and postgres 14

storage tests: Add test for the archive:summary API Passes with memory, internal, sqlite Fails with postgres as in #1766

mod_http_files: Log warning about legacy modules using mod_http_files It is time. Most community modules should have been adjusted to work with the new (net.http.files) way. At some point this usage should be prevented. Related to #1765

util.sasl.scram: Add 'tls-exporter' as recognised channel binding method The last missing piece of #1760, otherwise SCRAM-SHA-*-PLUS is not actually advertised.

Merge 0.12->trunk

mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760) Brings back SCRAM-SHA-*-PLUS from its hiatus brought on by the earlier channel binding method being undefined for TLS 1.3, and the increasing deployment of TLS 1.3. See 1bfd238e05ad and #1542 Requires future version of LuaSec, once support for this key material export method is merged. See https://github.com/brunoos/luasec/pull/187

mod_bookmarks: Reduce error about not having bookmarks to debug (thanks tom) This is happens if the account is new and doesn't have any bookmarks yet, which is not a problem. Rarely seen since most clients currently use the older version of XEP-0084 stored in XEP-0049 rather than in PEP, but at least one (Converse.js )does. One scenario in which this would show up often is with Converse.js as a guest chat using anonymous authentication, where all "accounts" would always be new and not have any bookmarks. This scenario probably does not need to have mod_bookmarks at all, but if enabled globally it would likely become loaded onto the VirtualHost unless explicitly disabled.