Matthew Wild <mwild1@gmail.com> [Thu, 26 Oct 2023 15:14:39 +0100] rev 13293
mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default
This channel binding method is now enabled when a hash is manually set in the
config, or it attempts to discover the hash automatically if the value is the
special string "auto".
A related change to mod_c2s prevents complicated certificate lookups in the
client connection hot path - this work now happens only when this channel
binding method is used. I'm not aware of anything else that uses ssl_cfg (vs
ssl_ctx).
Rationale for disabling by default:
- Minor performance impact in automatic cert detection
- This method is weak against a leaked/stolen private key (other methods such
  as 'tls-exporter' would not be compromised in such a case)
Rationale for keeping the implementation:
- For some deployments, this may be the only method available (e.g. due to
  TLS offloading in another process/server).
Matthew Wild <mwild1@gmail.com> [Thu, 26 Oct 2023 14:40:48 +0100] rev 13292
mod_saslauth: Fix traceback in tls-server-end-point channel binding
Kim Alvefur <zash@zash.se> [Thu, 26 Oct 2023 13:29:28 +0200] rev 13291
mod_admin_shell: Make 'Role' column dynamically sized
Some of the new roles don't quite fit nicely into 4 characters
(excluding ellipsis). Given the ability to dynamically add additional
roles from the config and possibly from modules, it seems better to just
make it a relative size since we can't know how long they will be.
Matthew Wild <mwild1@gmail.com> [Tue, 24 Oct 2023 09:24:01 +0100] rev 13290
mod_saslauth: Actively close cert file after reading
Explicit > implicit
Matthew Wild <mwild1@gmail.com> [Tue, 24 Oct 2023 09:23:31 +0100] rev 13289
mod_saslauth: Fix read format string (thanks tmolitor)
Kim Alvefur <zash@zash.se> [Sun, 22 Oct 2023 18:58:02 +0200] rev 13288
mod_cron: Make task frequencies configurable in overly generic manner
Requested feature for many modules, notably MAM and file sharing.
Kim Alvefur <zash@zash.se> [Sun, 22 Oct 2023 18:57:28 +0200] rev 13287
mod_cron: Fix missing restore method in Teal record definition
Kim Alvefur <zash@zash.se> [Sun, 22 Oct 2023 19:00:24 +0200] rev 13286
CHANGES: Mention 'tls-server-end-point'
Kim Alvefur <zash@zash.se> [Sun, 23 Oct 2022 02:49:05 +0200] rev 13285
mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API
MattJ contributed new APIs for retrieving the actually used certificate
and chain to LuaSec, which are not in a release at the time of this
commit.
Matthew Wild <mwild1@gmail.com> [Wed, 07 Sep 2022 11:29:00 +0100] rev 13284
mod_c2s: Add session.ssl_cfg/ssl_ctx for direct TLS connections