This series introduces support for SASL-External (over TLS) as mandated by RFC6120 and adds ability to use TLS-Offload (eg with ha-proxy or nginx) which could be used for XEP-0368. That is similar to LegacySSL but with ability to delegate SSL (pretend it is enabled). To maintain at least some security it's done only for unix-domain sockets (so offloader should run on the same machine).
Additionally introduces some new controls over TLS (min proto now configurable, cert+key pair is validated before attempting to use it) and to force ssl over s2s.
Finally some fixes in IQ::reply (for s2s we need to deliver), Log (utf8 over socket) and tests.
This series introduces support for SASL-External (over TLS) as mandated by RFC6120 and adds ability to use TLS-Offload (eg with ha-proxy or nginx) which could be used for XEP-0368. That is similar to LegacySSL but with ability to delegate SSL (pretend it is enabled). To maintain at least some security it's done only for unix-domain sockets (so offloader should run on the same machine). Additionally introduces some new controls over TLS (min proto now configurable, cert+key pair is validated before attempting to use it) and to force ssl over s2s. Finally some fixes in IQ::reply (for s2s we need to deliver), Log (utf8 over socket) and tests.