ergochat / ergo

A modern IRC server (daemon/ircd) written in Go.
https://ergo.chat/
MIT License
2.26k stars 179 forks

don't advertise SASL EXTERNAL to clients who aren't using native TLS #774

Open slingamn opened 4 years ago

slingamn commented 4 years ago

This is advertised as the value of the sasl cap. Currently the value is hardcoded: sasl=PLAIN,EXTERNAL. If there is no native TLS listener (even if TLS is still available via external termination), EXTERNAL cannot be used, so it shouldn't be advertised.

slingamn commented 4 years ago

Technically this should depend on which listener the client is connected to, but...meh.

slingamn commented 3 years ago

Not sure it's worth doing this halfway. Let's do this right (advertisement should depend on whether the client's certfp is actually visible to oragono) and kick the can down the road until we feel like doing it correctly.

slingamn commented 2 years ago

From discussion in #ircv3, it's better if the condition checked here is "is the client connected via a native TLS listener?"

I wrote a fix for this:

https://github.com/ergochat/ergo/tree/devel+issue774

but I am not merging it because I'm not convinced the increased technical debt is worthwhile. Maybe we'll revisit this after #1782.
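
The condition settled on in the thread ("is the client connected via a native TLS listener?"), sketched as an added Go example; it is not Ergo's code and not the devel+issue774 fix. It assumes the handler receives the net.Conn exactly as the listener returned it (no wrapper type), and `saslMechanisms` and `saslCapToken` are hypothetical names.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"strings"
)

// saslMechanisms (hypothetical name) returns the mechanism list to advertise
// on this connection. EXTERNAL authenticates with the TLS client certificate,
// so it is offered only when this process terminated TLS itself. Behind an
// external TLS terminator the server sees a plain net.Conn and no client
// certificate, so only PLAIN is listed.
// Assumption: conn is the value returned by the listener, not a wrapper.
func saslMechanisms(conn net.Conn) string {
	mechs := []string{"PLAIN"}
	if _, nativeTLS := conn.(*tls.Conn); nativeTLS {
		mechs = append(mechs, "EXTERNAL")
	}
	return strings.Join(mechs, ",")
}

// saslCapToken (hypothetical name) builds the sasl token for a CAP LS reply.
// Capability values are only sent to clients that negotiated CAP LS 302 or
// later; older clients get the bare capability name.
func saslCapToken(conn net.Conn, capVersion int) string {
	if capVersion >= 302 {
		return "sasl=" + saslMechanisms(conn)
	}
	return "sasl"
}

func main() {
	// Constructed connections: an in-memory pipe stands in for a plaintext
	// (or externally terminated) socket; tls.Server wraps it the way a
	// native TLS listener would. No handshake is performed here.
	plain, peer := net.Pipe()
	defer plain.Close()
	defer peer.Close()
	native := tls.Server(plain, &tls.Config{})

	fmt.Println("plaintext listener: ", saslCapToken(plain, 302))
	fmt.Println("native TLS listener:", saslCapToken(native, 302))
}
```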