Add support for XEP-440 #4631

Merged
chrzaszcz merged 3 commits into master from sasl-channel-binding
Jan 28, 2026

@kamilwaz kamilwaz commented Jan 26, 2026

This PR introduces the following changes:

  • Add support for XEP-440
  • Update self-signed certificates to be compliant with iOS/macOS requirements

Requires: esl/escalus#283, esl/fast_scram#17

@kamilwaz kamilwaz self-assigned this Jan 26, 2026
@kamilwaz kamilwaz force-pushed the sasl-channel-binding branch from e664958 to ea1b785 Compare January 26, 2026 11:43

mongoose-im commented Jan 26, 2026

CircleCI results for ea1b785


elasticsearch_and_cassandra_latest / elasticsearch_and_cassandra_mnesia / 2ee3e50
Status: 🟢 Passed
Reports root/ big
OK: 683 / Failed: 0 / User-skipped: 72 / Auto-skipped: 0


small_tests_latest / small_tests / 2ee3e50
Reports root / small


small_tests_legacy / small_tests / 2ee3e50
Reports root / small


small_tests_latest_arm64 / small_tests / 2ee3e50
Reports root / small


ldap_mnesia_legacy / ldap_mnesia / 2ee3e50
Status: 🟢 Passed
Reports root/ big
OK: 2396 / Failed: 0 / User-skipped: 1414 / Auto-skipped: 0


ldap_mnesia_latest / ldap_mnesia / 2ee3e50
Status: 🟢 Passed
Reports root/ big
OK: 2396 / Failed: 0 / User-skipped: 1414 / Auto-skipped: 0


internal_mnesia_latest / internal_mnesia / 2ee3e50
Status: 🟢 Passed
Reports root/ big
OK: 2544 / Failed: 0 / User-skipped: 1266 / Auto-skipped: 0


dynamic_domains_mysql_redis_latest / mysql_redis / 2ee3e50
Status: 🟢 Passed
Reports root/ big
OK: 5271 / Failed: 0 / User-skipped: 158 / Auto-skipped: 0


dynamic_domains_pgsql_mnesia_legacy / pgsql_mnesia / 2ee3e50
Status: 🟢 Passed
Reports root/ big
OK: 5307 / Failed: 0 / User-skipped: 122 / Auto-skipped: 0


dynamic_domains_pgsql_mnesia_latest / pgsql_mnesia / 2ee3e50
Status: 🟢 Passed
Reports root/ big
OK: 5307 / Failed: 0 / User-skipped: 122 / Auto-skipped: 0


pgsql_cets_latest / pgsql_cets / 2ee3e50
Status: 🟢 Passed
Reports root/ big
OK: 5396 / Failed: 0 / User-skipped: 203 / Auto-skipped: 0


cockroachdb_cets_latest / cockroachdb_cets / 2ee3e50
Status: 🟢 Passed
Reports root/ big
OK: 5396 / Failed: 0 / User-skipped: 203 / Auto-skipped: 0


mysql_redis_latest / mysql_redis / 2ee3e50
Status: 🟢 Passed
Reports root/ big
OK: 5692 / Failed: 0 / User-skipped: 150 / Auto-skipped: 0


pgsql_mnesia_latest / pgsql_mnesia / 2ee3e50
Status: 🟢 Passed
Reports root/ big
OK: 5700 / Failed: 0 / User-skipped: 142 / Auto-skipped: 0


pgsql_mnesia_legacy / pgsql_mnesia / 2ee3e50
Status: 🟢 Passed
Reports root/ big
OK: 5700 / Failed: 0 / User-skipped: 142 / Auto-skipped: 0

codecov bot commented Jan 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.06%. Comparing base (8fa7d85) to head (2ee3e50).
⚠️ Report is 7 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #4631      +/-   ##
==========================================
+ Coverage   86.03%   86.06%   +0.03%     
==========================================
  Files         566      566              
  Lines       33926    33936      +10     
==========================================
+ Hits        29187    29207      +20     
+ Misses       4739     4729      -10     

@kamilwaz kamilwaz force-pushed the sasl-channel-binding branch 2 times, most recently from a293707 to 6da7cbe Compare January 26, 2026 14:15
Kamil Wąż added 2 commits January 26, 2026 15:37
Apple introduced additional requirements for trusted certificates
in iOS 13 and macOS 10.15. To trust a certificate (even self-signed),
it must comply with these requirements.

Source: https://support.apple.com/en-us/103769
@kamilwaz kamilwaz force-pushed the sasl-channel-binding branch 3 times, most recently from 7e6de44 to d7b0497 Compare January 26, 2026 15:02
@kamilwaz kamilwaz marked this pull request as ready for review January 27, 2026 07:33
@kamilwaz kamilwaz force-pushed the sasl-channel-binding branch from d7b0497 to 2ec65b4 Compare January 27, 2026 11:58
@kamilwaz kamilwaz requested a review from chrzaszcz January 27, 2026 12:44

@chrzaszcz chrzaszcz left a comment

Looks good in general. I added questions about downgraded deps.

@kamilwaz kamilwaz force-pushed the sasl-channel-binding branch from 2ec65b4 to 2ee3e50 Compare January 27, 2026 17:13

@chrzaszcz chrzaszcz left a comment

👌

@chrzaszcz chrzaszcz merged commit acf8d0e into master Jan 28, 2026
4 checks passed
@chrzaszcz chrzaszcz deleted the sasl-channel-binding branch January 28, 2026 09:45
kamilwaz pushed a commit that referenced this pull request Feb 16, 2026
The certificates used for MIM were broken by #4631. Erlang verifies `serverAuth` against `keyUsage`,
which causes the `ssl_certificate:verify_extkeyusage/2` function to fail.

The issue wasn't noticed immediately because the certificates are cached using a key generated by
`tools/make-certs-cache-key.sh`
@kamilwaz kamilwaz mentioned this pull request Feb 16, 2026
kamilwaz pushed a commit that referenced this pull request Feb 17, 2026
The certificates used for MIM were broken by #4631. Erlang verifies `serverAuth` against `keyUsage`,
which causes the `ssl_certificate:verify_extkeyusage/2` function to fail.

The issue wasn't noticed immediately because the certificates are cached using a key generated by
`tools/make-certs-cache-key.sh`