RFC 9266: Channel Bindings for TLS 1.3 support

Mbed-TLS / mbedtls

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.

https://www.trustedfirmware.org/projects/mbed-tls/

Other

5.2k stars 2.54k forks source link

RFC 9266: Channel Bindings for TLS 1.3 support #6150

Open Neustradamus opened 2 years ago

Neustradamus commented 2 years ago

Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?

https://datatracker.ietf.org/doc/html/rfc9266

Channel Bindings for TLS: https://datatracker.ietf.org/doc/html/rfc5929

XEP-0388: Extensible SASL Profile: https://xmpp.org/extensions/xep-0388.html
XEP-0440: SASL Channel-Binding Type Capability: https://xmpp.org/extensions/xep-0440.html
XEP-0474: SASL SCRAM Downgrade Protection: https://xmpp.org/extensions/xep-0474.html
XEP-0480: SASL Upgrade Tasks: https://xmpp.org/extensions/xep-0480.html

Little details, to know easily:

tls-unique for TLS =< 1.2
tls-server-end-point
tls-exporter for TLS = 1.3

Thanks in advance.

Neustradamus commented 1 year ago

@yanesca, @valeriosetti: Maybe you can look on this?

Thanks in advance.

gilles-peskine-arm commented 1 year ago

@Neustradamus Please don't ping random people (especially people who aren't working on related features).

What can help prioritize a feature request is: where is this used? Is it required by some standard? What other products support it?

Neustradamus commented 1 year ago

Some examples:

Mellium: https://github.com/mellium/sasl/blob/main/CHANGELOG.md#v030--2022-08-15 + https://github.com/mellium/xmpp/blob/main/CHANGELOG.md#v0213--2022-08-18
GnuTLS: https://github.com/gnutls/gnutls/search?q=tls-exporter
Glib: https://github.com/GNOME/glib/search?q=tls-exporter&type=commits
glib-networking: https://github.com/GNOME/glib-networking/search?p=5&q=tls-exporter
GNU SASL: https://github.com/jas4711/gsasl/blob/master/NEWS#L31
Bouncy Castle: https://github.com/bcgit/bc-java/search?q=tls-exporter
Prosody IM: https://github.com/bjc/prosody/blob/master/CHANGES#L31
Jackal IM: https://github.com/ortuman/jackal/search?q=tls-exporter
Indimail: https://github.com/search?q=user%3Ambhangui+tls-exporter&type=code
Racket: https://github.com/racket/racket/commit/4c83cb14ffbc401481e994c454ccdcc1a0e02d18

Neustradamus commented 10 months ago

Dear all,

I have update the main description about tls-unique, tls-server-end-point, tls-exporter and I have added XEP-0388/XEP-0440/XEP-0474 links.

I think that you have seen the jabber.ru MITM: