crossbario / autobahn-python

WebSocket and WAMP in Python for Twisted and asyncio
https://crossbar.io/autobahn
MIT License

RFC 9266: Channel Bindings for TLS 1.3 support #1584

Open Neustradamus opened 1 year ago

Neustradamus commented 1 year ago

Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?

Some details to know, for quick reference:

Thanks in advance.

Linked to:

oberstet commented 1 year ago

Interesting! I wasn't aware of this.

Autobahn(Python) (and Crossbar.io) support WAMP authentication via WAMP-Cryptosign with TLS channel binding of type tls-unique.

WAMP-Cryptosign:

https://github.com/crossbario/autobahn-python/blob/9f425ff5792348c2f6dc3e7c3297c82f7fb5e793/autobahn/wamp/cryptosign.py#L394

Twisted:

https://github.com/crossbario/autobahn-python/blob/9f425ff5792348c2f6dc3e7c3297c82f7fb5e793/autobahn/twisted/util.py#L134

asyncio:

https://github.com/crossbario/autobahn-python/blob/9f425ff5792348c2f6dc3e7c3297c82f7fb5e793/autobahn/asyncio/util.py#L43

However, we don't support binding type tls-exporter yet. I've skimmed over the RFC .. it obviously seems to improve matters (the complete keying material is fed into the computation of the channel ID ... which seems like a good idea), plus indeed:

Implementations that support channel binding over TLS 1.3 MUST implement "tls-exporter".

Now, since that new channel binding also produces 32-octet channel IDs, it is straightforward to add. However, we need upstream support .. I think .. to be able to read this ID.

Neustradamus commented 1 year ago

@oberstet: Thanks for your quick answer :)

I have created a ticket in Crossbar too: https://github.com/crossbario/crossbar/issues/2037

oberstet commented 1 year ago

For CPython, here is the upstream PR which would allow adding support (here in AutobahnPython and in Crossbar.io): https://github.com/python/cpython/pull/95366

For PyPy, this remains to be seen ..