Open Neustradamus opened 2 years ago
GuidoKiener
commented
2 years ago Thank you for the hint. The cyrus-sasl library already supports a generic function for channel binding (e.g. sasl_setprop(conn, SASL_CHANNEL_BINDING, &cb). The applications (using the cyrus-sasl lib) need to add support for tls-exporter type, e.g. here: https://github.com/cyrusimap/cyrus-imapd/blob/master/imap/tls.c#L1316 Do you know of any reference implementation using the function SSL_export_keying_material(..)?
Neustradamus
commented
2 years ago @GuidoKiener: Thanks for your comment!
For example:
You can see the code in Mellium SASL by the author of the RFC9266:
Prosody IM has been updated:
Miranda NG has been updated:
GNU SASL (GSASL) has been updated:
glib/glib-networking has been updated, it was compatible with draft before:
Neustradamus
commented
1 year ago @GuidoKiener (and others): One year after, have you looked?
You can see a list with -PLUS variants here:
GuidoKiener
commented
1 year ago @GuidoKiener (and others): One year after, have you looked?
You can see a list with -PLUS variants here:
Thank you for pushing SCRAM-*-PLUS mechanism. I don't have any relation to the Cyrus IMAP project, but I only use the Cyrus-SASL library for the HiSLIP 2.0 project. There are other people who are maintaining Cyrus IMAP.
BTW what do you think about SCRAM-SRP? Wouldn't it be better to push this protocol? SCRAM requires strong passwords, otherwise passwords can be cracked with brute force attacks after a TLS session (provided a MITM can listen to the TLS streams).
Neustradamus
commented
1 year ago @GuidoKiener: SCRAM-SRP?
GuidoKiener
commented
1 year ago @GuidoKiener: SCRAM-SRP?
@Neustradamus Sorry, it was a typo. I wanted to ask for SASL SRP (Secure Remote Password). https://www.cyrusimap.org/sasl/sasl/authentication_mechanisms.html#srp.
Neustradamus
commented
10 months ago Dear @cyrusimap team, @aamelnikov, @ksmurchison, @quanah, @hyc, @bgermann, @dilyanpalauzov, @iboukris, @simo5,
Can you look for Channel Binding for TLS 1.3 support?
There is a recent history with jabber.ru MITM and SCRAM-SHA-*-PLUS is the security solution!
Some sources about jabber.ru:
Thanks in advance.
Linked to:
GuidoKiener
commented
5 months ago This issue can be closed when #823 is imerged.
quanah
commented
1 month ago @Neustradamus As noted in #800 we need a code example for #824 to get merged. Thanks!
Neustradamus
commented
1 month ago @quanah: I have relaunched @aamelnikov.
Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?
Channel Bindings for TLS: https://datatracker.ietf.org/doc/html/rfc5929
Little details, to know easily:
I think that you have seen the jabber.ru MITM and Channel Binding is the solution:
Thanks in advance.
Linked to:
cc: @simo5, @quanah, @iboukris, @hyc, @GuidoKiener, @ksmurchison, @aamelnikov, @lhoward, @dilyanpalauzov, @JanParcel, @Jakuje, @whitehse, @michael-o, @slesru, @brong.