Closed mwild1 closed 7 months ago
@mwild1: Thanks for your ticket, it is already in XMPP repository :)
Happy to see that SCRAM and TLS Channel Binding have more interest in this period.
It is linked to:
Do you guys know a client that supports this, so I would be able to test implementation for it?
I think Conversations does since last year.
We discovered yesterday that all released versions of Conversations only support Channel Binding when using Direct TLS so either keep that in mind when testing or use the master branch and/or contact me directly if you either need an APK or someone to test this.
Commit 0bdca8fd9e50b72382152b8496b1d064f673dbcc adds this feature. I tested it with Conversations and saw that tls-exporter was used with matching values.
@prefiks: Excellent, good job! :)
Is your feature request related to a problem? Please describe.
Ejabberd has supported channel binding (SCRAM-*-PLUS) for a long time, using the tls-unique method. Unfortunately this method is not compatible with TLS 1.3, which has seen rapid adoption over the past few years.
Describe the solution you'd like
Two things need to happen:
tls-exporter for TLS 1.3 connections, as defined by RFC 9266
Additional context
Channel binding is an important defence against TLS MITM attacks, which as demonstrated in recent days are actively being used against XMPP services, and probably others.
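How a SCRAM-SHA-256-PLUS server detects a TLS MITM through the tls-exporter binding, as an added example that is not part of the original issue or ejabberd's code. The user name, password and nonces are constructed, and random 32-byte values stand in for the per-connection exporter output (RFC 9266 derives it with the label "EXPORTER-Channel-Binding").

```python
import base64, hashlib, hmac, os

GS2_HEADER = b"p=tls-exporter,,"  # RFC 9266 binding type, no authzid

def cbind_attr(exporter):
    # SCRAM "c=" attribute: base64(gs2-header || channel-binding data)
    return "c=" + base64.b64encode(GS2_HEADER + exporter).decode()

def keys(password, salt, iters):
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    client_key = hmac.new(salted, b"Client Key", "sha256").digest()
    return client_key, hashlib.sha256(client_key).digest()  # ClientKey, StoredKey

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def client_final(password, salt, iters, first_bare, server_first, nonce, exporter):
    without_proof = f"{cbind_attr(exporter)},r={nonce}"
    auth = f"{first_bare},{server_first},{without_proof}".encode()
    client_key, stored_key = keys(password, salt, iters)
    sig = hmac.new(stored_key, auth, "sha256").digest()
    return without_proof + ",p=" + base64.b64encode(xor(client_key, sig)).decode()

def server_verify(stored_key, first_bare, server_first, final_msg, exporter):
    without_proof, proof_b64 = final_msg.rsplit(",p=", 1)
    # 1. The binding data must equal what the server derived from its own TLS session.
    if without_proof.split(",")[0] != cbind_attr(exporter):
        return "channel-binding-mismatch"
    # 2. The proof is computed over AuthMessage, which includes the c= attribute.
    auth = f"{first_bare},{server_first},{without_proof}".encode()
    sig = hmac.new(stored_key, auth, "sha256").digest()
    recovered = xor(base64.b64decode(proof_b64), sig)
    ok = hmac.compare_digest(hashlib.sha256(recovered).digest(), stored_key)
    return "ok" if ok else "bad-proof"

def demo():
    salt, iters, nonce = os.urandom(16), 4096, "cnoncesnonce"  # constructed values
    first_bare = "n=alice,r=cnonce"
    server_first = f"r={nonce},s={base64.b64encode(salt).decode()},i={iters}"
    _, stored = keys("constructed-password", salt, iters)
    tls_a, tls_b = os.urandom(32), os.urandom(32)  # stand-ins for two TLS sessions
    final = client_final("constructed-password", salt, iters,
                         first_bare, server_first, nonce, tls_a)
    direct = server_verify(stored, first_bare, server_first, final, tls_a)
    # Interception splits the path into two TLS sessions with different exporters.
    relayed = server_verify(stored, first_bare, server_first, final, tls_b)
    # Swapping in the server-side binding without the password breaks the proof.
    forged = cbind_attr(tls_b) + final[final.index(",r="):]
    rewritten = server_verify(stored, first_bare, server_first, forged, tls_b)
    return direct, relayed, rewritten
```

`demo()` returns the server's verdict for a direct connection, a relayed client message, and a relayed message whose `c=` attribute was rewritten to match the server-side session.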