processone / ejabberd

Robust, Ubiquitous and Massively Scalable Messaging Platform (XMPP, MQTT, SIP Server)
https://www.process-one.net/en/ejabberd/

Add support for 'tls-exporter' channel binding method #4105

Closed mwild1 closed 7 months ago

mwild1 commented 8 months ago

Is your feature request related to a problem? Please describe.

Ejabberd has supported channel binding (SCRAM-*-PLUS) for a long time, using the tls-unique method. Unfortunately this method is not compatible with TLS 1.3, which has seen rapid adoption over the past few years.

Describe the solution you'd like

Two things need to happen:

  1. ejabberd should support tls-exporter for TLS 1.3 connections, as defined by RFC 9266
  2. Because multiple channel binding methods are possible, and SCRAM does not inform the client which one to use, authentication will fail if there is a mismatch. Therefore ejabberd also needs to advertise the channel binding methods in stream:features using XEP-0440. There is already a feature request at #3972.

Additional context

Channel binding is an important defence against TLS MITM attacks, which as demonstrated in recent days are actively being used against XMPP services, and probably others.
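The two points above, the RFC 9266 exporter derivation and the authentication failure on a method mismatch, as an added worked example that is not ejabberd's code (ejabberd is Erlang; this is Python and only models the protocol). The exporter master secret, salt, nonces and the tls-unique value are constructed stand-ins for real TLS and SCRAM state; the TLS 1.3 exporter follows RFC 8446 section 7.5 and the SCRAM-SHA-256-PLUS proof follows RFC 5802 / RFC 7677:

```python
import base64
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# ---- TLS 1.3 exporter (RFC 8446 section 7.5), parameterised as RFC 9266 requires ----

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label: info is the HkdfLabel struct {uint16 length, "tls13 " + label, context}."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def tls13_exporter(exporter_master_secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """TLS-Exporter(label, context_value, key_length) from RFC 8446 section 7.5."""
    # Derive-Secret(Secret, label, "") uses the transcript hash of an empty message
    derived = hkdf_expand_label(exporter_master_secret, label, HASH(b"").digest(), HASH_LEN)
    return hkdf_expand_label(derived, b"exporter", HASH(context).digest(), length)


def tls_exporter_channel_binding(exporter_master_secret: bytes) -> bytes:
    """RFC 9266 'tls-exporter': label EXPORTER-Channel-Binding, empty context, 32 bytes."""
    return tls13_exporter(exporter_master_secret, b"EXPORTER-Channel-Binding", b"", 32)


# ---- SCRAM-SHA-256-PLUS: client proof and server-side verification ----

def scram_keys(password: str, salt: bytes, iterations: int):
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    return client_key, HASH(client_key).digest()  # (ClientKey, StoredKey)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def client_final(password, cb_method, cb_data, client_first_bare, server_first, salt, iterations):
    """Client side: c= is base64(gs2-header 'p=<method>,,' || raw channel-binding data)."""
    gs2_header = f"p={cb_method},,"
    c_attr = b64(gs2_header.encode("ascii") + cb_data)
    nonce = dict(kv.split("=", 1) for kv in server_first.split(","))["r"]
    without_proof = f"c={c_attr},r={nonce}"
    auth_message = f"{client_first_bare},{server_first},{without_proof}".encode("utf-8")
    client_key, stored_key = scram_keys(password, salt, iterations)
    proof = xor(client_key, hmac.new(stored_key, auth_message, HASH).digest())
    return gs2_header, f"{without_proof},p={b64(proof)}"


def server_verify(stored_key, gs2_header, client_final_msg, supported_cb, client_first_bare, server_first):
    """Server side: rebuild c= from the method the client named and the server's own binding data.
    A method the server cannot produce on this connection is an immediate failure."""
    attrs = dict(kv.split("=", 1) for kv in client_final_msg.split(","))
    method = gs2_header[2:].split(",", 1)[0]           # "p=tls-exporter,," -> "tls-exporter"
    if method not in supported_cb:
        return False
    expected_c = b64(gs2_header.encode("ascii") + supported_cb[method])
    if not hmac.compare_digest(attrs["c"], expected_c):
        return False
    without_proof = client_final_msg.rsplit(",p=", 1)[0]
    auth_message = f"{client_first_bare},{server_first},{without_proof}".encode("utf-8")
    client_signature = hmac.new(stored_key, auth_message, HASH).digest()
    recovered_client_key = xor(base64.b64decode(attrs["p"]), client_signature)
    return hmac.compare_digest(HASH(recovered_client_key).digest(), stored_key)


def demo(client_method: str, server_methods: tuple, password: str = "correct horse") -> bool:
    """Run one SCRAM-PLUS exchange; the stored credential is always for 'correct horse'."""
    ems = bytes(range(32))                               # constructed exporter master secret
    cb_by_method = {"tls-exporter": tls_exporter_channel_binding(ems),
                    "tls-unique": b"\x11" * 12}          # constructed; absent on real TLS 1.3
    salt, iterations = b"constructed-salt", 4096
    client_first_bare = "n=alice,r=clientnonce"
    server_first = f"r=clientnonceservernonce,s={b64(salt)},i={iterations}"
    _, stored_key = scram_keys("correct horse", salt, iterations)
    gs2, final = client_final(password, client_method, cb_by_method[client_method],
                              client_first_bare, server_first, salt, iterations)
    server_cb = {m: cb_by_method[m] for m in server_methods}
    return server_verify(stored_key, gs2, final, server_cb, client_first_bare, server_first)


if __name__ == "__main__":
    print("matching tls-exporter:", demo("tls-exporter", ("tls-exporter",)))
    print("client tls-exporter, server only tls-unique:", demo("tls-exporter", ("tls-unique",)))
```

The last two calls show the point of the request: a client that picks tls-exporter against a server that only knows tls-unique (or the reverse, a tls-unique client against a TLS 1.3 server that has no tls-unique value at all) fails before the password is even checked, which is why the server has to advertise the methods it supports.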

Neustradamus commented 8 months ago

@mwild1: Thanks for your ticket, it is already in XMPP repository :)

Happy to see that SCRAM and TLS Channel Binding have more interest in this period.

It is linked to:

prefiks commented 8 months ago

Do you guys know a client that supports this, so I would be able to test the implementation for it?

licaon-kter commented 8 months ago

I think Conversations does since last year

iNPUTmice commented 8 months ago

We discovered yesterday that all released versions of Conversations only support Channel Binding when using Direct TLS, so either keep that in mind when testing, or use the master branch and/or contact me directly if you either need an APK or someone to test this.

prefiks commented 8 months ago

Commit 0bdca8fd9e50b72382152b8496b1d064f673dbcc adds this feature; I tested it with Conversations and saw that tls-exporter was used with matching values.

Neustradamus commented 8 months ago

@prefiks: Excellent, good job! :)