RFC 9266: Channel Bindings for TLS 1.3 support

[Neustradamus]

Bug report

Bug description:

Dear @Python team,

Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?

• https://datatracker.ietf.org/doc/html/rfc9266

Little details, to know easily:

• tls-unique for TLS =< 1.2
• tls-server-end-point
• tls-exporter for TLS = 1.3

A best SCRAM SASL and Channel Binding explanation:

• https://github.com/scram-sasl/info/issues/1

An announcement has been done by Slixmpp team here about the security problem:

• https://blog.mathieui.net/en/slixmpp-1.8.5.html

I think that you have seen the jabber.ru MITM:

• https://notes.valdikss.org.ru/jabber.ru-mitm/
• https://snikket.org/blog/on-the-jabber-ru-mitm/
• https://www.devever.net/~hl/xmpp-incident
• https://blog.jmp.chat/b/certwatch

Can you add "tls-server-end-point" from RFC5929 too?

• https://datatracker.ietf.org/doc/html/rfc5929

It is needed for all SCRAM-SHA-*-PLUS (several RFCs) and specified in:

• XEP-0388: Extensible SASL Profile: https://xmpp.org/extensions/xep-0388.html
• XEP-0440: SASL Channel-Binding Type Capability: https://xmpp.org/extensions/xep-0440.html
• XEP-0474: SASL SCRAM Downgrade Protection: https://xmpp.org/extensions/xep-0474.html
• XEP-0480: SASL Upgrade Tasks: https://xmpp.org/extensions/xep-0480.html

All links about it:

• https://github.com/python/cpython/issues/95350
• https://github.com/tlocke/scramp/issues/9
• https://codeberg.org/poezio/slixmpp/issues/3498
• https://github.com/python/cpython/issues/82133
• https://github.com/python/cpython/issues/88068
• https://github.com/python/cpython/issues/95341
• https://github.com/python/cpython/pull/25255
• https://github.com/python/cpython/pull/95366
• https://bugs.python.org/issue37952
• https://bugs.python.org/issue43902

cc: @davidben, @wingel, @eighthave, @jchampio, @gst, @lowinger42, @ezio-melotti, @AlexWaygood, @njsmith, @zooba, @tlocke, @agronholm, @oberstet.

Thanks in advance.

Linked to:

• https://github.com/python/cpython/commit/d649480739dba77d9bfb1f320b52e9a838c33a05
• https://github.com/python/cpython/search?q=tls-unique
• https://github.com/python/cpython/search?q=tls-server-end-point
• https://github.com/python/cpython/search?q=5929
• https://github.com/python/cpython/search?q=tls-exporter
• https://github.com/python/cpython/search?q=9266

CPython versions tested on:

CPython main branch

Operating systems tested on:

Other

[erlend-aasland]

Duplicate of #95341.

[zooba]

This looks like a feature request, as we don't currently claim to support this RFC at all.

But again, I find this report hard to understand. Perhaps showing an example of the Python code you would like to write but currently cannot would be helpful?

(Reopening for now, because this is a different RFC from the other issue. Though they are painfully similar in text, which I hope we can get clarifications on.)

[zooba]

Ah nope, I see it's a duplicate of an even older issue that does cover both. Carry on!

[Neustradamus]

@erlend-aasland, @zooba: Thanks for your answer.

Yes, it is a duplicate of https://github.com/python/cpython/issues/95350 because the ticket has been closed without the solution, the RFC9266 support.

This ticket is for "tls-exporter" support.

Several projects wait you, example:

• https://github.com/tlocke/scramp/issues/9
• https://codeberg.org/poezio/slixmpp/issues/3498

The recent Slixmpp announcement about the problem in CPython is here:

• https://blog.mathieui.net/en/slixmpp-1.8.5.html
• https://codeberg.org/poezio/slixmpp/issues/3498

Please do not mix this ticket with another, the specified ticket here speaks about the "tls-unique" problem which must not work with TLS 1.3, not directly the RFC9266 missing support:

• https://github.com/python/cpython/issues/95341

And there is another ticket for "tls-server-end-point" missing support here:

• https://github.com/python/cpython/issues/115195

It is possible to have a PR, a commit with the security solution for "tls-exporter", and another one for "tls-server-end-point"?

Thanks in advance.

[zooba]

95341 is still open. Please use that issue.