davidben
commented
8 months ago @Neustradamus please stop CC-ing me on these bugs.
Closed Neustradamus closed 8 months ago
davidben
commented
8 months ago @Neustradamus please stop CC-ing me on these bugs.
Neustradamus
commented
8 months ago @davidben: Thanks for your answer, no problem, maybe you can help me to contact the Python Security team to solve Security points?
oberstet
commented
8 months ago yeah, everybody should be using channel binding, in TLS, and in general (it is an attack vector that exists in all authentication protocols layered on encryption on lower protocols)
WAMP has this, and correctly ties it into "WAMP-Cryptosign" authentication
https://wamp-proto.org/wamp_latest_ietf.html#name-tls-channel-binding
TLS channel binding is supported in very few WAMP implementations to my knowledge, but Autobahn (client-side)
https://github.com/crossbario/autobahn-python/blob/359f868f9db410586cf01c071220994d8d7f165a/autobahn/twisted/util.py#L134 https://github.com/crossbario/autobahn-python/blob/359f868f9db410586cf01c071220994d8d7f165a/autobahn/wamp/cryptosign.py#L399
as well as Crossbar.io (router side)
https://github.com/crossbario/crossbar/blob/0089c1ef6fbbb87fc7316088a91f1859fa84eeb0/crossbar/router/auth/cryptosign.py#L59 https://github.com/crossbario/crossbar-examples/blob/aa31d9fe3abcb4b797931356b5a2ceeac64229c3/authentication/cryptosign/static/client_tx.py#L96
are 2 impls. that do.
zooba
commented
8 months ago Are you referring to SSLSocket.get_channel_binding?
Frankly, I find this bug report impossible to understand. And aggressively tagging various people on it makes me want to report you for spamming. Please don't ever do that again - the issue tags are sufficient to get the attention of the right people.
erlend-aasland
commented
8 months ago Duplicate of #95341.
erlend-aasland
commented
8 months ago @Neustradamus: Christian Heimes already asked you to keep the discussion in #95341 in https://github.com/python/cpython/issues/95350#issuecomment-1198064664. You've opened three (!) identical issues since his request. Please don't open more duplicate issues.
Neustradamus
commented
8 months ago Thanks all for comment, I will explain if you have not understand, there are several parts, please do not mix.
This ticket is for missing "tls-server-end-point" RFC5929 support, a security part, not for other.
Other part, my initial ticket for RFC9266 linked to "tls-exporter" has been closed without solution, I have done a new one to have the security solution.
It is possible to have a PR, a commit with the security solution for "tls-exporter", and another one for "tls-server-end-point"?
Thanks in advance.
Bug report
Bug description:
Dear @Python team,
Can you add "tls-server-end-point" from RFC5929?
Little details, to know easily:
An announcement has been done by Slixmpp team here about the security problem:
I think that you have seen the jabber.ru MITM:
It is needed for all SCRAM-SHA-*-PLUS (several RFCs) and specified in:
A best SCRAM SASL and Channel Binding explanation:
All links about it:
cc: @davidben, @wingel, @eighthave, @jchampio, @gst, @lowinger42, @ezio-melotti, @AlexWaygood, @njsmith, @zooba, @tlocke, @agronholm, @oberstet.
Thanks in advance.
Linked to:
CPython versions tested on:
CPython main branch
Operating systems tested on:
Other