Open davidben opened 2 years ago
There are two possibilities for TLS Binding: TLS =< 1.2: RFC5929: Channel Bindings for TLS: https://tools.ietf.org/html/rfc5929 TLS = 1.3: RFC9266: Channel Bindings for TLS 1.3: https://tools.ietf.org/html/rfc9266
Details:
Linked to:
Meh, what a mess. Thanks for notifying us, David.
I have started a PR to implement tls-exporter
on top of export keying materials API. Of course OpenSSL makes it annoyingly complicated to check for presence of ext master secret for TLS 1.2 connections. I had to fall back to SSL_ctrl
. Did I get the RFC right regarding context value? If I understand the RFC correctly, then it wants an empty context, not no context.
Of course OpenSSL makes it annoyingly complicated to check for presence of ext master secret for TLS 1.2 connections. I had to fall back to SSL_ctrl.
Hmm. Does SSL_get_extms_support
not work?
Hmm. Does SSL_get_extms_support not work?
Oh, there is a function for that? I somehow missed the fact that OpenSSL has an API function for extms...
Ah, it is implemented as a macro! That's why I could neither find a symbol in libssl nor a function in ssl/*.c
.
Yeah all the SSL_ctrl nonsense is macros. I tried to convince upstream to make them real functions, but no dice.
Looks like this Erlang library's C implementation provides an example on how to do this with OpenSSL.
I implemented this for Dovecot SASL (in a feature branch) and to my frustration our python-based CI environment cannot be used to test it. I could test it against gsasl, which works fine.
Dear all,
I think that you have seen the jabber.ru MITM:
@stephanbosch: You have done a lot of work about SCRAM in the past in Dovecot project, I am happy to see that you are on it, I can not wait to add Dovecot SASL in the list about -PLUS variants :)
Yes @prefiks has done improvements on it recently. A lot of softwares support all possibilities for Channel Binding.
It is important to know that it is needed for all SCRAM-SHA-*-PLUS (several RFCs listed in previous link) and specified in:
Thanks in advance.
PS: SCRAM has replaced old and unsecure DIGEST-MD5 and CRAM-MD5 which are in obsolete since 2011.
Quickly patched python to run my CI test with tls-exporter channel binding support. This works. I have no idea of overall Python C coding, documentation and other steps needed to add a new Python feature and little time right now to dive into that. So, rather than a pull request, I've attached a patch to this comment which you can use as a starting point to add this for real.
Oh and it looks like I messed up the white space a bit.
@stephanbosch: Have you seen this not-recent PR (but not merged)?
@stephanbosch: Have you seen this not-recent PR (but not merged)?
* [gh-95341: Implement tls-exporter channel bindings and export key materials #95366](https://github.com/python/cpython/pull/95366)
No. That pr is a bit difficult to follow for me. Only the last commit makes sense to me. Anyway, judging by that last commit it seems to be on track for something that will work.
You can test interoperability with GnuSASL/GnuTLS; Dovecot support for tls-exporter and SCRAM-*-PLUS has low priority, so even though it is pretty much implemented, getting that merged will take some time.
Dear @python team,
It is possible to look for @tiran PR:
Security is important!
Several projects/products wait you...
CPython's
get_channel_binding
method implements the tls-unique channel binding for TLS 1.3: https://github.com/python/cpython/blob/main/Lib/test/test_ssl.py#L671-L681 https://github.com/python/cpython/blob/main/Modules/_ssl.c#L2705But this is incorrect. tls-unique is vulnerable to a couple of attacks (3SHAKE, SLOTH), so it was left undefined in TLS 1.3. RFC 9266 defines a replacement tls-exporter binding, built with Export Keying Material instead.