RFC 9266: Channel Bindings for TLS 1.3 support

[Neustradamus]

Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?

• https://datatracker.ietf.org/doc/html/rfc9266

Little details, to know easily:

• tls-unique for TLS =< 1.2
• tls-server-end-point
• tls-exporter for TLS = 1.3

I think that you have seen the jabber.ru MITM:

• https://notes.valdikss.org.ru/jabber.ru-mitm/
• https://snikket.org/blog/on-the-jabber-ru-mitm/
• https://www.devever.net/~hl/xmpp-incident
• https://blog.jmp.chat/b/certwatch

It is needed for all SCRAM-SHA-*-PLUS (several RFCs) and specified in:

• XEP-0388: Extensible SASL Profile: https://xmpp.org/extensions/xep-0388.html
• XEP-0440: SASL Channel-Binding Type Capability: https://xmpp.org/extensions/xep-0440.html
• XEP-0474: SASL SCRAM Downgrade Protection: https://xmpp.org/extensions/xep-0474.html
• XEP-0480: SASL Upgrade Tasks: https://xmpp.org/extensions/xep-0480.html

A best SCRAM SASL and Channel Binding explanation:

• https://github.com/scram-sasl/info/issues/1

An announcement has been done by Slixmpp team here about the security problem:

• https://blog.mathieui.net/en/slixmpp-1.8.5.html

Thanks in advance.

Linked to:

• https://github.com/python/cpython/commit/d649480739dba77d9bfb1f320b52e9a838c33a05
• https://github.com/python/cpython/issues/95341
• https://github.com/python/cpython/search?q=tls-unique
• https://github.com/python/cpython/search?q=tls-server-end-point
• https://github.com/python/cpython/search?q=5929
• https://github.com/python/cpython/search?q=tls-exporter
• https://github.com/python/cpython/search?q=9266
• https://github.com/tlocke/scramp/issues/9
• • https://codeberg.org/poezio/slixmpp/issues/3498

[tiran]

Let's keep the discussion in #95341

[Neustradamus]

@tiran: Thanks!

Linked to:

• https://github.com/python/cpython/pull/95366

[Neustradamus]

All links about it:

• https://github.com/python/cpython/issues/82133
• https://github.com/python/cpython/issues/88068
• https://github.com/python/cpython/issues/95341
• https://github.com/python/cpython/pull/25255
• https://github.com/python/cpython/pull/95366
• https://bugs.python.org/issue37952
• https://bugs.python.org/issue43902

cc: @davidben, @wingel, @eighthave, @jchampio, @gst, @lowinger42, @ezio-melotti, @AlexWaygood, @njsmith, @zooba, @tlocke, @agronholm, @oberstet.

[Neustradamus]

Dear @Python team,

I have done a new ticket for the "tls-exporter", because this ticket has been closed without a security solution.

• https://github.com/python/cpython/issues/115193

The initial ticket has been created in 2022, we are in 2024, no security changes have been done.

I have done another ticket for the missing "tls-server-end-point" part too:

• https://github.com/python/cpython/issues/115195

Several projects are blocked because it is not in CPython...

It is possible to have a PR, a commit with the security solution for "tls-exporter", and another one for "tls-server-end-point"?

Thanks in advance.

[zooba]

Please use the issue you were directed to use.