-
Notifications
You must be signed in to change notification settings - Fork 67
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC 9266: Channel Bindings for TLS 1.3 support #484
Comments
Sure, do you have an actual OCaml library or packet that would benefit from this directly? I don't like to work on something that is there just for implementing some RFC, but has no actual users. As I understand it, for TLS 1.3 this is a no-opt (since #482 was merged) -- for TLS <= 1.2 there is still something to do (the |
@hannesm: You have the choice to have the support of all possibilies like other softwares do:
There is this project but @alexeyshch has stopped the devel of new features but it is up-to-date: Some OCaml projects: |
@hannesm: Have you looked to add missing 2 parts?
|
Dear @Neustradamus, thanks again for opening the issue. I finally worked on the implenentation -- it is in #496. Do you have at hand either test vectors or some easy-to-test mechanism with the different channel binding types? The API for a user is (please let me know if you consider this to be suitable) (** [channel_binding epoch_data mode] is the RFC 5929 and RFC 9266 specified channel binding.
Please note that [`Tls_unique] will error for TLS 1.3 sessions, and [`Tls_exporter] is not
recommended for TLS < 1.3 sessions (unless the uniqueness is ensured via another path). *)
val channel_binding : Core.epoch_data -> [ `Tls_exporter | `Tls_unique | `Tls_server_endpoint ]
-> (Cstruct.t, [ `Msg of string ]) result |
@hannesm: Nice, good job! Have you looked for jackline? :) @ermine, @pukkamustard, @Jehan, @alexeyshch: What do you think? It must work with:
|
Thanks for your references. Unfortunately all the xmpp servers I have accounts on don't provide the XEP 440 capability https://xmpp.org/extensions/xep-0440.html -- I also ran short on implementing scram. But since I need to cut a release for another bugfix, I merged the channel binding PR to avoid having many open PRs. |
@hannesm: I think that you can test with https://movim.eu/ :) |
CHANGES: * tls: documentation: clarify send_application_data (mirleft/ocaml-tls#492 @reynir) * BUGFIX: tls: export_key_material was wrong for the server side on TLS 1.3, reported in robur-coop/miragevpn#181 by @reynir, fix in mirleft/ocaml-tls#495 @hannesm * FEATURE: tls: add channel_binding (RFC 5929, RFC 9266) support (tls_unique, tls_exporter, tls_server_endpoint), requested by @Neustradamus in mirleft/ocaml-tls#484, added in mirleft/ocaml-tls#496 by @hannesm
Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?
Little details, to know easily:
I think that you have seen the jabber.ru MITM and Channel Binding is the solution:
Thanks in advance.
Linked to:
The text was updated successfully, but these errors were encountered: