#1760 Implement tls-exporter channel binding for TLS 1.3

Reporter Sam
Owner Zash
Stars ★ (1)
Tags
  • Status-Started
  • Type-Enhancement
  • Priority-Medium
  1. Sam on

    Description of feature: Implement the TLS 1.3 channel bindings currently defined in https://datatracker.ietf.org/doc/draft-ietf-kitten-tls-channel-bindings-for-tls13/ (in the RFC publication queue; it is unlikely that any changes will be made before the final document is ready).

    Motivation: (Why?) Prosody currently implements the tls-unique channel binding for SCRAM authentication; however, it suffers from a few potential problems described in the document linked above and is not defined at all for TLS 1.3. To perform channel binding with TLS 1.3, a new mechanism is needed. I propose that, only when TLS 1.3 is in use, tls-exporter becomes the channel binding method of choice. For any prior version of TLS, tls-unique can continue to be used.

  2. Zash on

    Submitted https://github.com/brunoos/luasec/pull/187 binding the relevant OpenSSL method. Prosody side work-in-progress in timber.

    Changes
    • tags Status-Started
    • owner Zash
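The binding Sam proposes, and the OpenSSL method Zash's luasec pull request exposes, both produce the RFC 8446 TLS-Exporter output for the draft's fixed label. The following is an added illustration, not Prosody or luasec code: it reimplements that derivation in Python from a constructed exporter master secret (in a real server the secret never leaves the TLS stack and the value comes from the OpenSSL exporter call) together with the per-version selection the issue describes. Assumptions: a SHA-256 cipher suite, and a version string such as "TLSv1.3" as the input to the selection.

```python
import hashlib
import hmac

def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(prk, T(i-1) | info | i), concatenated to `length` bytes."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]

def hkdf_label(label: bytes, context: bytes, length: int) -> bytes:
    """Serialise the HkdfLabel struct of RFC 8446 section 7.1 (label is prefixed with "tls13 ")."""
    full_label = b"tls13 " + label
    return (length.to_bytes(2, "big")
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int,
                      hash_name: str = "sha256") -> bytes:
    return hkdf_expand(secret, hkdf_label(label, context, length), length, hash_name)

def tls13_exporter(exporter_master_secret: bytes, label: bytes, context: bytes,
                   length: int, hash_name: str = "sha256") -> bytes:
    """TLS-Exporter (RFC 8446 section 7.5):
    HKDF-Expand-Label(Derive-Secret(EMS, label, ""), "exporter", Hash(context), length).
    Derive-Secret over an empty transcript uses Hash("") as its context."""
    digest_size = hashlib.new(hash_name).digest_size
    derived = hkdf_expand_label(exporter_master_secret, label,
                                hashlib.new(hash_name, b"").digest(), digest_size, hash_name)
    return hkdf_expand_label(derived, b"exporter",
                             hashlib.new(hash_name, context).digest(), length, hash_name)

# tls-exporter channel binding per the kitten draft: fixed label, empty context, 32 bytes.
CB_LABEL = b"EXPORTER-Channel-Binding"
CB_LENGTH = 32

def tls_exporter_channel_binding(exporter_master_secret: bytes, hash_name: str = "sha256") -> bytes:
    return tls13_exporter(exporter_master_secret, CB_LABEL, b"", CB_LENGTH, hash_name)

def channel_binding_type(tls_version: str) -> str:
    """Selection proposed in the issue: tls-exporter on TLS 1.3, tls-unique on earlier versions."""
    return "tls-exporter" if tls_version == "TLSv1.3" else "tls-unique"

if __name__ == "__main__":
    # Constructed exporter master secret for illustration only (a real one is never exposed).
    demo_secret = bytes(range(32))
    print(channel_binding_type("TLSv1.3"), tls_exporter_channel_binding(demo_secret).hex())
```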
