RFC 9266: Channel Bindings for TLS 1.3
Categories
(NSS :: Libraries, enhancement, P5)
Tracking
(Not tracked)
People
(Reporter: Neustradamus, Unassigned)
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Steps to reproduce:
Can you add support for RFC 9266: Channel Bindings for TLS 1.3?
Little details, to know easily:
- tls-unique for TLS <= 1.2
- tls-exporter for TLS = 1.3
Thanks in advance.
Actual results:
No support.
Expected results:
Have the support.
Comment 1 • 1 year ago
NSS supports TLS exporters and so can provide the "EXPORTER-Channel-Binding" exporter that is defined in RFC 9266. See SSL_ExportKeyingMaterial.
I don't think there are any plans to support 'tls-unique'. For one, it doesn't work for TLS 1.2. The 'tls-exporter' binding works in TLS 1.2, so it is a better choice. I know that SCRAM demands that TLS 1.2 implementations implement 'tls-unique', but that is - in my opinion anyway - driven more by a desire to keep from changing the requirements for those who implemented the bindings for TLS 1.2 prior to RFC 9266.
If you have a need for 'tls-unique' in TLS 1.2, then please open a different bug for that. The Mozilla team probably won't prioritize it, but we might be willing to review a patch.
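Added example (not NSS code and not part of this bug): Go's standard library exposes the same TLS exporter, so the program below derives the RFC 9266 tls-exporter binding on both ends of a TLS 1.3 handshake, the way an NSS caller would with SSL_ExportKeyingMaterial. The self-signed certificate and in-memory pipe are constructed fixtures; a SCRAM-*-PLUS server compares the client's value with its own, and a TLS-terminating MITM cannot make the two agree.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// tlsExporterBinding is the RFC 9266 "tls-exporter" value: TLS exporter with label
// "EXPORTER-Channel-Binding", empty context, 32 bytes (NSS: SSL_ExportKeyingMaterial).
func tlsExporterBinding(cs tls.ConnectionState) ([]byte, error) {
	return cs.ExportKeyingMaterial("EXPORTER-Channel-Binding", nil, 32)
}

// handshakeBindings runs a TLS 1.3 handshake over an in-memory pipe with a
// throwaway self-signed certificate and returns the binding each side derives.
func handshakeBindings() (client, server []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	cConn, sConn := net.Pipe()
	// Tickets off: a NewSessionTicket written into the synchronous pipe would block.
	srv := tls.Server(sConn, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true})
	cli := tls.Client(cConn, &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS13})
	errc := make(chan error, 1)
	go func() { errc <- srv.Handshake() }()
	if err = cli.Handshake(); err != nil {
		return nil, nil, err
	}
	if err = <-errc; err != nil {
		return nil, nil, err
	}
	client, err = tlsExporterBinding(cli.ConnectionState())
	if err == nil {
		server, err = tlsExporterBinding(srv.ConnectionState())
	}
	return client, server, err
}
```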
Comment 2 (Reporter) • 6 months ago
There was a jabber.ru (and xmpp.ru) MITM. Security is important and Channel Binding is the solution.
Can you add support for SCRAM-SHA-*-PLUS?
It is for all protocols.
Some sources:
- https://notes.valdikss.org.ru/jabber.ru-mitm/
- https://snikket.org/blog/on-the-jabber-ru-mitm/
- https://www.devever.net/~hl/xmpp-incident
- https://blog.jmp.chat/b/certwatch
Thanks in advance.
Linked to:
- https://bugzilla.mozilla.org/show_bug.cgi?id=563276
- https://bugzilla.mozilla.org/show_bug.cgi?id=1267649
- https://bugzilla.mozilla.org/show_bug.cgi?id=1577688
- https://bugzilla.mozilla.org/show_bug.cgi?id=1579638
- https://bugzilla.mozilla.org/show_bug.cgi?id=1597102
- https://bugzilla.mozilla.org/show_bug.cgi?id=1597103
- https://bugzilla.mozilla.org/show_bug.cgi?id=1597106
- https://bugzilla.mozilla.org/show_bug.cgi?id=1597113
- https://bugzilla.mozilla.org/show_bug.cgi?id=1807870
- https://bugzilla.mozilla.org/show_bug.cgi?id=1862728
- https://bugzilla.mozilla.org/show_bug.cgi?id=1862729