crypto/tls: RFC 9266: Channel Bindings for TLS 1.3 support #54103

Open
Neustradamus opened this issue Jul 28, 2022 · 7 comments
Labels
FeatureRequest NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.

@Neustradamus
Neustradamus commented Jul 28, 2022

Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?

Channel Bindings for TLS: https://datatracker.ietf.org/doc/html/rfc5929

Little details, to know easily:

  • tls-unique for TLS =< 1.2
  • tls-server-end-point
  • tls-exporter for TLS = 1.3

Thanks in advance.

@ianlancetaylor
Contributor

CC @golang/security @FiloSottile

@cherrymui cherrymui changed the title RFC 9266: Channel Bindings for TLS 1.3 support crypto/tls: RFC 9266: Channel Bindings for TLS 1.3 support Jul 28, 2022
@cherrymui
Member

I guess this will be added to the crypto/tls package? What would the support look like? Thanks.

@cherrymui cherrymui added NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. FeatureRequest labels Jul 28, 2022
@cherrymui cherrymui added this to the Backlog milestone Jul 28, 2022
@Neustradamus
Author

Dear all,

I have updated the main description about tls-unique, tls-server-end-point, tls-exporter and I have added XEP-0388/XEP-0440/XEP-0474 links.

I think that you have seen the jabber.ru MITM:

@FiloSottile
Contributor

RFC 9266, Section 2, says

"tls-exporter" uses Exported Keying Material (EKM), which is already widely exposed by TLS implementations

Indeed, we already support EKM via ConnectionState.ExportKeyingMaterial.

What do you need us to change in crypto/tls?
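
How the RFC 9266 "tls-exporter" value can be derived with the existing `ConnectionState.ExportKeyingMaterial`, as an added example that is not code from the Go project or from any commenter: the binding is 32 bytes of EKM under the label `EXPORTER-Channel-Binding` with a zero-length context. The function and helper names, the `net.Pipe` loopback and the throwaway self-signed certificate are constructed for illustration, and the function accepts TLS 1.3 only, which is narrower than the RFC (it also allows earlier versions when extended master secret is negotiated).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// TLSExporterBinding derives the RFC 9266 "tls-exporter" value: 32 bytes of EKM, zero-length context.
func TLSExporterBinding(cs tls.ConnectionState) ([]byte, error) {
	if !cs.HandshakeComplete || cs.Version != tls.VersionTLS13 {
		return nil, errors.New("tls-exporter: need a completed TLS 1.3 handshake")
	}
	return cs.ExportKeyingMaterial("EXPORTER-Channel-Binding", []byte{}, 32)
}

// loopbackBindings (hypothetical helper) handshakes over net.Pipe and returns both endpoints' bindings.
func loopbackBindings() ([]byte, []byte, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed throwaway key
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"example.test"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(leaf) // the client trusts exactly this self-signed certificate
	cp, sp := net.Pipe()
	defer func() { cp.Close(); sp.Close() }()
	s := tls.Server(sp, &tls.Config{MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true, // net.Pipe is unbuffered; nothing here reads tickets
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}})
	c := tls.Client(cp, &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: roots, ServerName: "example.test"})
	done := make(chan error, 1)
	go func() { done <- s.Handshake() }()
	herr := errors.Join(c.Handshake(), <-done) // a failed handshake also fails the checks below
	cli, e1 := TLSExporterBinding(c.ConnectionState())
	srv, e2 := TLSExporterBinding(s.ConnectionState())
	return cli, srv, errors.Join(herr, e1, e2)
}

func main() {
	cli, srv, err := loopbackBindings()
	fmt.Printf("client %x\nserver %x\nerr    %v\n", cli, srv, err)
}
```

Both endpoints of one connection print the same value, while a second connection yields a different one. That difference is what lets an authentication layer notice that its TLS session ends somewhere other than at the peer it is authenticating.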

@morphf
morphf commented Jan 29, 2024

Is there an update on this?
