RFC 9266: Channel Bindings for TLS 1.3 support

[Neustradamus]

Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?

• https://datatracker.ietf.org/doc/html/rfc9266

Channel Bindings for TLS: https://datatracker.ietf.org/doc/html/rfc5929

• XEP-0388: Extensible SASL Profile: https://xmpp.org/extensions/xep-0388.html
• XEP-0440: SASL Channel-Binding Type Capability: https://xmpp.org/extensions/xep-0440.html
• XEP-0474: SASL SCRAM Downgrade Protection: https://xmpp.org/extensions/xep-0474.html
• XEP-0480: SASL Upgrade Tasks: https://xmpp.org/extensions/xep-0480.html

Little details, to know easily:

• tls-unique for TLS =< 1.2
• tls-server-end-point
• tls-exporter for TLS = 1.3

I think that you have seen the jabber.ru MITM and Channel Binding is the solution:

• https://notes.valdikss.org.ru/jabber.ru-mitm/
• https://snikket.org/blog/on-the-jabber-ru-mitm/
• https://www.devever.net/~hl/xmpp-incident
• https://blog.jmp.chat/b/certwatch

Thanks in advance.

Linked to:

• State of Play scram-sasl/info#1
• Add SCRAM-SHA-1-PLUS, SCRAM-SHA-224-PLUS, SCRAM-SHA-256-PLUS, SCRAM-SHA-384-PLUS, SCRAM-SHA-512-PLUS, SCRAM-SHA3-512(-PLUS) supports #552
• RFC 9266: Channel Bindings for TLS 1.3 support #742
• RFC 9266: Channel Bindings for TLS 1.3 support cyrus-imapd#4191

cc: @simo5, @quanah, @iboukris, @hyc, @GuidoKiener, @ksmurchison, @aamelnikov, @lhoward, @dilyanpalauzov, @JanParcel, @Jakuje, @whitehse, @michael-o, @slesru, @brong.

[GuidoKiener]

Thank you for the hint.
The cyrus-sasl library already supports a generic function for channel binding (e.g. sasl_setprop(conn, SASL_CHANNEL_BINDING, &cb). The applications (using the cyrus-sasl lib) need to add support for tls-exporter type, e.g. here: https://github.com/cyrusimap/cyrus-imapd/blob/master/imap/tls.c#L1316
Do you know of any reference implementation using the function SSL_export_keying_material(..)?

[Neustradamus]

@GuidoKiener: Thanks for your comment!

For example:

You can see the code in Mellium SASL by the author of the RFC9266:

• https://github.com/mellium/sasl/commit/00912085c89c126d442cce0c931a4dd71d356e64

Prosody IM has been updated:

• https://issues.prosody.im/1542
• https://issues.prosody.im/1760

Miranda NG has been updated:

• miranda-ng/miranda-ng@ff9679b

GNU SASL (GSASL) has been updated:

• https://git.savannah.gnu.org/gitweb/?p=gsasl.git;a=blob;f=NEWS;hb=HEAD
• https://git.savannah.gnu.org/gitweb/?p=gsasl.git;a=shortlog

glib/glib-networking has been updated, it was compatible with draft before:

• https://gitlab.gnome.org/GNOME/glib-networking/-/issues/191

[Neustradamus]

@GuidoKiener (and others): One year after, have you looked?

You can see a list with -PLUS variants here:

• State of Play scram-sasl/info#1

[GuidoKiener]

@GuidoKiener (and others): One year after, have you looked?

You can see a list with -PLUS variants here:

• State of Play scram-sasl/info#1

Thank you for pushing SCRAM-*-PLUS mechanism. I don't have any relation to the Cyrus IMAP project, but I only use the Cyrus-SASL library for the HiSLIP 2.0 project. There are other people who are maintaining Cyrus IMAP.
BTW what do you think about SCRAM-SRP? Wouldn't it be better to push this protocol? SCRAM requires strong passwords, otherwise passwords can be cracked with brute force attacks after a TLS session (provided a MITM can listen to the TLS streams).

[Neustradamus]

@GuidoKiener: SCRAM-SRP?

[GuidoKiener]

@GuidoKiener: SCRAM-SRP?

@Neustradamus Sorry, it was a typo. I wanted to ask for SASL SRP (Secure Remote Password). https://www.cyrusimap.org/sasl/sasl/authentication_mechanisms.html#srp.

[Neustradamus]

Dear @cyrusimap team, @aamelnikov, @ksmurchison, @quanah, @hyc, @bgermann, @dilyanpalauzov, @iboukris, @simo5,

Can you look for Channel Binding for TLS 1.3 support?

There is a recent history with jabber.ru MITM and SCRAM-SHA-*-PLUS is the security solution!

Some sources about jabber.ru:

• https://notes.valdikss.org.ru/jabber.ru-mitm/
• https://snikket.org/blog/on-the-jabber-ru-mitm/
• https://www.devever.net/~hl/xmpp-incident
• https://blog.jmp.chat/b/certwatch

Thanks in advance.

Linked to:

• Add SCRAM-SHA-1-PLUS, SCRAM-SHA-224-PLUS, SCRAM-SHA-256-PLUS, SCRAM-SHA-384-PLUS, SCRAM-SHA-512-PLUS, SCRAM-SHA3-512(-PLUS) supports #552
• RFC 9266: Channel Bindings for TLS 1.3 support #742
• RFC 9266: Channel Bindings for TLS 1.3 support cyrus-imapd#4191

[GuidoKiener]

This issue can be closed when #823 is imerged.

[quanah]

@Neustradamus As noted in #800 we need a code example for #824 to get merged. Thanks!

[Neustradamus]

@quanah: I have relaunched @aamelnikov.