Details
- Suggestion
- Resolution: Unresolved
- P2: Important
- 5.9.9, 5.12.12, 5.15.14, 5.15.15, 5.15.16, 5.15.17, 5.15.18, 5.15.19, 6.0.0, 6.1.3, 6.2.6, 6.3.2, 6.4.3, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.6.0, 6.7.0, 6.7.1, 6.7.2, 6.7.3, Some future release
- Foundation PM Prioritized
Description
For better security, can you add Channel Binding support?
Channel Binding works with:
- tls-unique for TLS <= 1.2
- tls-server-end-point
- tls-exporter for TLS 1.3
All Channel Binding parts are in RFC5929/RFC9266.
It is the -PLUS variant of the different SCRAM-SHA-X mechanisms.
Links to the RFCs, XEPs, etc. follow below.
---------------------------
A small part:
to get the data required for channel binding, QSslSocket should have an API to get the data from SSL_get_finished()
https://paquier.xyz/postgresql-2/channel-binding-openssl/
----------------------
You can see an incomplete list of supported software:
Several Qt projects have been waiting a very long time for a solution from Qt.
--------------------------
With the recent jabber.ru MITM, it is important to add Channel Binding.
Microsoft uses Channel Binding
OpenSSL has functions
GnuTLS has functions
PostgreSQL uses it
OpenLDAP uses it
GSASL uses it
etc.
------------------------------
Linked to:
- RFC5801: Using Generic Security Service Application Program Interface (GSS-API) Mechanisms in Simple Authentication and Security Layer (SASL): The GS2 Mechanism Family: https://tools.ietf.org/html/rfc5801 // July 2010
- RFC5802: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms: https://tools.ietf.org/html/rfc5802 // July 2010
- RFC5056: On the Use of Channel Bindings to Secure Channels: https://tools.ietf.org/html/rfc5056 // November 2007
- RFC5929: Channel Bindings for TLS: https://tools.ietf.org/html/rfc5929 // July 2010
- Channel-Binding Types: https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml
- RFC9266: Channel Bindings for TLS 1.3: https://tools.ietf.org/html/rfc9266 // July 2022
- XEP-0388: Extensible SASL Profile: https://xmpp.org/extensions/xep-0388.html
- XEP-0440: SASL Channel-Binding Type Capability: https://xmpp.org/extensions/xep-0440.html
- XEP-0474: SASL SCRAM Downgrade Protection: https://xmpp.org/extensions/xep-0474.html
- XEP-0480: SASL Upgrade Tasks: https://xmpp.org/extensions/xep-0480.html
SCRAM in RFC:
- https://tools.ietf.org/html/rfc5801
- https://tools.ietf.org/html/rfc5802
- https://tools.ietf.org/html/rfc5803
- https://tools.ietf.org/html/rfc6120
- https://tools.ietf.org/html/rfc6331
- https://tools.ietf.org/html/rfc7613
- https://tools.ietf.org/html/rfc8265
- https://tools.ietf.org/html/rfc8547
- https://tools.ietf.org/html/rfc8600
- https://tools.ietf.org/html/rfc6885
- https://tools.ietf.org/html/rfc7081
- https://tools.ietf.org/html/rfc7804
- https://tools.ietf.org/html/rfc8322
- https://tools.ietf.org/html/rfc8621
- https://tools.ietf.org/html/rfc9051
Drafts:
- https://tools.ietf.org/html/draft-melnikov-scram-sha-512
- https://tools.ietf.org/html/draft-melnikov-scram-sha3-512
- https://tools.ietf.org/html/draft-melnikov-scram-bis
- https://tools.ietf.org/html/draft-ietf-kitten-scram-2fa
- https://tools.ietf.org/html/draft-melnikov-sasl2
Jabber.ru MITM:
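
Added example, not part of the original report and not Qt code: a sketch of how the SCRAM -PLUS variants from RFC 5802 tie the client proof to the TLS channel, so a server rejects a login relayed across two different TLS sessions. All names and values are constructed; the 32-byte `session_a`/`session_b` values stand in for the tls-exporter data (RFC 9266) that the TLS library would supply.

```python
import base64, hashlib, hmac

def cbind_input(cb_type: str, cb_data: bytes) -> str:
    """SCRAM 'c=' value (RFC 5802): base64(gs2-header || channel-binding data)."""
    return base64.b64encode(f"p={cb_type},,".encode() + cb_data).decode()

def _auth_message(client_first_bare, server_first, without_proof):
    return ",".join([client_first_bare, server_first, without_proof]).encode()

def client_final(salted_pw, client_first_bare, server_first, nonce, cb_type, cb_data):
    """Client side: bind the proof to the TLS channel the client actually sees."""
    without_proof = f"c={cbind_input(cb_type, cb_data)},r={nonce}"
    client_key = hmac.digest(salted_pw, b"Client Key", "sha256")
    stored_key = hashlib.sha256(client_key).digest()
    sig = hmac.digest(stored_key, _auth_message(client_first_bare, server_first, without_proof), "sha256")
    proof = bytes(a ^ b for a, b in zip(client_key, sig))
    return f"{without_proof},p={base64.b64encode(proof).decode()}"

def server_verify(stored_key, client_first_bare, server_first, final_msg, cb_type, own_cb_data):
    """Server side: reject if c= differs from the server's own view of the channel."""
    without_proof, _, proof_b64 = final_msg.rpartition(",p=")
    attrs = dict(a.split("=", 1) for a in without_proof.split(","))
    if not hmac.compare_digest(attrs.get("c", ""), cbind_input(cb_type, own_cb_data)):
        return False  # client and server are not on the same TLS session
    sig = hmac.digest(stored_key, _auth_message(client_first_bare, server_first, without_proof), "sha256")
    client_key = bytes(a ^ b for a, b in zip(base64.b64decode(proof_b64), sig))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)

def demo():
    """Constructed values throughout; real cb_data comes from the TLS library."""
    salt, nonce = b"constructed-salt", "cnonce-constructed" + "snonce-constructed"
    salted_pw = hashlib.pbkdf2_hmac("sha256", b"constructed-password", salt, 4096)
    stored_key = hashlib.sha256(hmac.digest(salted_pw, b"Client Key", "sha256")).digest()
    first_bare = "n=user,r=cnonce-constructed"
    server_first = f"r={nonce},s={base64.b64encode(salt).decode()},i=4096"
    # Stand-ins for the 32-byte tls-exporter value of two separate TLS sessions.
    session_a = hashlib.sha256(b"constructed session A").digest()
    session_b = hashlib.sha256(b"constructed session B").digest()
    msg = client_final(salted_pw, first_bare, server_first, nonce, "tls-exporter", session_a)
    direct = server_verify(stored_key, first_bare, server_first, msg, "tls-exporter", session_a)
    relayed = server_verify(stored_key, first_bare, server_first, msg, "tls-exporter", session_b)
    return direct, relayed

if __name__ == "__main__":
    print(demo())  # (True, False)
```

Because `c=` is part of the signed AuthMessage, rewriting it in transit to match the server's session also invalidates the proof.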