
RFC 9266: Channel Bindings for TLS 1.3 support

Open Neustradamus opened this issue 3 years ago • 0 comments

Dear @strophe team,

Can you add support for RFC 9266: Channel Bindings for TLS 1.3?

  • https://datatracker.ietf.org/doc/html/rfc9266

Channel Bindings for TLS: https://datatracker.ietf.org/doc/html/rfc5929

  • XEP-0388: Extensible SASL Profile: https://xmpp.org/extensions/xep-0388.html
  • XEP-0440: SASL Channel-Binding Type Capability: https://xmpp.org/extensions/xep-0440.html
  • XEP-0474: SASL SCRAM Downgrade Protection: https://xmpp.org/extensions/xep-0474.html
  • XEP-0480: SASL Upgrade Tasks: https://xmpp.org/extensions/xep-0480.html

Little details, to know easily:

  • tls-unique for TLS =< 1.2 (RFC5929)
  • tls-server-end-point =< 1.2 + 1.3 (RFC5929)
  • tls-exporter for TLS = 1.3 (RFC9266)

After the jabber.ru MITM, it is time to add it:

  • https://notes.valdikss.org.ru/jabber.ru-mitm/
  • https://snikket.org/blog/on-the-jabber-ru-mitm/
  • https://www.devever.net/~hl/xmpp-incident
  • https://blog.jmp.chat/b/certwatch/certwatch

Thanks in advance.

Linked to:

  • Channel Binding: https://github.com/scram-sasl/info/issues/1
  • https://github.com/strophe/strophejs/issues/314
  • https://github.com/strophe/strophejs/issues/696

Neustradamus, Aug 02 '22 21:08
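Added example, not part of the issue and not Strophe.js code: a sketch of how a SCRAM client could pick one of the binding types listed above for the negotiated TLS version and build the RFC 5802 `c=` attribute from it. The function names, the preference order, and treating an empty XEP-0440 list as "server offers no channel binding" are assumptions, and the binding bytes are assumed to come from the TLS layer.

```javascript
// Added example with hypothetical names; not Strophe.js API.
// Binding types per TLS version, as listed in the issue. The order inside
// each list (unique binding before tls-server-end-point) is an assumption.
const TYPES_BY_TLS = {
  '1.2': ['tls-unique', 'tls-server-end-point'],
  '1.3': ['tls-exporter', 'tls-server-end-point'],
};

// clientData:  Map of binding type -> Uint8Array supplied by the TLS layer.
// serverTypes: types the server advertised (XEP-0440); [] if it advertised none.
// Returns the gs2-cbind-flag plus binding bytes, or null when the server
// advertised binding types but none is usable here (caller should fail closed).
function chooseBinding(tlsVersion, clientData, serverTypes) {
  const usable = (TYPES_BY_TLS[tlsVersion] || []).filter((t) => clientData.has(t));
  // "n": this client cannot do channel binding on this connection.
  if (usable.length === 0) return { flag: 'n', data: new Uint8Array(0) };
  // "y": client can bind but believes the server cannot. The flag is covered
  // by the SCRAM proof, so a server that did offer binding detects a stripped
  // advertisement and rejects the login.
  if (serverTypes.length === 0) return { flag: 'y', data: new Uint8Array(0) };
  const type = usable.find((t) => serverTypes.includes(t));
  return type ? { flag: 'p=' + type, data: clientData.get(type) } : null;
}

// RFC 5802: c= carries base64(gs2-header || channel-binding data).
// No authzid is sent, so the gs2-header is "<flag>,,".
function cbindAttribute(binding) {
  const gs2Header = binding.flag + ',,';
  let bin = gs2Header;
  for (const byte of binding.data) bin += String.fromCharCode(byte);
  return { gs2Header, attr: 'c=' + btoa(bin) };
}

// Constructed sample: 32 bytes standing in for a TLS 1.3 exporter value.
const sampleExporter = new Uint8Array(32).fill(7);
const sampleBinding = chooseBinding(
  '1.3',
  new Map([['tls-exporter', sampleExporter]]),
  ['tls-server-end-point', 'tls-exporter']
);
console.log(cbindAttribute(sampleBinding).attr);
```
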