RFC 9266: Channel Bindings for TLS 1.3 support #73118
Comments
|
I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label. |
ghost
added
the
|
Tagging subscribers to this area: @dotnet/ncl, @vcsjones Issue DetailsDescriptionCan you add the support of RFC 9266: Channel Bindings for TLS 1.3? Little details, to know easily:
Thanks in advance. Linked to: Reproduction StepsPlease read the RFC9266. Expected behaviorPlease read the RFC9266. Actual behaviorPlease read the RFC9266. Regression?No response Known WorkaroundsNo response ConfigurationNo response Other informationNo response
|
|
@wfurt, @aik-jahoda, @filipnavara, @hughbe: What do you think? I have added some info in the main ticket. |
|
not in 7.0. We may look into it in 8.0. On Windows this comes from schannel. We will need to check what is supported there. |
|
Dear @dotnet team, Have you progressed on it? |
|
no, but we may during 9.0. On Windows, this could just work as we depends on schannel implementation. It will need some more research and testing. What is your intended use case @Neustradamus ? |
|
Dear all @dotnet team, Any news of this security missing problem? Thanks in advance. Where I can send an email to security Microsoft team? |
|
Hi, I'm the author of MailKit and @Neustradamus has asked me to comment here, although I don't think my comment will go the way he expects. It appears that @Neustradamus goes around to every single project on GitHub that supports any mode of SASL authentication and requests that they implement support for all of the (numerous) SCRAM-SHA-* authentication mechanisms combined with the channel binding support that the When he asked me to implement Foolishly, I wasted a ton of time implementing all of the SCRAM mechanisms and channel binding support for Now I see that not a single human being is asking for SCRAM on any of these products other than @Neustradamus himself, which leads me to conclude that there is absolutely no organic demand for it anywhere. I'm sure @Neustradamus has all of the best intentions, but I wish that he realized how much wasted effort he is causing for developers across a wide variety of projects that might be better off focusing their effort on other things that matter more. In conclusion, this is all about checking a checkbox and nothing more as far as I can tell. My recommendation would be to wait and see if there is any actual organic demand for it. That's my plan from here on out. Edit: This was an interesting read on the topic of SCRAM: https://blog.josefsson.org/2021/06/08/whats-wrong-with-scram/ |
|
@jstedfast: SCRAM-SHA-1, SCRAM-SHA-1-PLUS, SCRAM-SHA-256, SCRAM-SHA-256-PLUS have been added in GNU SASL by @jas4711, the author of your latest link. You can see a lot of information about SCRAM and Channel Binding and a list of supported projects: Old and unsecure mechanisms like CRAM-MD5 and DIGEST-MD5 have been removed from Cyrus SASL and Cyrus IMAP in master code. You can see that Cyrus SASL/IMAP, Dovecot, Exim support SCRAM-SHA-*-PLUS and several other softwares, look the uncomplete list. |
|
thanks for the feedback @jstedfast. I'll ping Windows TLS team to see what is their take on it. |
|
@wfurt: Thanks for your ping to Windows TLS team! I hope a security solution soon. It is linked to Microsoft Channel Binding: It is needed to have a compatibility with:
|
Description
Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?
Little details, to know easily:
Thanks in advance.
Linked to:
Reproduction Steps
Please read the RFC9266.
Expected behavior
Please read the RFC9266.
Actual behavior
Please read the RFC9266.
Regression?
No response
Known Workarounds
No response
Configuration
No response
Other information
No response
The text was updated successfully, but these errors were encountered: