tls-server-end-point RFC5929 (Channel Binding) missing support

[Neustradamus]

Bug report

Bug description:

Dear @python team,

Can you add "tls-server-end-point" from RFC5929?

• https://datatracker.ietf.org/doc/html/rfc5929

Little details, to know easily:

• tls-unique for TLS =< 1.2
• tls-server-end-point
• tls-exporter for TLS = 1.3

An announcement has been done by Slixmpp team here about the security problem:

• https://blog.mathieui.net/en/slixmpp-1.8.5.html

I think that you have seen the jabber.ru MITM:

• https://notes.valdikss.org.ru/jabber.ru-mitm/
• https://snikket.org/blog/on-the-jabber-ru-mitm/
• https://www.devever.net/~hl/xmpp-incident
• https://blog.jmp.chat/b/certwatch

It is needed for all SCRAM-SHA-*-PLUS (several RFCs) and specified in:

• XEP-0388: Extensible SASL Profile: https://xmpp.org/extensions/xep-0388.html
• XEP-0440: SASL Channel-Binding Type Capability: https://xmpp.org/extensions/xep-0440.html
• XEP-0474: SASL SCRAM Downgrade Protection: https://xmpp.org/extensions/xep-0474.html
• XEP-0480: SASL Upgrade Tasks: https://xmpp.org/extensions/xep-0480.html

A best SCRAM SASL and Channel Binding explanation:

• State of Play scram-sasl/info#1

All links about it:

• RFC 9266: Channel Bindings for TLS 1.3 support #115193
• RFC 9266: Channel Bindings for TLS 1.3 support #95350
• Support the tls-exporter channel binding tlocke/scramp#9
• https://codeberg.org/poezio/slixmpp/issues/3498
• Add support for export_keying_material to SSL library #82133
• ssl module: add getter for SSL_CTX* and SSL* #88068
• ssl module incorrectly supports tls-unique channel binding for TLS 1.3 #95341
• bpo-37952: SSL: add support for export_keying_material #25255
• gh-95341: Implement tls-exporter channel bindings and export key materials #95366
• https://bugs.python.org/issue37952
• https://bugs.python.org/issue43902

cc: @davidben, @wingel, @eighthave, @jchampio, @gst, @lowinger42, @ezio-melotti, @AlexWaygood, @njsmith, @zooba, @tlocke, @agronholm, @oberstet.

Thanks in advance.

Linked to:

• d649480
• https://github.com/python/cpython/search?q=tls-unique
• https://github.com/python/cpython/search?q=tls-server-end-point
• https://github.com/python/cpython/search?q=5929
• https://github.com/python/cpython/search?q=tls-exporter
• https://github.com/python/cpython/search?q=9266

CPython versions tested on:

CPython main branch

Operating systems tested on:

Other

[davidben]

@Neustradamus please stop CC-ing me on these bugs.

[Neustradamus]

@davidben: Thanks for your answer, no problem, maybe you can help me to contact the Python Security team to solve Security points?

[oberstet]

yeah, everybody should be using channel binding, in TLS, and in general (it is an attack vector that exists in all authentication protocols layered on encryption on lower protocols)

WAMP has this, and correctly ties it into "WAMP-Cryptosign" authentication

https://wamp-proto.org/wamp_latest_ietf.html#name-tls-channel-binding

TLS channel binding is supported in very few WAMP implementations to my knowledge, but Autobahn (client-side)

https://github.com/crossbario/autobahn-python/blob/359f868f9db410586cf01c071220994d8d7f165a/autobahn/twisted/util.py#L134
https://github.com/crossbario/autobahn-python/blob/359f868f9db410586cf01c071220994d8d7f165a/autobahn/wamp/cryptosign.py#L399

as well as Crossbar.io (router side)

https://github.com/crossbario/crossbar/blob/0089c1ef6fbbb87fc7316088a91f1859fa84eeb0/crossbar/router/auth/cryptosign.py#L59
https://github.com/crossbario/crossbar-examples/blob/aa31d9fe3abcb4b797931356b5a2ceeac64229c3/authentication/cryptosign/static/client_tx.py#L96

are 2 impls. that do.

[zooba]

Are you referring to SSLSocket.get_channel_binding?

Frankly, I find this bug report impossible to understand. And aggressively tagging various people on it makes me want to report you for spamming. Please don't ever do that again - the issue tags are sufficient to get the attention of the right people.

[erlend-aasland]

Duplicate of #95341.

[erlend-aasland]

@Neustradamus: Christian Heimes already asked you to keep the discussion in #95341 in #95350 (comment). You've opened three (!) identical issues since his request. Please don't open more duplicate issues.

[Neustradamus]

Thanks all for comment, I will explain if you have not understand, there are several parts, please do not mix.

This ticket is for missing "tls-server-end-point" RFC5929 support, a security part, not for other.

Other part, my initial ticket for RFC9266 linked to "tls-exporter" has been closed without solution, I have done a new one to have the security solution.

• Initial which has been closed a long time ago: RFC 9266: Channel Bindings for TLS 1.3 support #95350
• The new one: RFC 9266: Channel Bindings for TLS 1.3 support #115193

It is possible to have a PR, a commit with the security solution for "tls-exporter", and another one for "tls-server-end-point"?

Thanks in advance.