-
-
Notifications
You must be signed in to change notification settings - Fork 30.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ssl module incorrectly supports tls-unique channel binding for TLS 1.3 #95341
Comments
There are two possibilities for TLS Binding: Details:
Linked to: |
Meh, what a mess. Thanks for notifying us, David. I have started a PR to implement |
Hmm. Does |
Oh, there is a function for that? I somehow missed the fact that OpenSSL has an API function for extms... |
Ah, it is implemented as a macro! That's why I could neither find a symbol in libssl nor a function in |
Yeah all the SSL_ctrl nonsense is macros. I tried to convince upstream to make them real functions, but no dice. |
Looks like this Erlang library's C implementation provides an example on how to do this with OpenSSL. I implemented this for Dovecot SASL (in a feature branch) and to my frustration our python-based CI environment cannot be used to test it. I could test it against gsasl, which works fine. |
Dear all, I think that you have seen the jabber.ru MITM:
@stephanbosch: You have done a lot of work about SCRAM in the past in Dovecot project, I am happy to see that you are on it, I can not wait to add Dovecot SASL in the list about -PLUS variants :) Yes @prefiks has done improvements on it recently. It is important to know that it is needed for all SCRAM-SHA-*-PLUS (several RFCs listed in previous link) and specified in:
Thanks in advance. PS: SCRAM has replaced old and unsecure DIGEST-MD5 and CRAM-MD5 which are in obsolete since 2011. |
Quickly patched python to run my CI test with tls-exporter channel binding support. This works. I have no idea of overall Python C coding, documentation and other steps needed to add a new Python feature and little time right now to dive into that. So, rather than a pull request, I've attached a patch to this comment which you can use as a starting point to add this for real. Oh and it looks like I messed up the white space a bit. |
@stephanbosch: Have you seen this not-recent PR (but not merged)? |
No. That pr is a bit difficult to follow for me. Only the last commit makes sense to me. Anyway, judging by that last commit it seems to be on track for something that will work. You can test interoperability with GnuSASL/GnuTLS; Dovecot support for tls-exporter and SCRAM-*-PLUS has low priority, so even though it is pretty much implemented, getting that merged will take some time. |
…o as to get channel binding data for the current SSL session (only the "tls-unique" channel binding is implemented). This allows the implementation of certain authentication mechanisms such as SCRAM-SHA-1-PLUS. Patch by Jacek Konieczny.
CPython's
get_channel_binding
method implements the tls-unique channel binding for TLS 1.3:https://github.com/python/cpython/blob/main/Lib/test/test_ssl.py#L671-L681
https://github.com/python/cpython/blob/main/Modules/_ssl.c#L2705
But this is incorrect. tls-unique is vulnerable to a couple of attacks (3SHAKE, SLOTH), so it was left undefined in TLS 1.3. RFC 9266 defines a replacement tls-exporter binding, built with Export Keying Material instead.
The text was updated successfully, but these errors were encountered: