RFC 9266: Channel Bindings for TLS 1.3 support

[Neustradamus]

Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?

• https://datatracker.ietf.org/doc/html/rfc9266

Channel Bindings for TLS: https://datatracker.ietf.org/doc/html/rfc5929

• XEP-0388: Extensible SASL Profile: https://xmpp.org/extensions/xep-0388.html
• XEP-0440: SASL Channel-Binding Type Capability: https://xmpp.org/extensions/xep-0440.html
• XEP-0474: SASL SCRAM Downgrade Protection: https://xmpp.org/extensions/xep-0474.html
• XEP-0480: SASL Upgrade Tasks: https://xmpp.org/extensions/xep-0480.html

Little details, to know easily:

• tls-unique for TLS =< 1.2
• tls-server-end-point
• tls-exporter for TLS = 1.3

I think that you have seen the jabber.ru MITM and Channel Binding is the solution:

• https://notes.valdikss.org.ru/jabber.ru-mitm/
• https://snikket.org/blog/on-the-jabber-ru-mitm/
• https://www.devever.net/~hl/xmpp-incident
• https://blog.jmp.chat/b/certwatch

Thanks in advance.

Linked to:

• SCRAM-SHA-***(-PLUS) supports #4
• State of Play scram-sasl/info#1

[fabiang]

Thank for opening this issue.

I've read a bit about this here: https://csb.stevekerrison.com/post/2022-05-scram-detail/

I've also found your issue openssl/openssl#18893 and openssl/openssl#12221. So I guess we need to wait for OpenSSL having an API to get the correct data and this also must be supported by PHP first.

[Neustradamus]

@fabiang: Thanks for your answer!

Hope that the @openssl team will see about it for all projects in the World.

[fabiang]

So I've did some research regarding this issue again. Is see that OpenSSL has SSL_export_keying_material for tls-exporter channel binding type implemented. For tls-uniquethey have SSL_get_finished/SSL_get_peer_finished available. The only thing they are missing is a simple API for both methods, right?

So this means we "only" need those methods exposed by PHPs OpenSSL extension. Python seems to have an API for this for example: https://docs.python.org/3/library/ssl.html#ssl.SSLSocket.get_channel_binding. For PHP we would need something like stream_socket_crypto_channel_binding(resource $stream, string $channelBindingType) which could return an object for each channel binding type available.

[Neustradamus]

@fabiang: Have you looked for tls-server-end-point too?

[fabiang]

@Neustradamus afaics it's not possible to extract cert data from an open stream in PHP. The user of this library could have to make a second connection to the server host and return the certificate data to this library. Not very practical too.