Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for 'tls-exporter' channel binding method #4105

Closed
mwild1 opened this issue Oct 23, 2023 · 6 comments
Closed

Add support for 'tls-exporter' channel binding method #4105

mwild1 opened this issue Oct 23, 2023 · 6 comments
Assignees
@prefiks
Labels
Kind:Feature
Milestone
ejabberd 24.02

Comments

@mwild1
Copy link

mwild1 commented Oct 23, 2023

Is your feature request related to a problem? Please describe.

Ejabberd has supported channel binding (SCRAM-*-PLUS) for a long time, using the tls-unique method. Unfortunately this method is not compatible with TLS 1.3, which has seen rapid adoption over the past few years.

Describe the solution you'd like

Two things need to happen:

  1. ejabberd should support tls-exporter for TLS 1.3 connections, as defined by RFC 9266
  2. Because multiple channel binding methods are possible, and SCRAM does not inform the client which one to use, authentication will fail if there is a mismatch. Therefore ejabberd also needs to advertise the channel binding methods in stream:features using XEP-0440. There is already a feature request at XEP-0440: SASL Channel-Binding Type Capability support #3972 .

Additional context

Channel binding is an important defence against TLS MITM attacks, which as demonstrated in recent days are actively being used against XMPP services, and probably others.
@prefiks prefiks self-assigned this Oct 23, 2023
@Neustradamus
Copy link
Contributor

Neustradamus commented Oct 24, 2023
edited
Loading

@mwild1: Thanks for your ticket, it is already in XMPP repository :)

Happy to see that SCRAM and TLS Channel Binding have more interest in this period.

It is linked to:

@prefiks
Copy link
Member

prefiks commented Oct 24, 2023

Do you guys know a client that supports this, so i would be able to test implementation for it?

@licaon-kter
Copy link
Contributor

I think Conversations does since last year

@iNPUTmice
Copy link

We discovered yesterday that all released versions of Conversations only support Channel Binding when using Direct TLS so either keep that in mind when testing or use the master branch and/or contact me directly if you either need an APK or someone to test this.

@prefiks
Copy link
Member

prefiks commented Oct 25, 2023

Commit 0bdca8f adds this feature, i tested it with Conversation and seen that tls-exported was used with matching values.

@Neustradamus
Copy link
Contributor

@prefiks: Excellent, good job! :)

@badlop badlop added this to the ejabberd 23.xx milestone Oct 27, 2023
This was referenced Nov 1, 2023
Closed
Closed
Closed
Closed
@prefiks prefiks closed this as completed Dec 15, 2023
@badlop badlop modified the milestones: ejabberd 24.xx, ejabberd 24.02 Feb 27, 2024
@mdosch mdosch mentioned this issue May 1, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@prefiks prefiks

Labels
Kind:Feature
Projects
None yet
Milestone
ejabberd 24.02
Development

No branches or pull requests
6 participants
@mwild1 @prefiks @badlop @Neustradamus @iNPUTmice @licaon-kter