Get channel binding binding information for TLS connection #44
Conversation
Test channel binding.
| @@ -1416,6 +1416,33 @@ def set_session(self, session): | |||
| if not result: | |||
| _raise_current_error() | |||
|
|
|||
| def get_channel_binding(self, cb_type="tls-unique"): | |||
There was a problem hiding this comment.
All pyOpenSSL APIs should have a docstring explaining what they are for, what their parameters mean, and what they return and raise.
Also please expand abbreviations. I think that "cb" is short for "channel binding"? You can probably just call this "type" here. Alternatively, "channel_binding_type" or "binding_type".
Also please declare a constant for magic strings like "tls-unique" so that applications don't have to be careful to spell a string literal just right.
|
Thanks. I've left some inline comments. Two more things:
Thanks again! |
|
The code in cryptography has been merged only recently http://docs.python.org/3/library/ssl.html#ssl.SSLSocket.get_channel_binding |
Channel Bindings for TLS (RFC 5929, RFC 5056). Channel Bindings for TLS is very usefull because it can be used to detect MiTM attacks when the attacker is using valid certificates (certificates signed by Certification Authority).
For example: if a XMPP client is connecting to a XMPP server and the SCRAM-SHA-1-PLUS authentication mechanism is used during login (RFC 5802), the login will fail in the presence of MiTM attacker, because the TLS channel binding data is used in calculation of password hashes.
The method get_channel_binding supports only "tls-unique" channel binding. It can used the same way as get_channel_binding() in Python 3 ssl module.
http://docs.python.org/3/library/ssl.html