
RFC 9266: Channel Bindings for TLS 1.3 support

Open Neustradamus opened this issue 3 years ago • 6 comments

Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?

  • https://datatracker.ietf.org/doc/html/rfc9266

Little details, to know easily:

  • tls-unique for TLS =< 1.2
  • tls-exporter for TLS = 1.3

Thanks in advance.

Neustradamus avatar Jul 27 '22 13:07 Neustradamus

We can look at supporting that in TlsContext.exportChannelBinding, but it should already be possible to use TlsContext.exportKeyingMaterial (with TLS 1.3) as described in section 2 of the RFC.

Beware that TlsContext.exportKeyingMaterial was initially incorrect, and was fixed in release 1.71.

peterdettman avatar Jul 28 '22 16:07 peterdettman

@peterdettman: Thanks for your reply!

The goal is to be compatible with all, TLS =< 1.2 (tls-unique) and TLS = 1.3 (tls-exporter) to be perfect.

Of course, better to use TLS 1.3 than TLS 1.2...

It is easy to find "tls-unique": https://github.com/bcgit/bc-java/search?q=tls-unique

For example, there is: "tlsContext.exportChannelBinding(ChannelBinding.tls_unique);"

Maybe you can use the same base, and maybe you can add in the code the new RFC like RFC5929...

Neustradamus avatar Jul 28 '22 20:07 Neustradamus

I've now added support for TlsContext.exportChannelBinding(ChannelBinding.tls_exporter).

peterdettman avatar Aug 01 '22 11:08 peterdettman
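
An added example, not part of the thread and not bc-java's own code: a helper that picks tls-unique or tls-exporter by negotiated version, using the TlsContext calls named in the comments above. The class ChannelBindingSelector and its method names are hypothetical; the label, zero-length context and 32-byte length are the exporter parameters from section 2 of RFC 9266, and the cross-check assumes a release containing both the exporter fix and the new tls_exporter constant.

```java
import org.bouncycastle.tls.ChannelBinding;
import org.bouncycastle.tls.ProtocolVersion;
import org.bouncycastle.tls.TlsContext;
import org.bouncycastle.tls.TlsUtils;
import org.bouncycastle.util.Arrays;

/** Hypothetical helper (not part of bc-java): selects the channel binding for a completed handshake. */
public final class ChannelBindingSelector
{
    // Exporter parameters from RFC 9266, section 2.
    private static final String EXPORTER_LABEL = "EXPORTER-Channel-Binding";
    private static final int EXPORTER_LENGTH = 32;

    private ChannelBindingSelector() {}

    /** Binding type name the application protocol should advertise to its peer. */
    public static String bindingName(TlsContext context)
    {
        return isTls13(context) ? "tls-exporter" : "tls-unique";
    }

    /** Binding bytes for the connection; call only after the handshake has completed. */
    public static byte[] bindingData(TlsContext context)
    {
        if (!isTls13(context))
        {
            // TLS 1.2 and earlier: the existing tls-unique binding.
            return context.exportChannelBinding(ChannelBinding.tls_unique);
        }
        // TLS 1.3: the context is a zero-length array, not null, as RFC 9266 specifies.
        byte[] viaExporter = context.exportKeyingMaterial(EXPORTER_LABEL, new byte[0], EXPORTER_LENGTH);
        byte[] viaBinding = context.exportChannelBinding(ChannelBinding.tls_exporter);
        // Sanity check (an assumption of this example): both routes must give the same bytes.
        if (!Arrays.constantTimeAreEqual(viaExporter, viaBinding))
        {
            throw new IllegalStateException("tls-exporter mismatch; check the bc-java release in use");
        }
        return viaBinding;
    }

    private static boolean isTls13(TlsContext context)
    {
        ProtocolVersion negotiated = context.getSecurityParameters().getNegotiatedVersion();
        return TlsUtils.isTLSv13(negotiated);
    }
}
```

Both peers must derive the binding from the same type name, so an application using this would send bindingName alongside the authentication exchange that carries bindingData.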

@peterdettman: Thanks for your improvement!

But there is not yet in this repository to compare tls-unique vs tls-exporter :/

Unique:

  • https://github.com/bcgit/bc-java/search?q=tls-unique
  • https://github.com/bcgit/bc-java/search?q=tlsunique
  • https://github.com/bcgit/bc-java/search?q=tls_unique

Exporter:

  • https://github.com/bcgit/bc-java/search?q=tls-exporter
  • https://github.com/bcgit/bc-java/search?q=tlsexporter
  • https://github.com/bcgit/bc-java/search?q=tls_exporter

ChannelBinding:

  • https://github.com/bcgit/bc-java/search?q=ChannelBinding

Neustradamus avatar Aug 02 '22 23:08 Neustradamus

@peterdettman: GitHub has a problem about search and link to this ticket!

I have found your commits:

  • https://github.com/bcgit/bc-java/commit/1906d5e07ed11797f0c737e3764e141e6305e233
  • https://github.com/bcgit/bc-java/commit/fa01bbc2774c034616dc2ad6fbedb363454d9e16

Neustradamus avatar Aug 03 '22 14:08 Neustradamus

There is no problem. This is a mirror and takes time to update from our private repo.

peterdettman avatar Aug 03 '22 14:08 peterdettman

@peterdettman: This issue can be closed, can you do it?

Linked to:

  • https://github.com/bcgit/bc-java/commit/1906d5e07ed11797f0c737e3764e141e6305e233
  • https://github.com/bcgit/bc-java/search?q=tls-exporter&type=code

Neustradamus avatar Jan 08 '23 12:01 Neustradamus