RFC 9266: Channel Bindings for TLS 1.3 support

Open • Neustradamus opened this issue 1 year ago • 1 comment

Dear @qxmpp-project team,

I am adding this ticket for memory and Qt security improvements.

Can you add support for RFC 9266: Channel Bindings for TLS 1.3?

  • https://datatracker.ietf.org/doc/html/rfc9266

Channel Bindings for TLS: https://datatracker.ietf.org/doc/html/rfc5929

  • XEP-0388: Extensible SASL Profile: https://xmpp.org/extensions/xep-0388.html (https://github.com/qxmpp-project/qxmpp/issues/606 + https://github.com/qxmpp-project/qxmpp/pull/607)
  • XEP-0440: SASL Channel-Binding Type Capability: https://xmpp.org/extensions/xep-0440.html
  • XEP-0474: SASL SCRAM Downgrade Protection: https://xmpp.org/extensions/xep-0474.html
  • XEP-0480: SASL Upgrade Tasks: https://xmpp.org/extensions/xep-0480.html

Little details, to know easily:

  • tls-unique for TLS <= 1.2
  • tls-server-end-point
  • tls-exporter for TLS = 1.3

I think that you have seen the jabber.ru MITM and Channel Binding is the solution:

  • https://notes.valdikss.org.ru/jabber.ru-mitm/
  • https://snikket.org/blog/on-the-jabber-ru-mitm/
  • https://www.devever.net/~hl/xmpp-incident
  • https://blog.jmp.chat/b/certwatch

Thanks in advance.

Linked to:

  • https://github.com/scram-sasl/info/issues/1
  • https://github.com/qxmpp-project/qxmpp/issues/177
  • https://github.com/qxmpp-project/qxmpp/issues/319
  • https://github.com/qxmpp-project/qxmpp/issues/591

Neustradamus, Dec 25 '23 00:12
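
The binding-type list in the issue above, worked through as an added example (not part of the issue and not qxmpp code): a client picks a type from those the server advertises via XEP-0440, then builds the SCRAM `c=` attribute from it. Because `c=` is covered by the SCRAM proofs, authentication fails when client and server are not on the same TLS channel. The helper names and the preference order are assumptions of this example.

```cpp
#include <algorithm>
#include <cstdint>
#include <string>
#include <vector>

enum class TlsVersion { Tls12OrOlder, Tls13 };

// Pick a binding type from those the server advertised (XEP-0440).
// Assumed preference: the type tied to the TLS session first, then
// tls-server-end-point, which is tied only to the server certificate.
// Returns an empty string when no usable type is offered.
std::string chooseBinding(TlsVersion version, const std::vector<std::string> &offered)
{
    // tls-unique is not defined for TLS 1.3; RFC 9266 adds tls-exporter.
    const std::vector<std::string> wanted = version == TlsVersion::Tls13
        ? std::vector<std::string>{"tls-exporter", "tls-server-end-point"}
        : std::vector<std::string>{"tls-unique", "tls-server-end-point"};
    for (const auto &type : wanted)
        if (std::find(offered.begin(), offered.end(), type) != offered.end())
            return type;
    return std::string();  // caller decides whether to abort or fall back
}

// Standard base64 with padding, as used by SCRAM attributes.
std::string base64(const std::string &in)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::string out;
    for (std::size_t i = 0; i < in.size(); i += 3) {
        const std::size_t len = std::min<std::size_t>(3, in.size() - i);
        std::uint32_t n = 0;
        for (std::size_t j = 0; j < 3; ++j)
            n = (n << 8) | (j < len ? static_cast<unsigned char>(in[i + j]) : 0u);
        for (std::size_t j = 0; j < 4; ++j)
            out += j <= len ? tbl[(n >> (18 - 6 * j)) & 63] : '=';
    }
    return out;
}

// SCRAM "c=" attribute (RFC 5802): base64 of the GS2 header, here
// "p=<type>,," with no authzid, followed by the raw channel-binding data
// taken from the TLS stack (for tls-exporter, the 32-byte exporter value).
std::string channelBindingAttr(const std::string &type, const std::string &cbData)
{
    return "c=" + base64("p=" + type + ",," + cbData);
}
```
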

@lnjX: Thanks for adding SASL2: XEP-0388: Extensible SASL Profile: https://github.com/qxmpp-project/qxmpp/pull/607 (https://github.com/qxmpp-project/qxmpp/issues/606)

Neustradamus, May 19 '24 16:05