RFC 9266: Channel Bindings for TLS 1.3 support

[Neustradamus]

Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?

• https://datatracker.ietf.org/doc/html/rfc9266

Channel Bindings for TLS: https://datatracker.ietf.org/doc/html/rfc5929

• XEP-0388: Extensible SASL Profile: https://xmpp.org/extensions/xep-0388.html
• XEP-0440: SASL Channel-Binding Type Capability: https://xmpp.org/extensions/xep-0440.html
• XEP-0474: SASL SCRAM Downgrade Protection: https://xmpp.org/extensions/xep-0474.html
• XEP-0480: SASL Upgrade Tasks: https://xmpp.org/extensions/xep-0480.html

Little details, to know easily:

• tls-unique for TLS =< 1.2
• tls-server-end-point
• tls-exporter for TLS = 1.3

I think that you have seen the jabber.ru MITM and Channel Binding is the solution:

• https://notes.valdikss.org.ru/jabber.ru-mitm/
• https://snikket.org/blog/on-the-jabber-ru-mitm/
• https://www.devever.net/~hl/xmpp-incident
• https://blog.jmp.chat/b/certwatch

Thanks in advance.

Linked to:

• SCRAM-SHA-***(-PLUS) supports #4
• State of Play scram-sasl/info#1

[fabiang]

Thank for opening this issue.

I've read a bit about this here: https://csb.stevekerrison.com/post/2022-05-scram-detail/

I've also found your issue openssl/openssl#18893 and openssl/openssl#12221. So I guess we need to wait for OpenSSL having an API to get the correct data and this also must be supported by PHP first.

[Neustradamus]

@fabiang: Thanks for your answer!

Hope that the @openssl team will see about it for all projects in the World.

[fabiang]

So I've did some research regarding this issue again. Is see that OpenSSL has SSL_export_keying_material for tls-exporter channel binding type implemented. For tls-uniquethey have SSL_get_finished/SSL_get_peer_finished available. The only thing they are missing is a simple API for both methods, right?

So this means we "only" need those methods exposed by PHPs OpenSSL extension. Python seems to have an API for this for example: https://docs.python.org/3/library/ssl.html#ssl.SSLSocket.get_channel_binding. For PHP we would need something like stream_socket_crypto_channel_binding(resource $stream, string $channelBindingType) which could return an object for each channel binding type available.

[Neustradamus]

@fabiang: Have you looked for tls-server-end-point too?

[fabiang]

@Neustradamus afaics it's not possible to extract cert data from an open stream in PHP. The user of this library could have to make a second connection to the server host and return the certificate data to this library. Not very practical too.

[stevekerrison]

Raises head above cubicle

Hello there!

If I can summarise where things seem to be so far and see if I understand correctly:

• You'd like RFC 9266 channel bindings in this SASL library
• To do that requires the library have access to tls-exporter data
• OpenSSL has that capability through SSL_export_keying_material
• The PHP module for OpenSSL doesn't expose this, however.
• There'd still be some work to do in this library to ensure that the keying material is safe to use (i.e. is over TLS1.3, or if <1.3 renegotiation is disabled and unique master key is guaranteed).

Is that correct?

So aside from using the exported material properly, the main need seems to be to expose SSL_export_keying_material then the sasl library can take it from there.

Have you considered opening an issue against php/php-src, then once that's done the rest can be handled here? I had a search over there and couldn't seem to find any issue related to exposing this function.

While this subject matter does interest me, I'm not an active developer in PHP libraries or the PHP source so I'm not sure I'm the best person to contribute as I have no vested interest in the two projects.

[fabiang]

@stevekerrison I've just checked if channel binding would be possible with PHP 8.4.0 RC4. Unfortunately this is still not the case, since there are still the APIs missing to accomplish this. Therefore you're completely right and my statements above are also still correct. I've opened an issue at php/php-src#16766, so let's hope this will be implemented.

[Neustradamus]

@fabiang: Thanks for your PHP ticket :)

[stevekerrison]

It was @fabiang, not me! :)

[Neustradamus]

Yes, @fabiang sorry!