TODO: add TLS channel binding #13483

Open
wants to merge 1 commit into master
18 changes: 18 additions & 0 deletions docs/TODO
@@ -127,6 +127,7 @@
13.14 Support the clienthello extension
13.15 Select signature algorithms
13.16 QUIC peer verification with wolfSSL
13.17 TLS channel binding

14. GnuTLS
14.2 check connection
@@ -927,6 +928,23 @@
Peer certificate verification is missing in the QUIC (ngtcp2) implementation
using wolfSSL.

13.17 TLS channel binding

TLS 1.2 and 1.3 provide the ability to extract some secret data from the TLS
connection and use it in the client request (usually in some sort of
authentication) to ensure that the data sent is bound to the specific TLS
connection and cannot be successfully intercepted by a proxy. This
functionality can be used in a standard authentication mechanism such as
GSS-API or SCRAM, or in custom approaches like custom HTTP Authentication
headers.

For TLS 1.2, the binding type is usually tls-unique, and for TLS 1.3 it is
tls-exporter.

https://datatracker.ietf.org/doc/html/rfc5929
https://datatracker.ietf.org/doc/html/rfc9266
https://github.com/curl/curl/issues/9226

14. GnuTLS

14.2 check connection
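Review bot: the sentence "For TLS 1.2, the binding type is usually tls-unique" needs a caveat before it goes into the TODO: tls-unique (RFC 5929) is only sound when the extended master secret extension (RFC 7627) has been negotiated, because the triple-handshake attack otherwise lets an attacker make the Finished messages of two distinct connections coincide, and RFC 9266 defines tls-exporter for TLS 1.2 as well (with that same EMS requirement), so a new implementation could use tls-exporter for both versions instead of carrying tls-unique at all. Also, "extract some secret data" overstates tls-unique, which is the first Finished message of the handshake rather than a secret; "connection-specific data" is more accurate, and citing RFC 5705 (keying material exporters) next to RFC 9266 would point at the mechanism tls-exporter is built on. Finally, since the section sits between wolfSSL and GnuTLS items, it would help to note which curl TLS backends expose an exporter or Finished-message API, as that determines the scope of the work.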