[issue12551] Provide data for TLS channel binding
Jacek Konieczny
report at bugs.python.org
Wed Jul 13 13:33:25 CEST 2011
New submission from Jacek Konieczny <jajcus at jajcus.net>:
Recently IETF encourages using of the SCRAM-SHA-1-PLUS SASL authentication mechanism (5802) in new protocols. That is a requirement e.g. of the current XMPP specification (RFC6120). Any compliant implementation needs to support the 'SCRAM-SHA-1-PLUS' mechanism, and that requires obtaining the 'tls-unique' channel-binding data from a TLS connection used. Python doesn't provide this information and it seems the only detail stopping anyone from fully implementing XMPP or SCRAM-SHA-1-PLUS alone in Python.
The 'tls-unique' channel binding is defined as:
> Description: The first TLS Finished message sent (note: the Finished
> struct, not the TLS record layer message containing it) in the most
> recent TLS handshake of the TLS connection being bound to
…and is (they say), available via OpenSSL API. This should be exposed by the python SSLSocket object too.
The other channel-binding data type, 'tls-server-end-point' can be computed using current Python API, but it is not enough for most uses ('tls-unique' is the required channel binding data in most cases) and still not trivial (one needs to ASN.1-decode the certificate to get the hash function name to compute proper digest).
----------
components: Library (Lib)
messages: 140247
nosy: Jajcus
priority: normal
severity: normal
status: open
title: Provide data for TLS channel binding
type: feature request
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue12551>
_______________________________________
More information about the Python-bugs-list
mailing list