RFC 9266: Channel Bindings for TLS 1.3 support

[Neustradamus]

Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?

• https://datatracker.ietf.org/doc/html/rfc9266

Little details, to know easily:

• tls-unique for TLS =< 1.2
• tls-exporter for TLS = 1.3

Thanks in advance.

Linked to:

• RFC 9266: Channel Bindings for TLS 1.3 support crossbar#2037

[oberstet]

Interesting! I wasn't aware of this.

Autobahn(Python) (and Crossbar.io) support WAMP authentication via WAMP-Cryptosign with TLS channel binding of type tls-unique.

WAMP-Cryptosign:

autobahn-python/autobahn/wamp/cryptosign.py

Line 394 in 9f425ff

if channel_id_type == 'tls-unique':

Twisted:

autobahn-python/autobahn/twisted/util.py

Line 134 in 9f425ff

def transport_channel_id(transport: object, is_server: bool, channel_id_type: Optional[str] = None) -> Optional[bytes]:

asyncio:

autobahn-python/autobahn/asyncio/util.py

Line 43 in 9f425ff

def transport_channel_id(transport, is_server: bool, channel_id_type: Optional[str] = None) -> bytes:

However, we don't support binding type tls-exporter yet. I've skimmed over the RFC .. it obviously seems to improve matters (complete keying material is fed to the computation of channel ID ... which seems like a good idea), plus indeed

Implementations that support channel binding over TLS 1.3 MUST implement "tls-exporter".

Now, since that new channel binding also produces 32 octet channel IDs, it is straight forward to add. However, we need upstream support .. I think .. to be able to read this id.

[Neustradamus]

@oberstet: Thanks for your quick answer :)

I have create a ticket in Crossbar too: crossbario/crossbar#2037

[oberstet]

For CPython, here is the upstream PR which would allow adding support (here in AutobahnPython and in Crossbar.io): python/cpython#95366 For PyPy, this remains to be seen ..