RFC 9266: Channel Bindings for TLS 1.3 support

Started by * Neustradamus *4 months ago36 messages

neustradamus@hotmail.com

4 months ago

Dear PostgreSQL team, dear all,

In 2022, I have contacted PostgreSQL team about Channel Binding:
- https://www.postgresql.org/search/?m=1&q=tls-exporter&l=&d=-1&s=i

We are in 2025, I relaunch the subject because several developers always say me: "it is not supported by PostgreSQL".

Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?
- https://datatracker.ietf.org/doc/html/rfc9266

Channel Bindings for TLS: https://datatracker.ietf.org/doc/html/rfc5929

- XEP-0388: Extensible SASL Profile: https://xmpp.org/extensions/xep-0388.html
- XEP-0440: SASL Channel-Binding Type Capability: https://xmpp.org/extensions/xep-0440.html
- XEP-0474: SASL SCRAM Downgrade Protection: https://xmpp.org/extensions/xep-0474.html
- XEP-0480: SASL Upgrade Tasks: https://xmpp.org/extensions/xep-0480.html

Little details, to know easily:
- tls-unique for TLS =< 1.2 (RFC5929)
- tls-server-end-point =< 1.2 + 1.3 (RFC5929)
- tls-exporter for TLS = 1.3 (RFC9266)

After the jabber.ru MITM, it is time to add it:
- https://notes.valdikss.org.ru/jabber.ru-mitm/
- https://snikket.org/blog/on-the-jabber-ru-mitm/
- https://www.devever.net/~hl/xmpp-incident
- https://blog.jmp.chat/b/certwatch/certwatch

Linked to:
- Channel Binding: https://github.com/scram-sasl/info/issues/1

Thanks in advance.

Regards,

Neustradamus

Heikki Linnakangas

heikki.linnakangas@enterprisedb.com

4 months ago

In reply to: * Neustradamus * (#1)

Re: RFC 9266: Channel Bindings for TLS 1.3 support

On 20/11/2025 22:58, * Neustradamus * wrote:

Dear PostgreSQL team, dear all,

In 2022, I have contacted PostgreSQL team about Channel Binding:
- https://www.postgresql.org/search/?m=1&q=tls-exporter&l=&d=-1&s=i

We are in 2025, I relaunch the subject because several developers always say me: "it is not supported by PostgreSQL".

Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?
- https://datatracker.ietf.org/doc/html/rfc9266

I think that would be great. Patches are welcome!

The tricky part is probably going to be to make the protocol changes in
a way that is both backwards-compatible and as secure as possible. But
I'm sure it can be done.

Channel Bindings for TLS: https://datatracker.ietf.org/doc/html/rfc5929

- XEP-0388: Extensible SASL Profile: https://xmpp.org/extensions/xep-0388.html
- XEP-0440: SASL Channel-Binding Type Capability: https://xmpp.org/extensions/xep-0440.html
- XEP-0474: SASL SCRAM Downgrade Protection: https://xmpp.org/extensions/xep-0474.html
- XEP-0480: SASL Upgrade Tasks: https://xmpp.org/extensions/xep-0480.html

Little details, to know easily:
- tls-unique for TLS =< 1.2 (RFC5929)
- tls-server-end-point =< 1.2 + 1.3 (RFC5929)
- tls-exporter for TLS = 1.3 (RFC9266)

After the jabber.ru MITM, it is time to add it:
- https://notes.valdikss.org.ru/jabber.ru-mitm/
- https://snikket.org/blog/on-the-jabber-ru-mitm/
- https://www.devever.net/~hl/xmpp-incident
- https://blog.jmp.chat/b/certwatch/certwatch

PostgreSQL does support channel binding, with tls-server-end-point. I
believe that sufficient to prevent an attack like that. (Assuming that
it's configured correctly, but that's an issue of insecure defaults
rather than a missing feature).

What are the benefits of tls-exporter over tls-server-end-point? I agree
it would be good to support tls-exporter, since RFC9266 specifies it as
mandatory for channel binding over TLS 1.3. But aside from the RFC, is
there some practical difference?

- Heikki

Jacob Champion

jacob.champion@enterprisedb.com

4 months ago

In reply to: * Neustradamus * (#1)

Re: RFC 9266: Channel Bindings for TLS 1.3 support

On Thu, Nov 20, 2025 at 12:59 PM * Neustradamus *
<neustradamus@hotmail.com> wrote:

In 2022, I have contacted PostgreSQL team about Channel Binding:
- https://www.postgresql.org/search/?m=1&q=tls-exporter&l=&d=-1&s=i

There was some initial work there [1]/messages/by-id/YwxWWQR6uwWHBCbQ@paquier.xyz, but we'd still need to figure
out channel binding negotiation, which seems like something we should
not be on the bleeding edge of.

I still wish we'd made endpoint binding opt-in, but that's water under
the bridge. The binding "infrastructure", such as it is, isn't really
in a healthy place right now (as you've seen [2]https://mailarchive.ietf.org/arch/msg/kitten/zpesKSHsiuy1RvhPlbSUGajLbKQ/), and I think we need
SASL to give us additional agility before we can really make progress.

We are in 2025, I relaunch the subject because several developers always say me: "it is not supported by PostgreSQL".

...who says that?

- XEP-0474: SASL SCRAM Downgrade Protection: https://xmpp.org/extensions/xep-0474.html

That says
WARNING: This Standards-Track document is Experimental.
Publication as an XMPP Extension Protocol does not imply approval of
this proposal by the XMPP Standards Foundation.
and
In the long term the author strives to publish this as an RFC
rather than a XEP to also make this protection available to other
protocols, after gaining implementation experience.
and
If [an RFC is published for this] implementations SHOULD NOT
implement this XEP and SHOULD implement the superseding RFC instead.

So we should probably not implement production features based on it.

Linked to:
- Channel Binding: https://github.com/scram-sasl/info/issues/1

(Looks like you're on thin ice with several of the projects listed
there. Please treat other OSS communities with respect, and don't spam
their repositories.)

Thanks,
--Jacob

[1]: /messages/by-id/YwxWWQR6uwWHBCbQ@paquier.xyz
[2]: https://mailarchive.ietf.org/arch/msg/kitten/zpesKSHsiuy1RvhPlbSUGajLbKQ/

Jacob Champion

jacob.champion@enterprisedb.com

4 months ago

In reply to: Heikki Linnakangas (#2)

Re: RFC 9266: Channel Bindings for TLS 1.3 support

On Thu, Nov 20, 2025 at 1:52 PM Heikki Linnakangas <hlinnaka@iki.fi> wrote:

PostgreSQL does support channel binding, with tls-server-end-point. I
believe that sufficient to prevent an attack like that.

No, IIRC unique bindings (-unique and -exporter) prevent MITM even if
the attacker has the server's private key, as long as they do not also
possess the SCRAM verifiers. tls-server-end-point does not prevent
against that (so you can terminate TLS on a different node from the
verifiers).

--Jacob

* Neustradamus *

neustradamus@hotmail.com

4 months ago

In reply to: Heikki Linnakangas (#2)

Re: RFC 9266: Channel Bindings for TLS 1.3 support

Dear Heikki,

Thanks for your answer.

Several people would like to deprecate "tls-server-end-point" (RFC 5929) like Simon Josefsson (author of several RFCs) because RFC 9266 exists since July 2022:
- https://mailarchive.ietf.org/arch/msg/kitten/zpesKSHsiuy1RvhPlbSUGajLbKQ/
- https://datatracker.ietf.org/person/Simon%20Josefsson

For example, he is the GNU SASL maintainer and he does not want to add tls-server-end-point support:
- https://gitlab.com/gsasl/gsasl/-/issues/13

Other talks about tls-server-end-point:
- https://mailarchive.ietf.org/arch/browse/kitten/?q=tls-server-end-point&gbt=1&index=
- https://mail.jabber.org/hyperkitty/search?count=200&q=tls-server-end-point&page=1&mlist=standards%40xmpp.org&sort=date-asc
- https://mailarchive.ietf.org/arch/browse/tls/?q=tls-server-end-point&gbt=1&index=

So it is really important to support "tls-exporter".

Regards,

Neustradamus

________________________________________
From: Heikki Linnakangas <hlinnaka@iki.fi>
Sent: Thursday, November 20, 2025 22:52
To: * Neustradamus *; PostgreSQL Hackers
Subject: Re: RFC 9266: Channel Bindings for TLS 1.3 support

On 20/11/2025 22:58, * Neustradamus * wrote:

Dear PostgreSQL team, dear all,

In 2022, I have contacted PostgreSQL team about Channel Binding:
- https://www.postgresql.org/search/?m=1&q=tls-exporter&l=&d=-1&s=i

We are in 2025, I relaunch the subject because several developers always say me: "it is not supported by PostgreSQL".

Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?
- https://datatracker.ietf.org/doc/html/rfc9266

I think that would be great. Patches are welcome!

The tricky part is probably going to be to make the protocol changes in
a way that is both backwards-compatible and as secure as possible. But
I'm sure it can be done.

Channel Bindings for TLS: https://datatracker.ietf.org/doc/html/rfc5929

- XEP-0388: Extensible SASL Profile: https://xmpp.org/extensions/xep-0388.html
- XEP-0440: SASL Channel-Binding Type Capability: https://xmpp.org/extensions/xep-0440.html
- XEP-0474: SASL SCRAM Downgrade Protection: https://xmpp.org/extensions/xep-0474.html
- XEP-0480: SASL Upgrade Tasks: https://xmpp.org/extensions/xep-0480.html

Little details, to know easily:
- tls-unique for TLS =< 1.2 (RFC5929)
- tls-server-end-point =< 1.2 + 1.3 (RFC5929)
- tls-exporter for TLS = 1.3 (RFC9266)

After the jabber.ru MITM, it is time to add it:
- https://notes.valdikss.org.ru/jabber.ru-mitm/
- https://snikket.org/blog/on-the-jabber-ru-mitm/
- https://www.devever.net/~hl/xmpp-incident
- https://blog.jmp.chat/b/certwatch/certwatch

- Heikki

Heikki Linnakangas

heikki.linnakangas@enterprisedb.com

4 months ago

In reply to: Jacob Champion (#4)

Re: RFC 9266: Channel Bindings for TLS 1.3 support

On 20/11/2025 23:59, Jacob Champion wrote:

On Thu, Nov 20, 2025 at 1:52 PM Heikki Linnakangas <hlinnaka@iki.fi> wrote:

PostgreSQL does support channel binding, with tls-server-end-point. I
believe that sufficient to prevent an attack like that.

No, IIRC unique bindings (-unique and -exporter) prevent MITM even if
the attacker has the server's private key, as long as they do not also
possess the SCRAM verifiers. tls-server-end-point does not prevent
against that (so you can terminate TLS on a different node from the
verifiers).

If I understood the incident correctly, the attacker managed to somehow
obtain a valid TLS certificate for the victim domain. They used that to
perform a MITM attack. They did not have the server's private key. (Or
if they did, they did not use that for the attack).

That's an advantage in general though, even if it wouldn't have made a
difference in this instance. So fair point.

- Heikki

* Neustradamus *

neustradamus@hotmail.com

4 months ago

In reply to: Jacob Champion (#3)

Re: RFC 9266: Channel Bindings for TLS 1.3 support

Dear Jacob Champion,

Thanks for your answer.

Links of XEPs are here to confirm that "tls-exporter" is needed and already used.

XEPs are already supported by a lot of projects/softwares/companies in production, for example on GitHub, we can see:
- https://github.com/search?q=XEP-0480+-repo%3Axsf%2Fxeps+-repo%3Axsf%2Fxep-attic+-repo%3Axsf%2Fxmpp.org&type=code
- https://github.com/search?q=XEP-0388+-repo%3Axsf%2Fxeps+-repo%3Axsf%2Fxep-attic+-repo%3Axsf%2Fxmpp.org&type=code
- https://github.com/search?q=XEP-0440+-repo%3Axsf%2Fxeps+-repo%3Axsf%2Fxep-attic+-repo%3Axsf%2Fxmpp.org&type=code
- https://github.com/search?q=XEP-0474+-repo%3Axsf%2Fxeps+-repo%3Axsf%2Fxep-attic+-repo%3Axsf%2Fxmpp.org&type=code

XEP-0001 specify "Experimental" states:
- https://xmpp.org/extensions/xep-0001.html#states-Experimental

At the same time, about these XEPs, it is the base of the "draft-melnikov-sasl2" done by Alexey Melnikov (author of several RFCs):
- https://datatracker.ietf.org/doc/html/draft-melnikov-sasl2
- https://datatracker.ietf.org/person/Alexey%20Melnikov

I have informed several projects about SCRAM-SHA-*, SCRAM-SHA-*-PLUS (SCRAM-SHA-* with Channel Binding), and Channel Binding since a very long time.
The support of different SCRAM versions and/or different Channel Binding versions have been added in a lot of projects/softwares/libraries with success.
Of course, it is not yet perfect everywhere.
The security is important.

Other GitHub searches in code (Good commented source codes are good):
- tls-server-end-point: https://github.com/search?q=tls-server-end-point&type=code
- tls-exporter: https://github.com/search?q=tls-exporter&type=code
- rfc5929: https://github.com/search?q=rfc5929&type=code
- rfc9266: https://github.com/search?q=rfc9266&type=code
- rfc 5929: https://github.com/search?q=%22rfc+5929%22&type=code
- rfc 9266: https://github.com/search?q=%22rfc+9266%22&type=code

For more informations to all, I can add Wikipedia links about Salted Challenge Response Authentication Mechanism (SCRAM) and Channel Binding:
- https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism
- https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism#Channel_binding

Note: Channel Binding is not only linked to SCRAM.

Regards,

Neustradamus

________________________________________
From: Jacob Champion <jacob.champion@enterprisedb.com>
Sent: Thursday, November 20, 2025 22:52
To: * Neustradamus *
Cc: PostgreSQL Hackers
Subject: Re: RFC 9266: Channel Bindings for TLS 1.3 support

On Thu, Nov 20, 2025 at 12:59 PM * Neustradamus *
<neustradamus@hotmail.com> wrote:

In 2022, I have contacted PostgreSQL team about Channel Binding:
- https://www.postgresql.org/search/?m=1&q=tls-exporter&l=&d=-1&s=i

We are in 2025, I relaunch the subject because several developers always say me: "it is not supported by PostgreSQL".

...who says that?

- XEP-0474: SASL SCRAM Downgrade Protection: https://xmpp.org/extensions/xep-0474.html

So we should probably not implement production features based on it.

Linked to:
- Channel Binding: https://github.com/scram-sasl/info/issues/1

(Looks like you're on thin ice with several of the projects listed
there. Please treat other OSS communities with respect, and don't spam
their repositories.)

Thanks,
--Jacob

[1]: /messages/by-id/YwxWWQR6uwWHBCbQ@paquier.xyz
[2]: https://mailarchive.ietf.org/arch/msg/kitten/zpesKSHsiuy1RvhPlbSUGajLbKQ/

Jacob Champion

jacob.champion@enterprisedb.com

4 months ago

In reply to: Heikki Linnakangas (#6)

Re: RFC 9266: Channel Bindings for TLS 1.3 support

On Fri, Nov 21, 2025 at 12:46 AM Heikki Linnakangas <hlinnaka@iki.fi> wrote:

If I understood the incident correctly, the attacker managed to somehow
obtain a valid TLS certificate for the victim domain. They used that to
perform a MITM attack. They did not have the server's private key. (Or
if they did, they did not use that for the attack).

Oh! Thank you for pointing that out. Yeah, having the private key for
*a* host certificate shouldn't help you if it doesn't have the same
public fingerprint as the one in use at the peer. (I'm not sure I
really internalized that distinction before.)

--Jacob

Jacob Champion

jacob.champion@enterprisedb.com

4 months ago

In reply to: * Neustradamus * (#7)

Re: RFC 9266: Channel Bindings for TLS 1.3 support

On Fri, Nov 21, 2025 at 12:49 AM * Neustradamus *
<neustradamus@hotmail.com> wrote:

At the same time, about these XEPs, it is the base of the "draft-melnikov-sasl2" done by Alexey Melnikov (author of several RFCs):
- https://datatracker.ietf.org/doc/html/draft-melnikov-sasl2

Right, but even that draft says

All of the features below are optional (in order to remain backward
compatible with RFC 4422). However if any is implemented, all of
them MUST be implemented in a protocol. This makes client
implementations easier.

So even if we were to charge ahead and assume that the XEP
implementation is exactly what's going to be standardized in a future
version of SASL, we're still introducing interoperability pain if we
don't do other currently-experimental things too.

In the past, we've said that we're going to wait for published RFCs,
and I think that's served us well. We just need to keep an eye on what
the Kitten WG is up to.

That doesn't stop anyone from maintaining a patchset that tracks the
state of the drafts, though. It's only a barrier to getting it
committed and released.

Thanks,
--Jacob

#10

Daniel Gustafsson

daniel@yesql.se

4 months ago

In reply to: Jacob Champion (#9)

Re: RFC 9266: Channel Bindings for TLS 1.3 support

On 21 Nov 2025, at 17:38, Jacob Champion <jacob.champion@enterprisedb.com> wrote:

In the past, we've said that we're going to wait for published RFCs,
and I think that's served us well.

I am a strong supporter of this strategy.

--
Daniel Gustafsson