I understand now. Thank you very much.

> On Jul 18, 2016, at 12:17 AM, Sam Whited <[email protected]> wrote:
>
> On Sat, Jul 16, 2016 at 6:33 PM, Anmol Sethi <[email protected]> wrote:
>> I noticed the TLSUnique field of tls.ConnectionState.
>>
>> https://golang.org/pkg/crypto/tls/#ConnectionState
>>
>> I tried to read RFC 5056 and 5929 but I still do not understand its purpose.
>>
>> What exactly does it accomplish? Why would we want to use it?
>
>
> The tls-unique channel binding value is the bytes of the last TLS
> finished message sent during TLS negotiation. They're used to uniquely
> identify a specific TLS session. This can be useful to bind a security
> layer (TLS) to an application layer authenticated session (e.g. SASL).
> This way if we've authed with SASL and we lose our connection and
> then use TLS resumption to resume it, the server can see that we had
> an authenticated connection over that particular TLS session and go
> ahead and resume that too (without our application having to
> reauthenticate).
>
> An example of this particular scenario can be found in the SASL
> package that I've been working on in my spare time recently (fair
> warning, the API is about to change again to defer providing
> credentials until the last possible moment and I've done almost no
> optimization, this package isn't ready to actually be used yet):
>
> https://godoc.org/mellium.im/sasl
>
> As the comments say, vulnerabilities have been found in the tls-unique
> mechanism, so until the TLS master-secret fix (see RFC 7627) is in
> widespread use tls-unique is actually a rather useless channel binding
> mechanism.
>
> Best,
> Sam
>
>
> --
> Sam Whited
> pub 4096R/54083AE104EA7AD3
>
> --
> You received this message because you are subscribed to the Google Groups
> "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
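The behaviour Sam describes, as an added example that is not part of this thread or of the mellium.im/sasl package: a full TLS 1.2 handshake over an in-memory pipe gives both ends the same `TLSUnique`, a TLS 1.3 handshake gives none, and a SASL-side helper fails closed in that case. The self-signed certificate, the "tls-unique-demo" name and the `channelBinding` helper are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"net"
	"time"
)

// handshakeTLSUnique runs one full TLS handshake over an in-memory pipe, pinned to
// version, and returns the tls-unique value each side sees (demo self-signed cert).
func handshakeTLSUnique(version uint16) (client, server []byte, err error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		DNSNames: []string{"tls-unique-demo"}, NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool() // trust exactly this cert, so the client still verifies
	pool.AddCert(leaf)
	cp, sp := net.Pipe()
	// Tickets are off so the unbuffered pipe cannot stall on a post-handshake ticket.
	srv := tls.Server(sp, &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		SessionTicketsDisabled: true, MinVersion: version, MaxVersion: version})
	cli := tls.Client(cp, &tls.Config{RootCAs: pool, ServerName: "tls-unique-demo",
		MinVersion: version, MaxVersion: version})
	errc := make(chan error, 1)
	go func() { errc <- srv.Handshake() }()
	if err = cli.Handshake(); err != nil {
		return nil, nil, err
	}
	if err = <-errc; err != nil {
		return nil, nil, err
	}
	return cli.ConnectionState().TLSUnique, srv.ConnectionState().TLSUnique, nil
}

// channelBinding is what a SCRAM-*-PLUS client appends to its GS2 header
// (RFC 5802). It fails closed: Go leaves TLSUnique nil on TLS 1.3 and on
// resumed sessions without RFC 7627, and binding to "" would bind to nothing.
func channelBinding(cs tls.ConnectionState) ([]byte, error) {
	if len(cs.TLSUnique) == 0 {
		return nil, errors.New("tls-unique unavailable for this connection")
	}
	return append([]byte("p=tls-unique,,"), cs.TLSUnique...), nil
}
```

Call `handshakeTLSUnique(tls.VersionTLS12)` and `handshakeTLSUnique(tls.VersionTLS13)` side by side to see the field populated in one case and empty in the other.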
