New submission from Jacek Konieczny <jaj...@jajcus.net>:

Recently the IETF has been encouraging the use of the SCRAM-SHA-1-PLUS SASL 
authentication mechanism (RFC 5802) in new protocols. That is a requirement, 
e.g., of the current XMPP specification (RFC6120). Any compliant implementation 
needs to support the 'SCRAM-SHA-1-PLUS' mechanism, and that requires obtaining 
the 'tls-unique' channel-binding data from the TLS connection used. Python 
doesn't provide this information, and it seems to be the only detail stopping 
anyone from fully implementing XMPP, or SCRAM-SHA-1-PLUS alone, in Python.

The 'tls-unique' channel binding is defined as:

> Description: The first TLS Finished message sent (note: the Finished
> struct, not the TLS record layer message containing it) in the most
> recent TLS handshake of the TLS connection being bound to

…and is (they say) available via the OpenSSL API. This should be exposed by the 
Python SSLSocket object too.

The other channel-binding data type, 'tls-server-end-point', can be computed 
using the current Python API, but it is not enough for most uses ('tls-unique' 
is the required channel-binding data in most cases) and is still not trivial 
(one needs to ASN.1-decode the certificate to get the hash function name in 
order to compute the proper digest).

----------
components: Library (Lib)
messages: 140247
nosy: Jajcus
priority: normal
severity: normal
status: open
title: Provide data for TLS channel binding
type: feature request
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue12551>
_______________________________________
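The 'tls-server-end-point' computation mentioned in the report, as an added worked example that is not code from the tracker issue, from CPython, or from the reporter: it walks the outer DER structure of an X.509 certificate far enough to read the signatureAlgorithm OID, maps that OID to a hash name (the OID table here is a subset I supply, not an exhaustive one), applies the RFC 5929 section 4.1 rule (certificates signed with MD5 or SHA-1 are bound with SHA-256; otherwise the certificate's own hash is used), and digests the whole DER encoding. Because there is no real certificate on the page, the block also builds a constructed skeleton certificate (correct outer shape, dummy tbsCertificate body) purely so the parser has realistic input to run on.

```python
import hashlib

# Constructed example, not code from the Python tracker issue or from CPython.
# Computes the 'tls-server-end-point' channel binding (RFC 5929, section 4.1)
# from a DER-encoded certificate: locate Certificate.signatureAlgorithm with a
# minimal DER walk, map its OID to a hash function, then digest the whole DER.

# Assumed subset of signature-algorithm OIDs -> hash used in the signature.
SIG_OID_TO_HASH = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}


def _read_tlv(buf, pos):
    """Parse one DER TLV (single-byte tag, definite length) at buf[pos].
    Returns (tag, value_start, value_end)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: 0x8N then N length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:                                  # short form
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OID contents into dotted form (first two arcs < 40 each)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                      # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_hash_name(cert_der):
    """Return the hash named by Certificate.signatureAlgorithm (RFC 5280)."""
    tag, start, _ = _read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, _, tbs_end = _read_tlv(cert_der, start)      # tbsCertificate (skipped)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, alg_start, _ = _read_tlv(cert_der, tbs_end)  # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(cert_der[oid_start:oid_end])
    if oid not in SIG_OID_TO_HASH:
        raise ValueError("unsupported signature algorithm OID %s" % oid)
    return SIG_OID_TO_HASH[oid]


def tls_server_end_point_hash(cert_der):
    """RFC 5929 s4.1: MD5- or SHA-1-signed certs are hashed with SHA-256."""
    name = signature_hash_name(cert_der)
    return "sha256" if name in ("md5", "sha1") else name


def tls_server_end_point(cert_der):
    """The channel-binding data: hash of the whole DER certificate."""
    return hashlib.new(tls_server_end_point_hash(cert_der), cert_der).digest()


# --- constructed input so the example runs offline -------------------------

def _der(tag, content):
    """Encode a DER TLV with definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    """Encode a dotted OID into DER OID contents."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_skeleton_cert(sig_oid):
    """Constructed stand-in for a certificate: real outer shape (tbsCertificate,
    signatureAlgorithm, signatureValue) with a dummy tbsCertificate body and
    an all-zero signature. Only the structure matters for this example."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                       # SEQUENCE { INTEGER 1 }
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))  # OID + NULL params
    sig = _der(0x03, b"\x00" + bytes(32))                       # BIT STRING, 0 unused bits
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11", "1.2.840.10045.4.3.3"):
        cert = make_skeleton_cert(oid)
        print(oid, signature_hash_name(cert), "->", tls_server_end_point_hash(cert),
              tls_server_end_point(cert).hex()[:16] + "...")
```

The SHA-1 case is the one worth noticing: a sha1WithRSAEncryption certificate is still bound with SHA-256, so a client that naively reused the signature hash would produce binding data the server rejects. A production implementation would use a real ASN.1 library rather than this hand-rolled walker, but the steps are the same. (CPython 3.3 later added SSLSocket.get_channel_binding('tls-unique') in response to this report.)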