[issue12551] Provide data for TLS channel binding

2011-07-20 Thread Antoine Pitrou
Antoine Pitrou added the comment: Patch is now committed. Thanks for your contribution! -- resolution: -> fixed stage: patch review -> committed/rejected status: open -> closed ___ Python tracker

[issue12551] Provide data for TLS channel binding

2011-07-20 Thread Roundup Robot
Roundup Robot added the comment: New changeset cb44fef5ea1d by Antoine Pitrou in branch 'default': Issue #12551: Provide a get_channel_binding() method on SSL sockets so as http://hg.python.org/cpython/rev/cb44fef5ea1d -- nosy: +python-dev

[issue12551] Provide data for TLS channel binding

2011-07-15 Thread Antoine Pitrou
Antoine Pitrou added the comment: > This patch is functionally equivalent, but advertises 'tls-unique' > support in a bit different way. > > HAS_TLS_UNIQUE is not exposed in the python 'ssl' module, instead a > list 'CHANNEL_BINDING_TYPES' is provided (empty when 'tls-unique' is > not supported

[issue12551] Provide data for TLS channel binding

2011-07-14 Thread Jacek Konieczny
Jacek Konieczny added the comment: This patch is functionally equivalent, but advertises 'tls-unique' support in a bit different way. HAS_TLS_UNIQUE is not exposed in the python 'ssl' module, instead a list 'CHANNEL_BINDING_TYPES' is provided (empty when 'tls-unique' is not supported). get_c

[issue12551] Provide data for TLS channel binding

2011-07-14 Thread Jacek Konieczny
Jacek Konieczny added the comment: This is patch updated according to your suggestions, including raising NotImplementedError when 'tls-unique' is not available and with the ssl.HAS_TLS_UNIQUE constant added. It also includes an important fix to the data retrieval logic (one condition had to

[issue12551] Provide data for TLS channel binding

2011-07-14 Thread Jacek Konieczny
Jacek Konieczny added the comment: Thanks for the quick review. Most of the problems are my oversights. I am not sure about that: > And I think get_channel_binding() should raise NotImplementedError in that > case. As the method is supposed to be extensible and 'tls-unique' may be just one of

[issue12551] Provide data for TLS channel binding

2011-07-13 Thread Antoine Pitrou
Antoine Pitrou added the comment: Thank you, this looks mostly good. A couple of nits: +#if OPENSSL_VERSION_NUMBER >= 0x0090500fL +# define HAVE_OPENSSL_FINISHED 1 +#else +# undef HAVE_OPENSSL_FINNISHED +#endif you have a typo in the #undef, also it would be more logical to have # define HAV
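Review bot: beyond the FINNISHED spelling slip in the #else branch, an #undef of a name that nothing has defined is a no-op, so that branch adds nothing; the positive "# define HAVE_OPENSSL_FINISHED 1" under the version test is sufficient on its own, provided the code that consumes it tests the macro with #ifdef (or #if, which treats an undefined macro as 0) rather than relying on the #undef.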

[issue12551] Provide data for TLS channel binding

2011-07-13 Thread Jesús Cea Avión
Changes by Jesús Cea Avión: -- nosy: +jcea

[issue12551] Provide data for TLS channel binding

2011-07-13 Thread Jacek Konieczny
Jacek Konieczny added the comment: Here is a patch, ready for review. Seems to work, though I still need to check it with some other implementation. I have chosen not to expose another three OpenSSL functions (SSL_get_finished, SSL_get_peer_finished, SSL_session_reused), but provide API just

[issue12551] Provide data for TLS channel binding

2011-07-13 Thread Jacek Konieczny
Jacek Konieczny added the comment: I skim-read the TLS specification, looked at the OpenSSL API and it seems it should be easy to implement. I am getting to work right now…

[issue12551] Provide data for TLS channel binding

2011-07-13 Thread Jacek Konieczny
Jacek Konieczny added the comment: > Do you happen to know which API? Not yet. > I see no reference to tls-unique or channel binding, in either the OpenSSL > website or the latest OpenSSL snapshot. Yes, I know it is not directly documented. > It would be nice if there was some ready-to-use

[issue12551] Provide data for TLS channel binding

2011-07-13 Thread Antoine Pitrou
Antoine Pitrou added the comment: Interestingly (from rfc5929): This definition of 'tls-unique' means that a channel's bindings data may change over time, which in turn creates a synchronization problem should the channel's bindings data change between the time that the

[issue12551] Provide data for TLS channel binding

2011-07-13 Thread Jacek Konieczny
New submission from Jacek Konieczny : Recently IETF encourages the use of the SCRAM-SHA-1-PLUS SASL authentication mechanism (5802) in new protocols. That is a requirement e.g. of the current XMPP specification (RFC6120). Any compliant implementation needs to support the 'SCRAM-SHA-1-PLUS' mecha
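To show what a consumer of the new API actually does with the 'tls-unique' bytes, here is an added example (not code from CPython, from the patch, or from the submitter) of a SCRAM-SHA-1-PLUS exchange as RFC 5802 specifies it, with the channel binding data carried in the client's c= attribute and checked against the server's own view of its TLS session. It uses the ssl.CHANNEL_BINDING_TYPES list and SSLSocket.get_channel_binding() discussed in this thread only in the small tls_unique() helper; the exchange itself runs on constructed inputs (user name, password, nonces, salt, and two stand-in tls-unique byte strings, one per TLS session) so it can be run offline. The point it demonstrates is the one channel binding exists for: a relay that terminates TLS and opens its own session to the server has a different tls-unique value, so a proof the client computed over its own channel fails verification at the server even though the password is correct.

```python
"""SCRAM-SHA-1-PLUS (RFC 5802) bound to the TLS 'tls-unique' value (RFC 5929).

Added illustration, not code from CPython or from the patch in this issue.
Constructed inputs: user name, password, nonces, salt and the stand-in
tls-unique byte strings used by run_exchange() and the demo below.
"""
import base64
import hashlib
import hmac
import ssl
from typing import Optional, Tuple

GS2_HEADER = "p=tls-unique,,"  # 'p=' : client supports binding and requires it


def tls_unique(sock: ssl.SSLSocket) -> bytes:
    """Sample tls-unique from an established SSLSocket.

    Both peers must sample at the same point (right after the handshake and
    before any renegotiation): the value changes with every handshake.
    """
    if "tls-unique" not in ssl.CHANNEL_BINDING_TYPES:
        raise NotImplementedError("this ssl module offers no tls-unique")
    data = sock.get_channel_binding("tls-unique")
    if data is None:
        raise RuntimeError("handshake not completed; no binding data yet")
    return data


def _h(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def _attrs(message: str) -> dict:
    return dict(part.split("=", 1) for part in message.split(","))

def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi() in RFC 5802 is PBKDF2 with HMAC-SHA-1 and a 20-byte output.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, 20)


def client_first(username: str, cnonce: str) -> Tuple[str, str]:
    """Return (client-first-message, client-first-message-bare)."""
    bare = f"n={username},r={cnonce}"
    return GS2_HEADER + bare, bare


def server_first(client_first_bare: str, snonce: str, salt: bytes, iterations: int) -> str:
    return f"r={_attrs(client_first_bare)['r']}{snonce},s={_b64(salt)},i={iterations}"


def client_final(password: str, client_first_bare: str, server_first_msg: str,
                 cbind_data: bytes) -> Tuple[str, bytes]:
    """Build client-final-message and the server signature the client expects back."""
    sf = _attrs(server_first_msg)
    spw = salted_password(password, base64.b64decode(sf["s"]), int(sf["i"]))
    client_key = _hmac(spw, b"Client Key")
    # c= carries the GS2 header followed by this channel's tls-unique bytes
    without_proof = f"c={_b64(GS2_HEADER.encode() + cbind_data)},r={sf['r']}"
    auth_message = ",".join([client_first_bare, server_first_msg, without_proof]).encode()
    proof = _xor(client_key, _hmac(_h(client_key), auth_message))
    server_sig = _hmac(_hmac(spw, b"Server Key"), auth_message)
    return f"{without_proof},p={_b64(proof)}", server_sig


def server_verify(stored_key: bytes, server_key: bytes, client_first_bare: str,
                  server_first_msg: str, client_final_msg: str,
                  cbind_data: bytes) -> Optional[str]:
    """Verify the proof against the server's own tls-unique; None on any failure."""
    cf = _attrs(client_final_msg)
    if cf.get("r") != _attrs(server_first_msg)["r"]:
        return None  # nonce mismatch: replay or cross-session splice
    if cf.get("c") != _b64(GS2_HEADER.encode() + cbind_data):
        return None  # client was bound to a different TLS session than ours
    without_proof = client_final_msg.rsplit(",p=", 1)[0]
    auth_message = ",".join([client_first_bare, server_first_msg, without_proof]).encode()
    client_key = _xor(base64.b64decode(cf["p"]), _hmac(stored_key, auth_message))
    if not hmac.compare_digest(_h(client_key), stored_key):
        return None  # wrong password
    return "v=" + _b64(_hmac(server_key, auth_message))


def run_exchange(registered_pw: str, offered_pw: str,
                 client_cb: bytes, server_cb: bytes) -> bool:
    """Drive one exchange with fixed nonces; True only if both sides accept."""
    salt, iterations = b"\x00\x01\x02\x03\x04\x05\x06\x07", 4096  # constructed
    spw = salted_password(registered_pw, salt, iterations)
    stored_key, server_key = _h(_hmac(spw, b"Client Key")), _hmac(spw, b"Server Key")
    _, bare = client_first("user", "fyko+d2lbbFgONRv9qkxdawL")
    sf = server_first(bare, "3rfcNHYJY1ZVvWVs7j", salt, iterations)
    cf, expected_sig = client_final(offered_pw, bare, sf, client_cb)
    sfm = server_verify(stored_key, server_key, bare, sf, cf, server_cb)
    return sfm is not None and hmac.compare_digest(base64.b64decode(sfm[2:]), expected_sig)


if __name__ == "__main__":
    CB = b"\x8a\x11" * 6       # constructed stand-in for one TLS session's tls-unique
    MITM_CB = b"\x2f\xc4" * 6  # constructed: the relay's own TLS session to the server
    print("same channel:   ", run_exchange("pencil", "pencil", CB, CB))       # True
    print("relayed channel:", run_exchange("pencil", "pencil", CB, MITM_CB))  # False
    print("wrong password: ", run_exchange("pencil", "wrong!", CB, CB))       # False
```

In a real client the two constructed CB values are replaced by tls_unique(sock) on each side, taken immediately after the handshake; that is where the RFC 5929 synchronization caveat quoted earlier in the thread bites, since a renegotiation between sampling and verification leaves the two peers holding different Finished messages and the proof fails for a benign reason. Note also that RFC 8446 does not define 'tls-unique' for TLS 1.3, so on a 1.3 connection a SCRAM-PLUS implementation has to negotiate a different binding type (RFC 9266 defines 'tls-exporter').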