RFC 9266: Channel Bindings for TLS 1.3 support

[Neustradamus]

Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?

• https://datatracker.ietf.org/doc/html/rfc9266

Little details, to know easily:

• tls-unique for TLS =< 1.2
• tls-server-end-point
• tls-exporter for TLS = 1.3

Thanks in advance.

Linked to:

• SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS) + SCRAM-SHA3-512(-PLUS) supports #391

[johnweldon]

Thank you for submitting this request - you're welcome to propose a PR.

[cpuschma]

It looks like you're on a campaign to ask maintainers to add this as a new feature in several libs, including the standard libs provided by Go: golang/go#54103

I think it would be best to wait for the standard libraries to implement this and make it available to the devs, than to implement this complex and important part ourselves. SSL/TLS are in OSI layer 6 anyway, LDAP (and our implementation) in layer 7.

Personally, I don't see it as our responsibility to provide this part (TLS 1.3 Channel Binding) either. The tasks of the library should be clearly coordinated. As an example: I don't see the task of connection pooling in our responsibility, because there is no clear consensus on how to do it properly.

[Neustradamus]

Dear @go-ldap team, @johnweldon, @cpuschma,

In first, I wish you a Happy New Year 2024!

Have you progressed on the support?

Maybe you can look here:

• Jackal IM has the SCRAM-SHA-*-PLUS supports: https://github.com/ortuman/jackal/pull/243/files
• go-xmpp has the SCRAM-SHA-*-PLUS supports done by @mdosch: https://github.com/xmppo/go-xmpp/blob/master/xmpp.go
• go-sendxmpp has the SCRAM-SHA-*-PLUS supports done by @mdosch: https://salsa.debian.org/mdosch/go-sendxmpp

[Neustradamus]

@cpuschma: Excellent, where is the commit fix?

If there is not, it has been not solved, you need to reopen this ticket.

[cpuschma]

I've been in the wrong issue, sorry 'bout that.