Author Jajcus
Recipients Jajcus
Date 2011-07-13.11:33:24
SpamBayes Score 3.80025e-09
Marked as misclassified No
Message-id <1310556805.74.0.156740266858.issue12551@psf.upfronthosting.co.za>
In-reply-to
Content
Recently the IETF encourages the use of the SCRAM-SHA-1-PLUS SASL authentication mechanism (5802) in new protocols. That is a requirement e.g. of the current XMPP specification (RFC6120). Any compliant implementation needs to support the 'SCRAM-SHA-1-PLUS' mechanism, and that requires obtaining the 'tls-unique' channel-binding data from the TLS connection used. Python doesn't provide this information, and it seems to be the only detail stopping anyone from fully implementing XMPP, or SCRAM-SHA-1-PLUS alone, in Python.

The 'tls-unique' channel binding is defined as:

> Description: The first TLS Finished message sent (note: the Finished
> struct, not the TLS record layer message containing it) in the most
> recent TLS handshake of the TLS connection being bound to

…and is (they say) available via the OpenSSL API. This should be exposed by the Python SSLSocket object too.

The other channel-binding data type, 'tls-server-end-point', can be computed using the current Python API, but it is not enough for most uses ('tls-unique' is the required channel binding data in most cases) and is still not trivial (one needs to ASN.1-decode the certificate to get the hash function name to compute the proper digest).
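To show where the 'tls-unique' bytes actually end up in SCRAM-SHA-1-PLUS, here is an added example (not code from the tracker message or from CPython) of the RFC 5802 client proof and server-side check with the channel binding folded into the c= attribute; the nonces, salt, password and channel-binding bytes are constructed for the demo, and the tls-unique value is simply passed in as bytes, which is exactly the data this issue asks the SSLSocket to expose.

```python
import base64
import hashlib
import hmac

# GS2 header for a client that supports channel binding and uses 'tls-unique'.
GS2_HEADER = b"p=tls-unique,,"


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi() from RFC 5802 is PBKDF2 with HMAC-SHA-1."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations)


def stored_key_for(password: bytes, salt: bytes, iterations: int) -> bytes:
    """StoredKey = H(HMAC(SaltedPassword, "Client Key")); what the server keeps."""
    client_key = hmac.new(hi(password, salt, iterations), b"Client Key", hashlib.sha1).digest()
    return hashlib.sha1(client_key).digest()


def channel_binding_attr(tls_unique: bytes) -> bytes:
    """c= attribute: base64 of the GS2 header followed by the raw tls-unique bytes."""
    return b"c=" + base64.b64encode(GS2_HEADER + tls_unique)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def client_final_message(username, password, cnonce, server_first, tls_unique):
    """Client side: build client-final-message including the proof (RFC 5802 section 3)."""
    attrs = dict(kv.split(b"=", 1) for kv in server_first.split(b","))
    salt, iters = base64.b64decode(attrs[b"s"]), int(attrs[b"i"])
    client_first_bare = b"n=" + username + b",r=" + cnonce
    final_without_proof = channel_binding_attr(tls_unique) + b",r=" + attrs[b"r"]
    auth_message = b",".join([client_first_bare, server_first, final_without_proof])
    client_key = hmac.new(hi(password, salt, iters), b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return final_without_proof + b",p=" + base64.b64encode(xor(client_key, client_sig))


def server_verify(username, stored_key, cnonce, server_first, client_final, tls_unique):
    """Server side: the c= value must match the server's own view of tls-unique, then
    ClientKey = proof XOR ClientSignature must hash to the StoredKey on file."""
    without_proof, proof_attr = client_final.rsplit(b",p=", 1)
    if not without_proof.startswith(channel_binding_attr(tls_unique)):
        return False  # channel-binding mismatch: the TLS session is not the one the client bound to
    client_first_bare = b"n=" + username + b",r=" + cnonce
    auth_message = b",".join([client_first_bare, server_first, without_proof])
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    client_key = xor(base64.b64decode(proof_attr), client_sig)
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), stored_key)
```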
History
Date                 User    Action  Args
2011-07-13 11:33:25  Jajcus  set     recipients: + Jajcus
2011-07-13 11:33:25  Jajcus  set     messageid: <1310556805.74.0.156740266858.issue12551@psf.upfronthosting.co.za>
2011-07-13 11:33:25  Jajcus  link    issue12551 messages
2011-07-13 11:33:24  Jajcus  create