Neustradamus created KAFKA-15855:
------------------------------------

             Summary: RFC 9266: Channel Bindings for TLS 1.3 support | SCRAM-SHA-*-PLUS variants
                 Key: KAFKA-15855
                 URL: https://issues.apache.org/jira/browse/KAFKA-15855
             Project: Kafka
          Issue Type: Bug
          Components: connect, core, security
            Reporter: Neustradamus


Dear Apache, and Kafka teams,

Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?
- [https://datatracker.ietf.org/doc/html/rfc9266]

Little details, to know easily:
- tls-unique for TLS <= 1.2
- tls-server-end-point
- tls-exporter for TLS = 1.3

It is needed for SCRAM-SHA-*-PLUS variants.
Note: Some SCRAM-SHA are already supported.

I think that you have seen the jabber.ru MITM and Channel Binding is the 
solution:
- [https://notes.valdikss.org.ru/jabber.ru-mitm/]
- [https://snikket.org/blog/on-the-jabber-ru-mitm/]
- [https://www.devever.net/~hl/xmpp-incident]
- [https://blog.jmp.chat/b/certwatch]

IETF links:

SCRAM-SHA-1(-PLUS):
- RFC5802: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms: [https://tools.ietf.org/html/rfc5802] // July 2010
- RFC6120: Extensible Messaging and Presence Protocol (XMPP): Core: [https://tools.ietf.org/html/rfc6120] // March 2011

SCRAM-SHA-256(-PLUS):
- RFC7677: SCRAM-SHA-256 and SCRAM-SHA-256-PLUS Simple Authentication and Security Layer (SASL) Mechanisms: [https://tools.ietf.org/html/rfc7677] // 2015-11-02
- RFC8600: Using Extensible Messaging and Presence Protocol (XMPP) for Security Information Exchange: [https://tools.ietf.org/html/rfc8600] // 2019-06-21: [https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA]

SCRAM-SHA-512(-PLUS):
- [https://tools.ietf.org/html/draft-melnikov-scram-sha-512]

SCRAM-SHA3-512(-PLUS):
- [https://tools.ietf.org/html/draft-melnikov-scram-sha3-512]

SCRAM BIS: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms:
- [https://tools.ietf.org/html/draft-melnikov-scram-bis]

-PLUS variants:
- RFC5056: On the Use of Channel Bindings to Secure Channels: [https://tools.ietf.org/html/rfc5056] // November 2007
- RFC5929: Channel Bindings for TLS: [https://tools.ietf.org/html/rfc5929] // July 2010
- Channel-Binding Types: [https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml]
- RFC9266: Channel Bindings for TLS 1.3: [https://tools.ietf.org/html/rfc9266] // July 2022

IMAP:
- RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: [https://tools.ietf.org/html/rfc9051] // August 2021

LDAP:
- RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted Challenge Response Authentication Mechanism (SCRAM) Secrets: [https://tools.ietf.org/html/rfc5803] // July 2010

HTTP:
- RFC7804: Salted Challenge Response HTTP Authentication Mechanism: [https://tools.ietf.org/html/rfc7804] // March 2016

JMAP:
- RFC8621: The JSON Meta Application Protocol (JMAP) for Mail: [https://tools.ietf.org/html/rfc8621] // August 2019

2FA:
- Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: [https://tools.ietf.org/html/draft-ietf-kitten-scram-2fa]

Thanks in advance.

Linked to:
- [https://github.com/scram-sasl/info/issues/1]

Note: This ticket can be for other Apache projects too.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
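As an added illustration of what the -PLUS variants requested in this ticket bind to (example code, not Kafka's and not the reporter's): a minimal SCRAM-SHA-256-PLUS exchange with a tls-exporter channel binding, where client and server each take the exporter value from their own TLS session, so a proof relayed through a TLS-terminating intermediary fails to verify. All values (password, salt, nonces, exporter bytes) are constructed; a real endpoint obtains the 32 exporter bytes from its TLS library using the RFC 9266 label "EXPORTER-Channel-Binding" with an empty context.

```python
import base64, hashlib, hmac
# Constructed sample values (not from the ticket). A real endpoint takes the 32
# exporter bytes from its own TLS library (RFC 9266), never from the peer.
PASSWORD, SALT, ITERATIONS = b"pencil", b"constructed-salt", 4096
CLIENT_NONCE = "rOprNGfwEbeRWgbNEkqO"
SERVER_NONCE = CLIENT_NONCE + "%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0"
GS2_HEADER = "p=tls-exporter,,"  # "p=": client requires binding, type tls-exporter

def scram_keys(password, salt, iterations):
    # RFC 5802 / RFC 7677 derivation; the server stores only StoredKey.
    salted = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    return client_key, hashlib.sha256(client_key).digest()

def cb_attribute(exporter):
    # c= attribute of client-final: base64(gs2-header || cb-data), RFC 5802 sec. 7
    return base64.b64encode(GS2_HEADER.encode() + exporter).decode()

def messages(exporter):
    client_first_bare = f"n=user,r={CLIENT_NONCE}"
    server_first = f"r={SERVER_NONCE},s={base64.b64encode(SALT).decode()},i={ITERATIONS}"
    final_no_proof = f"c={cb_attribute(exporter)},r={SERVER_NONCE}"
    return client_first_bare, server_first, final_no_proof

def client_final(exporter):
    # Client binds its proof to the exporter value of ITS OWN TLS session.
    cfb, sf, final_no_proof = messages(exporter)
    auth_message = f"{cfb},{sf},{final_no_proof}".encode()
    client_key, stored_key = scram_keys(PASSWORD, SALT, ITERATIONS)
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))
    return f"{final_no_proof},p={base64.b64encode(proof).decode()}"

def server_verify(client_final_msg, server_exporter):
    # Server rebuilds AuthMessage from the exporter of ITS OWN TLS session, so a
    # proof made over a different TLS session (e.g. via an intermediary) fails.
    cfb, sf, expected_no_proof = messages(server_exporter)
    received_no_proof, _, proof_b64 = client_final_msg.rpartition(",p=")
    if received_no_proof != expected_no_proof:  # RFC 5802 5.1: server MUST check c=
        return False
    auth_message = f"{cfb},{sf},{expected_no_proof}".encode()
    _, stored_key = scram_keys(PASSWORD, SALT, ITERATIONS)
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    client_key = bytes(a ^ b for a, b in zip(base64.b64decode(proof_b64), client_sig))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)

if __name__ == "__main__":
    exporter = bytes(range(32))  # constructed exporter value
    print(server_verify(client_final(exporter), exporter))   # True: same TLS session
    print(server_verify(client_final(exporter), bytes(32)))  # False: different session
```

Without the p= gs2 flag and the c= check, a plain SCRAM-SHA-256 proof verifies identically on either side of an intermediary, which is the gap the -PLUS variants close.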