On 1/11/24 10:37, Dave Cridland wrote:
> On Thu, 11 Jan 2024 at 12:39, Holger Weiß <[email protected]> wrote:
> > * Simon Josefsson <[email protected]> [2024-01-11 13:10]:
> > > I believe tls-server-end-point is generally best left unimplemented to
> > > guide efforts towards supporting the stronger tls-exporter.
> >
> > One use case I see for tls-server-end-point is that it allows for
> > supporting channel binding by setups where TLS is terminated by some
> > reverse proxy, thereby protecting against _some_ but not all attack
> > vectors that tls-exporter protects against.
>
> I'm pretty sure this was a key reason we picked the approach. If TLS is
> terminated before the server ever sees it, the server can still be
> configured to handle tls-server-end-point.
Also the TLS terminating proxy can pass the required secrets for "real channel binding" to the backend XMPP server via extensions to the PROXY protocol. I plan on adding support for this to xmpp-proxy soon.
_______________________________________________
Standards mailing list -- [email protected]
To unsubscribe send an email to [email protected]
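The thread above turns on why tls-server-end-point still works when a reverse proxy terminates TLS: per RFC 5929 section 4.1 the binding is just a hash of the server certificate's DER encoding (using the digest named by the certificate's signature algorithm, with MD5 and SHA-1 replaced by SHA-256), so the backend needs nothing from the TLS session beyond the certificate file. That is also why it binds the client only to the certificate, not to the particular TLS connection, which is the gap tls-exporter closes. The following is an added example, not code from the thread, xmpp-proxy or any of the projects mentioned; it computes the binding with a minimal DER walker and stdlib hashlib over a constructed certificate-shaped skeleton (not a valid X.509 certificate), and the OID table covers the common RSA and ECDSA signature algorithms only.

```python
"""tls-server-end-point channel binding as defined in RFC 5929 section 4.1.

Added example (not code from the thread): the binding is a hash of the
server certificate's DER encoding, using the hash named by the cert's
signatureAlgorithm, with MD5 and SHA-1 replaced by SHA-256. Only the
certificate is needed, which is why a backend behind a TLS-terminating
proxy can compute it; it does not bind to the TLS session itself.
"""
import hashlib

# Signature-algorithm OID -> digest named in the algorithm (well-known OIDs).
SIG_ALG_HASH = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Turn the contents of a DER OBJECT IDENTIFIER into dotted notation."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Extract Certificate.signatureAlgorithm.algorithm from DER (RFC 5280)."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # tbsCertificate (skipped)
    _, alg_id, _ = _read_tlv(cert, pos)     # signatureAlgorithm ::= AlgorithmIdentifier
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def binding_hash_name(oid):
    """RFC 5929 4.1: use the signature's hash, except MD5/SHA-1 -> SHA-256."""
    name = SIG_ALG_HASH.get(oid)
    if name is None:
        raise ValueError(f"no channel-binding hash rule for OID {oid}")
    return "sha256" if name in ("md5", "sha1") else name


def tls_server_end_point(cert_der):
    """Channel-binding data: hash of the whole DER-encoded certificate."""
    digest = binding_hash_name(signature_algorithm_oid(cert_der))
    return hashlib.new(digest, cert_der).digest()


# --- constructed sample input (NOT a valid X.509 certificate) ----------------
def _der(tag, body):
    """Minimal DER encoder, short-form length only (enough for the samples)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body


def build_sample_cert(sig_oid_der):
    """Certificate-shaped DER skeleton with a placeholder tbsCertificate."""
    tbs = _der(0x30, _der(0x02, b"\x02"))                        # stand-in body
    alg = _der(0x30, _der(0x06, sig_oid_der) + _der(0x05, b""))  # OID + NULL params
    sig = _der(0x03, b"\x00" + b"\xaa" * 8)                      # fake BIT STRING
    return _der(0x30, tbs + alg + sig)


OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
OID_ECDSA_SHA384 = bytes.fromhex("2a8648ce3d040303")  # 1.2.840.10045.4.3.3

if __name__ == "__main__":
    for label, oid_der in (("sha256WithRSA", OID_SHA256_RSA),
                           ("sha1WithRSA", OID_SHA1_RSA),
                           ("ecdsa-with-SHA384", OID_ECDSA_SHA384)):
        cert = build_sample_cert(oid_der)
        print(f"{label:18} -> {binding_hash_name(signature_algorithm_oid(cert))}:",
              tls_server_end_point(cert).hex())
```

On a real deployment the input to tls_server_end_point is the DER of the certificate the proxy actually presents to clients, so the backend must be handed the same certificate the proxy serves (and re-read it on rotation); a mismatch makes every SCRAM-PLUS authentication fail rather than silently weaken it. Nothing here needs the TLS master secret or exporter interface, which is exactly why the binding survives proxy termination and also why it cannot detect a session-level relay by someone who obtained the same certificate's private key or a valid certificate for the same name.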
