RFC 9266: Channel Bindings for TLS 1.3 support

[Neustradamus]

Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?

• https://datatracker.ietf.org/doc/html/rfc9266

Little details, to know easily:

• tls-unique for TLS =< 1.2
• tls-exporter for TLS = 1.3

Thanks in advance.

[simo5]

NTLMSSP like any other GSSAPI mechanism is completely oblivious to what data is passed in the gss_channel_bindings_t structure. The spec just indicates what applications should use.

Is there any change to the structure of gss_channel_bindings_t I missed?

[filipnavara]

After reading the specification and looking into the implementations yesterday I agree with @simo5's conclusion that there's no change necessary in any GSSAPI mechanism. The GSSAPI mechanisms simply runs a hash function on the opaque data supplied by the application.

A good self-contained example of how the whole flow works is PSOpenAD project which calls GSSAPI. It has the code to calculate the channel binding which is then wrapped into gss_channel_bindings_t and passed to GSSAPI.

[simo5]

Ok, not a bug or feature then.