From: brian m. carlson Date: Tue, 18 Jun 2024 08:29:43 +0000 (+0200) Subject: TODO: TLS channel binding X-Git-Tag: curl-8_9_0~223 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=04739054cdac5a0614fb94e3655e313c03399f35;p=thirdparty%2Fcurl.git TODO: TLS channel binding Closes #13483 --- diff --git a/docs/TODO b/docs/TODO index 1faedde4a2..4bf0508107 100644 --- a/docs/TODO +++ b/docs/TODO @@ -111,6 +111,7 @@ 13. TLS 13.1 TLS-PSK with OpenSSL + 13.2 TLS channel binding 13.3 Defeat TLS fingerprinting 13.5 Export session ids 13.6 Provide callback for cert verification @@ -784,6 +785,23 @@ https://github.com/curl/curl/issues/5081 +13.2 TLS channel binding + + TLS 1.2 and 1.3 provide the ability to extract some secret data from the TLS + connection and use it in the client request (usually in some sort of + authentication) to ensure that the data sent is bound to the specific TLS + connection and cannot be successfully intercepted by a proxy. This + functionality can be used in a standard authentication mechanism such as + GSS-API or SCRAM, or in custom approaches like custom HTTP Authentication + headers. + + For TLS 1.2, the binding type is usually tls-unique, and for TLS 1.3 it is + tls-exporter. + + https://datatracker.ietf.org/doc/html/rfc5929 + https://datatracker.ietf.org/doc/html/rfc9266 + https://github.com/curl/curl/issues/9226 + 13.3 Defeat TLS fingerprinting By changing the order of TLS extensions provided in the TLS handshake, it is
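Review bot: after the first hunk inserts "13.2 TLS channel binding", the table of contents still jumps from "13.3 Defeat TLS fingerprinting" straight to "13.5 Export session ids", so the 13.4 gap remains; if the numbering in this section is being touched anyway, either close the gap or leave a note that 13.4 is intentionally left unused, otherwise the next person adding an item will have to guess.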
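Review bot: the sentence in the new 13.2 text that ends "cannot be successfully intercepted by a proxy" overstates what channel binding gives you; the hunk's own wording that the data is "bound to the specific TLS connection" describes a detection property (the server can tell the authentication was produced over a different TLS connection, such as one terminated by an intercepting proxy), not a guarantee that interception fails, so suggest rewording along the lines of "so that authentication data relayed through a TLS-terminating intermediary is rejected by the server". The entry also lists the binding types and the RFCs but says nothing about what curl itself would have to provide, which is the part a TODO item should spell out: a way for the application to retrieve the tls-unique or tls-exporter value for the current connection, and which TLS backends are able to supply it.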