TODO: TLS channel binding

author brian m. carlson <sandals@crustytoothpaste.net>

Tue, 18 Jun 2024 08:29:43 +0000 (10:29 +0200)

committer Daniel Stenberg <daniel@haxx.se>

Tue, 18 Jun 2024 08:30:24 +0000 (10:30 +0200)
author brian m. carlson <sandals@crustytoothpaste.net>
Tue, 18 Jun 2024 08:29:43 +0000 (10:29 +0200)
committer Daniel Stenberg <daniel@haxx.se>
Tue, 18 Jun 2024 08:30:24 +0000 (10:30 +0200)
diff --git a/docs/TODO b/docs/TODO

index 1faedde4a27e754f6f34ae9b3946ff2404d1f52f..4bf050810791ae0eef59caeb26282277800a79c5 100644 (file)
--- a/docs/TODO
+++ b/docs/TODO
@@ -111,6 +111,7 @@
  
   13. TLS
   13.1 TLS-PSK with OpenSSL
+ 13.2 TLS channel binding
   13.3 Defeat TLS fingerprinting
   13.5 Export session ids
   13.6 Provide callback for cert verification
@@ -784,6 +785,23 @@
  
   https://github.com/curl/curl/issues/5081
  
+13.2 TLS channel binding
+
+ TLS 1.2 and 1.3 provide the ability to extract some secret data from the TLS
+ connection and use it in the client request (usually in some sort of
+ authentication) to ensure that the data sent is bound to the specific TLS
+ connection and cannot be successfully intercepted by a proxy. This
+ functionality can be used in a standard authentication mechanism such as
+ GSS-API or SCRAM, or in custom approaches like custom HTTP Authentication
+ headers.
+
+ For TLS 1.2, the binding type is usually tls-unique, and for TLS 1.3 it is
+ tls-exporter.
+
+ https://datatracker.ietf.org/doc/html/rfc5929
+ https://datatracker.ietf.org/doc/html/rfc9266
+ https://github.com/curl/curl/issues/9226
+
  13.3 Defeat TLS fingerprinting
  
   By changing the order of TLS extensions provided in the TLS handshake, it is
author	brian m. carlson <sandals@crustytoothpaste.net>
	Tue, 18 Jun 2024 08:29:43 +0000 (10:29 +0200)
committer	Daniel Stenberg <daniel@haxx.se>
	Tue, 18 Jun 2024 08:30:24 +0000 (10:30 +0200)