  1. Kafka
  2. KAFKA-15855

RFC 9266: Channel Bindings for TLS 1.3 support | SCRAM-SHA-*-PLUS variants

Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: connect, core, security
    • Labels: Important

    Description

      Dear Apache and Kafka teams,

      Can you add support for RFC 9266: Channel Bindings for TLS 1.3?

      A few details, for quick reference:

      • tls-unique for TLS <= 1.2
      • tls-server-end-point
      • tls-exporter for TLS = 1.3

      It is needed for the SCRAM-SHA-*-PLUS variants.
      Note: Some SCRAM-SHA mechanisms are already supported.

      I think that you have seen the jabber.ru MITM and Channel Binding is the solution:

      IETF links:

      SCRAM-SHA-1(-PLUS):

      SCRAM-SHA-256(-PLUS):

      SCRAM-SHA-512(-PLUS):

      SCRAM-SHA3-512(-PLUS):

      SCRAM BIS: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms:

      -PLUS variants:

      IMAP:

      LDAP:

      • RFC 5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803 // July 2010

      HTTP:

      JMAP:

      2FA:

      Thanks in advance.

      Linked to:

      Note: This ticket can be for other Apache projects too.

          People

            Assignee: Unassigned
            Reporter: Neustradamus
            Votes: 0
            Watchers: 1

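Added example, not part of the ticket or of Kafka's code: how a SCRAM-SHA-*-PLUS server uses the `c=` attribute (RFC 5802) with `tls-server-end-point` (RFC 5929) or `tls-exporter` (RFC 9266) to notice that the client's TLS session does not terminate at the server. Certificates, exporter values, the nonce and all function names are constructed for illustration; the proof computation is omitted.

```python
import base64
import hashlib
import hmac

def tls_server_end_point(cert_der: bytes, sig_hash: str = "sha256") -> bytes:
    # RFC 5929: hash the server certificate with its signature hash,
    # substituting SHA-256 when that hash is MD5 or SHA-1.
    name = "sha256" if sig_hash.lower() in ("md5", "sha1") else sig_hash
    return hashlib.new(name, cert_der).digest()

def scram_c_attribute(cb_type: str, cb_data: bytes) -> str:
    # RFC 5802: c= carries base64(gs2-header || channel-binding data).
    # No authzid is used here, so the gs2-header is "p=<type>,,".
    gs2_header = f"p={cb_type},,".encode("ascii")
    return "c=" + base64.b64encode(gs2_header + cb_data).decode("ascii")

def client_final_without_proof(cb_type: str, client_cb_data: bytes) -> str:
    # Built by the client from the TLS session it actually sees.
    return f"{scram_c_attribute(cb_type, client_cb_data)},r=constructedNonce123"

def server_accepts(client_final: str, cb_type: str, server_cb_data: bytes) -> bool:
    # The server rebuilds c= from its own TLS session and compares.
    # c= is also part of AuthMessage, so the ClientProof covers it and
    # a relay cannot rewrite it without knowing the password.
    received = client_final.split(",", 1)[0]
    expected = scram_c_attribute(cb_type, server_cb_data)
    return hmac.compare_digest(received, expected)

# Constructed sample data (placeholders, not real DER or real exporter output).
SERVER_CERT = b"constructed DER bytes: genuine server certificate"
RELAY_CERT = b"constructed DER bytes: certificate shown by an interceptor"
# RFC 9266: tls-exporter is 32 bytes exported per TLS connection with the
# label "EXPORTER-Channel-Binding", so two relayed legs yield two values.
EXPORTER_CLIENT_LEG = hashlib.sha256(b"constructed: client-to-relay session").digest()
EXPORTER_SERVER_LEG = hashlib.sha256(b"constructed: relay-to-server session").digest()

def run_scenarios() -> dict:
    real = tls_server_end_point(SERVER_CERT)
    seen_via_relay = tls_server_end_point(RELAY_CERT)
    ep, ex = "tls-server-end-point", "tls-exporter"
    return {
        "end-point direct": server_accepts(client_final_without_proof(ep, real), ep, real),
        "end-point relayed": server_accepts(client_final_without_proof(ep, seen_via_relay), ep, real),
        "exporter direct": server_accepts(client_final_without_proof(ex, EXPORTER_SERVER_LEG), ex, EXPORTER_SERVER_LEG),
        "exporter relayed": server_accepts(client_final_without_proof(ex, EXPORTER_CLIENT_LEG), ex, EXPORTER_SERVER_LEG),
    }

if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```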