[ https://issues.apache.org/jira/browse/KAFKA-15855?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Greg Harris updated KAFKA-15855:
--------------------------------
    Component/s: KafkaConnect
                     (was: connect)

> RFC 9266: Channel Bindings for TLS 1.3 support | SCRAM-SHA-*-PLUS variants
> --------------------------------------------------------------------------
>
>                 Key: KAFKA-15855
>                 URL: https://issues.apache.org/jira/browse/KAFKA-15855
>             Project: Kafka
>          Issue Type: Bug
>          Components: core, KafkaConnect, security
>            Reporter: Neustradamus
>            Priority: Critical
>              Labels: security
>
> Dear Apache, and Kafka teams,
>
> Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?
> - [https://datatracker.ietf.org/doc/html/rfc9266]
>
> Little details, to know easily:
> - tls-unique for TLS <= 1.2
> - tls-server-end-point
> - tls-exporter for TLS = 1.3
>
> It is needed for SCRAM-SHA-*-PLUS variants.
>
> Note: Some SCRAM-SHA are already supported.
>
> I think that you have seen the jabber.ru MITM and Channel Binding is the solution:
> - [https://notes.valdikss.org.ru/jabber.ru-mitm/]
> - [https://snikket.org/blog/on-the-jabber-ru-mitm/]
> - [https://www.devever.net/~hl/xmpp-incident]
> - [https://blog.jmp.chat/b/certwatch]
>
> IETF links:
>
> SCRAM-SHA-1(-PLUS):
> - RFC5802: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms: [https://tools.ietf.org/html/rfc5802] // July 2010
> - RFC6120: Extensible Messaging and Presence Protocol (XMPP): Core: [https://tools.ietf.org/html/rfc6120] // March 2011
>
> SCRAM-SHA-256(-PLUS):
> - RFC7677: SCRAM-SHA-256 and SCRAM-SHA-256-PLUS Simple Authentication and Security Layer (SASL) Mechanisms: [https://tools.ietf.org/html/rfc7677] // 2015-11-02
> - RFC8600: Using Extensible Messaging and Presence Protocol (XMPP) for Security Information Exchange: [https://tools.ietf.org/html/rfc8600] // 2019-06-21: [https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA]
>
> SCRAM-SHA-512(-PLUS):
> - [https://tools.ietf.org/html/draft-melnikov-scram-sha-512]
>
> SCRAM-SHA3-512(-PLUS):
> - [https://tools.ietf.org/html/draft-melnikov-scram-sha3-512]
>
> SCRAM BIS: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms:
> - [https://tools.ietf.org/html/draft-melnikov-scram-bis]
>
> -PLUS variants:
> - RFC5056: On the Use of Channel Bindings to Secure Channels: [https://tools.ietf.org/html/rfc5056] // November 2007
> - RFC5929: Channel Bindings for TLS: [https://tools.ietf.org/html/rfc5929] // July 2010
> - Channel-Binding Types: [https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml]
> - RFC9266: Channel Bindings for TLS 1.3: [https://tools.ietf.org/html/rfc9266] // July 2022
>
> IMAP:
> - RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: [https://tools.ietf.org/html/rfc9051] // August 2021
>
> LDAP:
> - RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted Challenge Response Authentication Mechanism (SCRAM) Secrets: [https://tools.ietf.org/html/rfc5803] // July 2010
>
> HTTP:
> - RFC7804: Salted Challenge Response HTTP Authentication Mechanism: [https://tools.ietf.org/html/rfc7804] // March 2016
>
> JMAP:
> - RFC8621: The JSON Meta Application Protocol (JMAP) for Mail: [https://tools.ietf.org/html/rfc8621] // August 2019
>
> 2FA:
> - Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: [https://tools.ietf.org/html/draft-ietf-kitten-scram-2fa]
>
> Thanks in advance.
>
> Linked to:
> - [https://github.com/scram-sasl/info/issues/1]
>
> Note: This ticket can be for other Apache projects too.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
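The mechanism the ticket asks for, as an added example that is neither part of the ticket nor of Kafka's code base: the RFC 9266 "tls-exporter" channel binding derived from a TLS 1.3 exporter master secret (the secrets below are constructed stand-ins, since the real one lives inside the TLS stack; a SHA-256 cipher suite is assumed), carried in the SCRAM-PLUS `c=` attribute, and checked by the server. It shows why a relaying MITM of the jabber.ru kind cannot forward the authentication across two separate TLS sessions: the two sessions export different bindings.

```python
import base64
import hashlib
import hmac
import struct

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """RFC 8446 section 7.1: HkdfLabel = uint16 length || "tls13 " + label || context."""
    full_label = b"tls13 " + label
    info = struct.pack("!H", length) + bytes([len(full_label)]) + full_label + bytes([len(context)]) + context
    return hkdf_expand(secret, info, length)

def tls_exporter_binding(exporter_master_secret: bytes) -> bytes:
    """RFC 9266 "tls-exporter": TLS 1.3 exporter (RFC 8446 section 7.5) with label
    "EXPORTER-Channel-Binding", empty context, 32 bytes; the secret is the session's
    exporter_master_secret that a TLS 1.3 stack derives (SHA-256 cipher suite assumed)."""
    empty_hash = hashlib.sha256(b"").digest()  # Transcript-Hash("") and Hash("") coincide
    derived = hkdf_expand_label(exporter_master_secret, b"EXPORTER-Channel-Binding", empty_hash, 32)
    return hkdf_expand_label(derived, b"exporter", empty_hash, 32)

GS2_HEADER = b"p=tls-exporter,,"  # RFC 5802 gs2-header: client uses channel binding, no authzid
def scram_channel_binding_attr(cb_data: bytes) -> str:
    """The 'c=' attribute of the SCRAM client-final-message: base64(gs2-header || cb-data)."""
    return "c=" + base64.b64encode(GS2_HEADER + cb_data).decode("ascii")

def server_verifies_binding(c_attr: str, server_exporter_secret: bytes) -> bool:
    """Server recomputes the binding from its own TLS session and compares. In full SCRAM the
    c= value is also covered by the ClientProof, so a mismatch surfaces as a failed proof."""
    expected = GS2_HEADER + tls_exporter_binding(server_exporter_secret)
    return hmac.compare_digest(base64.b64decode(c_attr[2:]), expected)

# Constructed stand-in secrets, not real TLS output. Direct connection: one TLS session, so
# client and server share the exporter secret. Relaying MITM: two distinct TLS sessions.
DIRECT_SECRET = hashlib.sha256(b"constructed client<->server session").digest()
MITM_CLIENT_SIDE = hashlib.sha256(b"constructed client<->attacker session").digest()
MITM_SERVER_SIDE = hashlib.sha256(b"constructed attacker<->server session").digest()

def demo() -> tuple:
    """(direct_ok, relayed_ok): the binding verifies end to end and fails through a relay."""
    direct = server_verifies_binding(scram_channel_binding_attr(tls_exporter_binding(DIRECT_SECRET)), DIRECT_SECRET)
    relayed = server_verifies_binding(scram_channel_binding_attr(tls_exporter_binding(MITM_CLIENT_SIDE)), MITM_SERVER_SIDE)
    return direct, relayed  # (True, False)
```

The "tls-server-end-point" type the ticket also lists instead hashes the server's end-entity certificate (RFC 5929), so it survives TLS resumption but not a certificate mis-issued to the attacker, which is why RFC 9266 makes tls-exporter the default for TLS 1.3.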