Thilo Molitor <thilo(a)eightysoft.de> writes:
> Hi Daniel.
> To put what you wrote into actionable terms for
> the client developer:
> "If a client sees that the server has 0440 support it MUST set
> the 'y' flag regardless of the concrete binding mechanisms announced
> by the server"
>
> Is this a correct summary of what you wrote?
> No, no. Let's try to explain it from
> the client developer perspective.
> As a client developer, do the following:
> 0) Servers MUST implement tls-server-end-point and enable/advertise it.
> Clients SHOULD implement tls-server-end-point and use it if no other
> (stronger) channel-binding method is supported by both sides.
I think that would be horrible advice these days -- the
tls-server-end-point gives a false sense of security and has been known
to be sub-optimal for years.  It would be similar to urging people to
implement 3DES or RC4 for TLS as a MUST.  There is no fatal attack for
those either, but the collective wisdom is "don't use them".
I suggest mandating tls-exporter from RFC 9266.  I believe any
deployment that cannot support this is better off not supporting
channel bindings at all, because doing so just adds complexity and
attack surface and end-user confusion ("oh nice I have a channel
binding!") for little gain.
/Simon
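Added example, not part of this thread: the tls-exporter channel binding of RFC 9266 derived with the TLS 1.3 exporter construction (RFC 8446), placed beside the tls-server-end-point binding of RFC 5929 and fed into SCRAM's c= attribute. The exporter master secrets and certificate bytes are constructed placeholders; a real client obtains the exporter value from its TLS library rather than from the master secret.

```python
import base64
import hashlib
import hmac
import struct

# TLS 1.3 key-derivation primitives (RFC 8446, Section 7.1) for a SHA-256 cipher suite.
HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label: info is the HkdfLabel struct (uint16 length, "tls13 " + label, context)."""
    full_label = b"tls13 " + label
    info = struct.pack("!H", length) + bytes([len(full_label)]) + full_label
    info += bytes([len(context)]) + context
    return hkdf_expand(secret, info, length)

def tls13_exporter(exporter_master_secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """TLS-Exporter (RFC 8446, Section 7.5): Derive-Secret(Secret, label, ""), then expand with "exporter"."""
    derived = hkdf_expand_label(exporter_master_secret, label, HASH(b"").digest(), HASH_LEN)
    return hkdf_expand_label(derived, b"exporter", HASH(context).digest(), length)

def tls_exporter_channel_binding(exporter_master_secret: bytes) -> bytes:
    """RFC 9266: label "EXPORTER-Channel-Binding", empty context, 32 bytes; unique per TLS session."""
    return tls13_exporter(exporter_master_secret, b"EXPORTER-Channel-Binding", b"", 32)

def tls_server_end_point_channel_binding(cert_der: bytes) -> bytes:
    """RFC 5929 tls-server-end-point: a hash of the certificate alone (SHA-256 assumed here), so the same for every session presenting that certificate."""
    return hashlib.sha256(cert_der).digest()

def scram_channel_binding_attribute(cb_name: str, cb_data: bytes, authzid: str = "") -> str:
    """SCRAM "c=" attribute (RFC 5802) for a -PLUS mechanism: base64(gs2-header || cb-data)."""
    gs2_header = f"p={cb_name},{authzid},".encode()
    return base64.b64encode(gs2_header + cb_data).decode()

if __name__ == "__main__":
    # Constructed placeholders: two TLS sessions to a server presenting one certificate.
    a, b, cert = b"\x01" * 32, b"\x02" * 32, b"constructed certificate DER"
    print("end-point binding same for both sessions:", tls_server_end_point_channel_binding(cert) == tls_server_end_point_channel_binding(cert))
    print("exporter binding differs per session:", tls_exporter_channel_binding(a) != tls_exporter_channel_binding(b))
    print("c=", scram_channel_binding_attribute("tls-exporter", tls_exporter_channel_binding(a)))
```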