On Thu, 11 Jan 2024 at 12:39, Holger Weiß <holger(a)zedat.fu-berlin.de> wrote:
* Simon Josefsson <simon(a)josefsson.org> [2024-01-11 13:10]:
I believe tls-server-end-point is generally best left unimplemented to
guide efforts towards supporting the stronger tls-exporter.
One use case I see for tls-server-end-point is that it allows for
supporting channel binding by setups where TLS is terminated by some
reverse proxy, thereby protecting against _some_ but not all attack
vectors that tls-exporter protects against.
I'm pretty sure this was a key reason we picked the approach. If TLS is
terminated before the server ever sees it, the server can still be
configured to handle tls-server-end-point.
Also, the TLS-terminating proxy can pass the required secrets for "real
channel binding" to the backend XMPP server via extensions to the PROXY
protocol. I plan on adding support for this to xmpp-proxy soon.
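The distinction the thread turns on, shown as an added example (not code from this thread, from ejabberd or from xmpp-proxy): a backend behind a TLS-terminating proxy can compute tls-server-end-point from the certificate copy it already holds, while tls-exporter exists only if the proxy forwards the session's exporter value. The function names, the sample certificate bytes and the sample exporter value are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

# RFC 5929 section 4.1: tls-server-end-point is the hash of the server's
# certificate, using the hash of the certificate's signature algorithm,
# except that MD5 and SHA-1 are replaced by SHA-256.
def tls_server_end_point(cert_der: bytes, sig_hash: str) -> bytes:
    name = sig_hash.lower().replace("-", "")
    if name in ("md5", "sha1"):
        name = "sha256"
    return hashlib.new(name, cert_der).digest()

# What a backend behind a TLS-terminating proxy can compute on its own: it
# holds a copy of the certificate the proxy presents, so tls-server-end-point
# needs nothing from the TLS session. tls-exporter (RFC 9266) is derived from
# the session's exporter keying material, which only the proxy has; the
# backend can use it only if the proxy forwards it (e.g. via a PROXY protocol
# extension, as the thread proposes). Returns None when it is unavailable.
def server_channel_binding(cb_type, cert_der, sig_hash, exporter_cb=None):
    if cb_type == "tls-server-end-point":
        return tls_server_end_point(cert_der, sig_hash)
    if cb_type == "tls-exporter":
        return exporter_cb
    return None

# SCRAM (RFC 5802 section 7): the client sends c=base64(gs2-header || cb-data)
# in its client-final-message; the gs2-header names the binding type.
def scram_c_attribute(cb_type: str, cb_data: bytes, authzid: str = "") -> str:
    gs2_header = f"p={cb_type},{authzid},".encode()
    return "c=" + base64.b64encode(gs2_header + cb_data).decode()

# Server side: decode c= and compare it against the locally computed binding
# in constant time. expected_cb is None when the server cannot derive this
# binding type at all, so the attempt must fail rather than be skipped.
def check_scram_c(c_attr: str, cb_type: str, expected_cb, authzid="") -> bool:
    if expected_cb is None or not c_attr.startswith("c="):
        return False
    try:
        decoded = base64.b64decode(c_attr[2:], validate=True)
    except (binascii.Error, ValueError):
        return False
    expected = f"p={cb_type},{authzid},".encode() + expected_cb
    return hmac.compare_digest(decoded, expected)

# Constructed sample inputs (not a real DER certificate or real key material).
SAMPLE_CERT_DER = b"constructed-certificate-bytes"
SAMPLE_EXPORTER_CB = b"constructed-32-byte-exporter-value!!"
```

With no forwarded exporter value, `server_channel_binding("tls-exporter", ...)` yields None and every tls-exporter attempt fails `check_scram_c`, which is why a proxied deployment without the PROXY-protocol extension can only offer tls-server-end-point.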