Expose the RFC 9266 tls-exporter channel binding via TlsInfo#3048
Open
mike-marcacci wants to merge 2 commits into
Open
Expose the RFC 9266 tls-exporter channel binding via TlsInfo#3048mike-marcacci wants to merge 2 commits into
mike-marcacci wants to merge 2 commits into
Conversation
Adds `TlsInfo::tls_exporter()`, returning the RFC 9266 tls-exporter channel binding for a connection (the TLS exporter with label EXPORTER-Channel-Binding, empty context, 32 bytes). The channel binding lets applications cryptographically tie higher-layer authentication to the underlying TLS session to detect a man-in-the-middle that terminates and re-originates TLS, etc. This change simply exposes the value that `rustls` already computes. A few caveats: - Populated for the rustls backend; None for native-tls (no keying-material export is exposed). - Gated to TLS 1.3. The exporter is only sound for channel binding on TLS 1.3 or TLS 1.2 with Extended Master Secret (RFC 7627), and the state of EMS cannot be known here. This returns None on anything below 1.3 rather than risk handing back a potentially unsound `Some(_)`.
cpu
reviewed
Jun 5, 2026
The previous name was imprecise and implied the general keying- material exporter. However, it's not possible to expose this without a more substantial refactor, since TlsInfo is detached from the live connection. This change clarifies the limited behavior actually implemented.
Author
|
I want to elaborate on the TLS 1.3+ decision. I'm not particularly experienced in the underlying details of the various TLS versions, but here's my general understanding:
The approach I took here avoids ever returning an unsound value. However, I want to highlight that even when a sound value was used in TLS 1.2 with EMS, I believe this is the right approach. |
Author
|
I submitted an upstream PR to rustls to expose the EMS state, which would allow safe channel binding under TLS 1.2 with EMS: the |
mike-marcacci
added a commit
to eidola-ai/eidola
that referenced
this pull request
Jun 5, 2026
This is an initial draft implementing [a proposed improvement to tinfoil's attestation](tinfoilsh/cvmimage#160). This depends on an [upstream improvement to reqwest](seanmonstar/reqwest#3048) which could be further improved by [an improvement to rustls](rustls/rustls#3083).
mike-marcacci
added a commit
to eidola-ai/eidola
that referenced
this pull request
Jun 6, 2026
This is an initial draft implementing [a proposed improvement to tinfoil's attestation](tinfoilsh/cvmimage#160). This depends on an [upstream improvement to reqwest](seanmonstar/reqwest#3048) which could be further improved by [an improvement to rustls](rustls/rustls#3083).
mike-marcacci
added a commit
to eidola-ai/rustls
that referenced
this pull request
Jun 10, 2026
Adds `ConnectionOutputs::extended_master_secret() -> Option<bool>`, reporting whether the Extended Master Secret extension (RFC 7627) was negotiated. A TLS exporter is only a sound channel binding (RFC 9266 tls-exporter) on TLS 1.3, or on TLS 1.2 with Extended Master Secret; without EMS the TLS 1.2 exporter is vulnerable to the triple-handshake attack. Currently, rustls exposes the exporter and protocol_version(), but not EMS status, so a caller doing channel binding currently has no way to tell whether a TLS 1.2 exporter is safe to use. See [this concrete use case in reqwest](seanmonstar/reqwest#3048).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds
TlsInfo::tls_exporter_channel_binding(), returning the RFC 9266 tls-exporter channel binding for a connection (the TLS exporter with label EXPORTER-Channel-Binding, empty context, 32 bytes).The channel binding lets applications cryptographically tie higher-layer authentication to the underlying TLS session to detect a man-in-the-middle that terminates and re-originates TLS, etc. This change simply exposes the value that
rustlsalready computes.A few caveats:
Nonefor native-tls (no keying-material export is exposed).Noneon anything below 1.3 rather than risk handing back a potentially unsoundSome(_).