aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2020-05-18 17:59:18 +0200
committerDaniel Stenberg <daniel@haxx.se>2020-05-18 17:59:18 +0200
commit5646e563aeb37e0ffdfbb7f8c4faf2455056e8a9 (patch)
tree96c51ab6d84a7a8e0287277e0e0ba58d73c6f2f0
parent17b1405b20f7ea916995c224992b0ec592f73039 (diff)
TODO: forbid TLS post-handshake auth and do TLS record padding
Closes #5396 Closes #5398
-rw-r--r--docs/TODO31
1 files changed, 24 insertions, 7 deletions
diff --git a/docs/TODO b/docs/TODO
index 68b8faa62..e6d209bc9 100644
--- a/docs/TODO
+++ b/docs/TODO
@@ -109,9 +109,11 @@
13.6 Provide callback for cert verification
13.7 improve configure --with-ssl
13.8 Support DANE
+ 13.9 TLS record padding
13.10 Support Authority Information Access certificate extension (AIA)
13.11 Support intermediate & root pinning for PINNEDPUBLICKEY
13.12 Support HSTS
+ 13.13 Make sure we forbid TLS 1.3 post-handshake authentication
13.14 Support the clienthello extension
14. GnuTLS
@@ -744,6 +746,14 @@ that doesn't exist on the server, just like --ftp-create-dirs.
Björn Stenberg wrote a separate initial take on DANE that was never
completed.
+13.9 TLS record padding
+
+ TLS (1.3) offers optional record padding and OpenSSL provides an API for it.
+ I could make sense for libcurl to offer this ability to applications to make
+ traffic patterns harder to figure out by network traffic observers.
+
+ See https://github.com/curl/curl/issues/5398
+
13.10 Support Authority Information Access certificate extension (AIA)
AIA can provide various things like CRLs but more importantly information
@@ -759,23 +769,30 @@ that doesn't exist on the server, just like --ftp-create-dirs.
CURLOPT_PINNEDPUBLICKEY does not consider the hashes of intermediate & root
certificates when comparing the pinned keys. Therefore it is not compatible
- with "HTTP Public Key Pinning" as there also intermediate and root certificates
- can be pinned. This is very useful as it prevents webadmins from "locking
- themself out of their servers".
+ with "HTTP Public Key Pinning" as there also intermediate and root
+ certificates can be pinned. This is very useful as it prevents webadmins from
+ "locking themself out of their servers".
- Adding this feature would make curls pinning 100% compatible to HPKP and allow
- more flexible pinning.
+ Adding this feature would make curls pinning 100% compatible to HPKP and
+ allow more flexible pinning.
13.12 Support HSTS
"HTTP Strict Transport Security" is TOFU (trust on first use), time-based
features indicated by a HTTP header send by the webserver. It is widely used
- in browsers and it's purpose is to prevent insecure HTTP connections after
- a previous HTTPS connection. It protects against SSLStripping attacks.
+ in browsers and it's purpose is to prevent insecure HTTP connections after a
+ previous HTTPS connection. It protects against SSLStripping attacks.
Doc: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
RFC 6797: https://tools.ietf.org/html/rfc6797
+13.13 Make sure we forbid TLS 1.3 post-handshake authentication
+
+ RFC 8740 explains how using HTTP/2 must forbid the use of TLS 1.3
+ post-handshake authentication. We should make sure to live up to that.
+
+ See https://github.com/curl/curl/issues/5396
+
13.14 Support the clienthello extension
Certain stupid networks and middle boxes have a problem with SSL handshake