Re: BUG #17760: SCRAM authentication fails with "modern" (rsassaPss signature) server certificate

From: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
To: Michael Paquier <michael(at)paquier(dot)xyz>
Cc: gunnar(dot)bluth(at)pro-open(dot)de, pgsql-bugs(at)lists(dot)postgresql(dot)org, Jacob Champion <jchampion(at)timescale(dot)com>
Subject: Re: BUG #17760: SCRAM authentication fails with "modern" (rsassaPss signature) server certificate
Date: 2023-02-10 14:02:31
Message-ID: fb3ac2d0-d6ce-67ff-8a4d-1993f148d9b9@iki.fi
Lists: pgsql-bugs

The new "tls-server-end-point-sha-256" channel binding type now seems
like the best approach to me, but I still wanted to reply to this:

On 09/02/2023 10:24, Michael Paquier wrote:
> But the client has the choice to decide if it wants to use channel
> binding, does it? In this case, it would send the non-PLUS mechanism
> followed by 'n' as gs2-cbind-flag, no?

No, that makes a downgrade attack possible with channel_binding=prefer.
Imagine that you have a server with a typical RSA certificate that
supports channel binding. And a client with channel_binding=prefer.
There is a Man-In-The-Middle between the client and the server. The MITM
works as a proxy, and opens two separate TLS connections: server <->
MITM and MITM <-> client. To the client, it presents a TLS server
certificate that uses 'rsassaPss'. The client connects to the MITM, sees
the rsassaPss certificate, and decides that it cannot do channel binding
because the server doesn't support it. It sends 'n' gs2-cbind-flag, and
the server happily accepts that.

Currently, such a downgrade attack is not possible. If client and server
both support channel binding, it will be used. If a MITM tries to modify
the SASL mechanism list, leaving out SCRAM-SHA-256-PLUS, the client will
use gs2-cbind-flag='y' which notifies the server that the mechanism list
was modified, and the server will fail the authentication. And if the
MITM doesn't change the negotiation, then channel binding will be used,
and the authentication will fail because the client and server will
compute a different server certificate hash.

There is no way for the client to tell the server "I support channel
binding in general, but not with this server certificate".

- Heikki
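The three cases Heikki walks through (a MITM that strips SCRAM-SHA-256-PLUS from the mechanism list, a MITM that relays the list unchanged but terminates TLS with its own certificate, and the hypothetical "send 'n' when the client cannot bind to this certificate" behaviour from the quoted question) as a runnable model of the gs2-cbind-flag negotiation. This is an added illustration written for this page, not libpq or PostgreSQL server code. The certificates are constructed byte strings standing in for DER, the mechanism lists and the connect() helper are constructed, and the flag rules follow RFC 5802 ('n'/'y'/'p') and RFC 5929 (tls-server-end-point hashes the certificate with the hash function of its signature algorithm, which is not fixed by the algorithm identifier for rsassaPss).

```python
"""Model of the SCRAM channel-binding negotiation discussed above.

Added illustration, not libpq/PostgreSQL code. Certificates are constructed
byte strings standing in for DER. Per RFC 5929, tls-server-end-point hashes
the DER with the hash function of the certificate's signature algorithm; for
rsassaPss that hash is carried in the PSS parameters rather than implied by
the algorithm OID, so the client here has no cbind data for such a cert.
Flag semantics ('n', 'y', 'p=...') follow RFC 5802.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cert:
    der: bytes               # constructed stand-in for the DER encoding
    sig_hash: Optional[str]  # hash implied by the signature algorithm; None for rsassaPss


def tls_server_end_point(cert: Cert) -> Optional[bytes]:
    """Channel-binding data, or None when no hash can be derived from the cert."""
    if cert.sig_hash is None:
        return None
    return hashlib.new(cert.sig_hash, cert.der).digest()


# Constructed certificates for the three parties; the server is on TLS and offers PLUS.
SERVER_CERT = Cert(b"constructed server cert, sha256WithRSAEncryption", "sha256")
MITM_CERT_RSA = Cert(b"constructed MITM cert, sha256WithRSAEncryption", "sha256")
MITM_CERT_PSS = Cert(b"constructed MITM cert, rsassaPss", None)
SERVER_MECHS = ("SCRAM-SHA-256-PLUS", "SCRAM-SHA-256")


class ClientAbort(Exception):
    """Client refuses to continue the handshake."""


def client_first(channel_binding, offered_mechs, peer_cert, n_fallback=False):
    """Pick mechanism and gs2 header: returns (mechanism, gs2_header, cbind_data).

    n_fallback=True models the hypothetical 'send n when this certificate
    cannot be bound' behaviour asked about in the quoted message.
    """
    if channel_binding == "disable":
        return "SCRAM-SHA-256", "n,,", b""
    if "SCRAM-SHA-256-PLUS" in offered_mechs:
        cb_data = tls_server_end_point(peer_cert)
        if cb_data is not None:
            return "SCRAM-SHA-256-PLUS", "p=tls-server-end-point,,", cb_data
        if n_fallback and channel_binding == "prefer":
            return "SCRAM-SHA-256", "n,,", b""
        raise ClientAbort("cannot compute tls-server-end-point for this certificate")
    if channel_binding == "require":
        raise ClientAbort("server did not offer SCRAM-SHA-256-PLUS")
    # Client supports binding but the list it saw lacked PLUS: 'y' says so, and
    # a server that did offer PLUS treats it as evidence of tampering.
    return "SCRAM-SHA-256", "y,,", b""


def server_accepts(server_cert, mechanism, gs2_header, client_cbind_data) -> bool:
    """Server-side check of the gs2 flag and of the c= attribute in client-final."""
    flag = gs2_header[0]
    if flag == "y":
        return False  # this server offered PLUS, so the list the client saw was modified
    if flag == "p":
        if mechanism != "SCRAM-SHA-256-PLUS":
            return False
        # c= is base64(gs2-header || cbind-data); the server recomputes it from
        # its own certificate, so a hash taken over a MITM's cert never matches.
        expected = base64.b64encode(gs2_header.encode() + tls_server_end_point(server_cert))
        got = base64.b64encode(gs2_header.encode() + client_cbind_data)
        return hmac.compare_digest(expected, got)
    return flag == "n"  # no binding requested; this server does not insist on it


def connect(channel_binding, mitm=None, n_fallback=False) -> str:
    """Run one handshake. mitm: None, 'strip_plus' (edit the mechanism list),
    'rsa_cert' (relay the list, terminate TLS with an RSA cert) or 'pss_cert'
    (relay the list, terminate TLS with an rsassaPss cert)."""
    offered, peer_cert = {
        None: (SERVER_MECHS, SERVER_CERT),
        "strip_plus": (("SCRAM-SHA-256",), MITM_CERT_RSA),
        "rsa_cert": (SERVER_MECHS, MITM_CERT_RSA),
        "pss_cert": (SERVER_MECHS, MITM_CERT_PSS),
    }[mitm]
    try:
        mech, gs2, cb = client_first(channel_binding, offered, peer_cert, n_fallback)
    except ClientAbort:
        return "client_aborted"
    return "authenticated" if server_accepts(SERVER_CERT, mech, gs2, cb) else "server_rejected"


if __name__ == "__main__":
    for mitm in (None, "strip_plus", "rsa_cert", "pss_cert"):
        print(f"channel_binding=prefer, mitm={mitm}: {connect('prefer', mitm)}")
    print("prefer with 'n' fallback, mitm=pss_cert:", connect("prefer", "pss_cert", n_fallback=True))
```

With today's rules every MITM variant ends in `server_rejected` or `client_aborted`; only the `n_fallback=True` run reaches `authenticated` through the MITM, which is the downgrade described in the message.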
