Re: BUG #17760: SCRAM authentication fails with "modern" (rsassaPss signature) server certificate

The new "tls-server-end-point-sha-256" channel binding type now seems 
like the best approach to me, but I still wanted to reply to this:

On 09/02/2023 10:24, Michael Paquier wrote:
> But the client has the choice to decide if it wants to use channel
> binding, does it?  In this case, it would send the non-PLUS mechanism
> followed by 'n' as gs2-cbind-flag, no?

No, that makes a downgrade attack possible with channel_binding=prefer. 
Imagine that you have a server with a typical RSA certificate that 
supports channel binding. And a client with channel_binding=prefer. 
There is a Man-In-The-Middle between the client and the server. The MITM 
works as a proxy, and opens two separate TLS connections: server <-> 
MITM and MITM <-> client. To the client, it presents a TLS server 
certificate that uses 'rsassaPss'. The client connects to the MITM, sees 
the rsassaPss certificate, and decides that it cannot do channel binding 
because the server doesn't support it. It sends 'n' gs2-cbind-flag, and 
the server happily accepts that.

Currently, such a downgrade attack is not possible. If client and server 
both support channel binding, it will be used. If a MITM tries to modify 
the SASL mechanism list, leaving out SCRAM-SHA-256-PLUS, the client will 
use gs2-cbind-flag='y' which notifies the server that the mechanism list 
was modified, and the server will fail the authentication. And if the 
MITM doesn't change the negotiation, then channel binding will be used, 
and the authentication will fail because the client and server will 
compute a different server certificate hash.

There is no way for the client to tell the server "I support channel 
binding in general, but not with this server certificate".

- Heikki