Next: Interoperability, Previous: Keying Material Exporters, Up: Advanced topics [Contents][Index]
In user authentication protocols (e.g., EAP or SASL mechanisms) it is useful to have a unique string that identifies the secure channel that is used, to bind together the user authentication with the secure channel. This can protect against man-in-the-middle attacks in some situations. That unique string is called a “channel binding”. For background and discussion see [RFC5056].
In GnuTLS you can extract a channel binding using the
gnutls_session_channel_binding function. Currently only the
type GNUTLS_CB_TLS_UNIQUE is supported, which corresponds to
the tls-unique channel binding for TLS defined in
[RFC5929].
The following example describes how to print the channel binding data. Note that it must be run after a successful TLS handshake.
{
gnutls_datum_t cb;
int rc;
rc = gnutls_session_channel_binding (session,
GNUTLS_CB_TLS_UNIQUE,
&cb);
if (rc)
fprintf (stderr, "Channel binding error: %s\n",
gnutls_strerror (rc));
else
{
size_t i;
printf ("- Channel binding 'tls-unique': ");
for (i = 0; i < cb.size; i++)
printf ("%02x", cb.data[i]);
printf ("\n");
}
}