
Feature #1866

Implicit TLS (with SNI) connection mode

Added by Avamander about 2 years ago. Updated 18 days ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 07/30/2023
Due date: -
% Done: 0%
Estimated time: -
OS: Any

Description

It would be very useful if Quassel had a client-core connection mode that uses pure implicit TLS (with SNI).

This would provide multiple benefits:
  • Adds the ability to use any TLS load balancer or terminator (traefik/nginx/etc. with more nuanced configuration)
  • Implicit TLS as implemented by other software is likely less failure-prone, and thus more secure, than any ad-hoc TLS support
  • Resists protocol fingerprinting
  • Adds the potential to leverage things like mTLS (using a YubiKey/smartcard for auth), ECH or QUIC in the future

In theory, it also shouldn't be that difficult to implement using already available libraries.
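As an added illustration of the first point above (example code written for this page, not part of Quassel or of this ticket): with implicit TLS the first bytes a client sends are a TLS ClientHello, and an SNI-aware front end can read the server_name extension out of it and pick a backend without terminating or decrypting anything. A protocol that starts in plaintext and upgrades to TLS later gives such a front end nothing to route on. The script below uses only the Python standard library to emit a real ClientHello and parse it; the hostnames, backend addresses and the plaintext greeting are constructed for the demo, and the greeting does not represent Quassel's actual wire format.

```python
"""Added example (not Quassel code): what an SNI-aware TLS front end sees.

With implicit TLS the first bytes on the wire are a TLS ClientHello, and the
server_name extension inside it lets a terminator or load balancer choose a
backend before any decryption. A plaintext-first protocol yields no SNI.
"""
import ssl
import struct

TLS_RECORD_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
SNI_HOST_NAME = 0x00

# Constructed routing table for the demo; hosts and addresses are assumptions.
BACKENDS = {
    "quassel.example.org": ("10.0.0.5", 4242),
    "irc.example.org": ("10.0.0.6", 6697),
}


def build_client_hello(server_hostname: str) -> bytes:
    """Produce a genuine ClientHello with SNI using only the stdlib ssl module.

    Driving the handshake through memory BIOs makes OpenSSL write the
    ClientHello into `outgoing` and then stall waiting for the server.
    """
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, no ServerHello available yet
    return outgoing.read()


def extract_sni(data: bytes):
    """Return the host_name from a TLS ClientHello record, or None.

    None is also the answer for anything that is not a well-formed ClientHello,
    which is exactly what a plaintext-first protocol looks like to an SNI router.
    """
    try:
        if data[0] != TLS_RECORD_HANDSHAKE:
            return None
        (rec_len,) = struct.unpack("!H", data[3:5])          # record length
        body = data[5:5 + rec_len]
        if body[0] != HANDSHAKE_CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(body[1:4], "big")             # handshake length
        hs = body[4:4 + hs_len]
        pos = 2 + 32                                          # legacy_version + random
        pos += 1 + hs[pos]                                    # legacy_session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + hs[pos]                                    # legacy_compression_methods
        (ext_total,) = struct.unpack("!H", hs[pos:pos + 2])
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            ext = hs[pos:pos + ext_len]
            pos += ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            (list_len,) = struct.unpack("!H", ext[0:2])       # ServerNameList length
            p, list_end = 2, 2 + list_len
            while p + 3 <= list_end:
                name_type = ext[p]
                (name_len,) = struct.unpack("!H", ext[p + 1:p + 3])
                p += 3
                name = ext[p:p + name_len]
                p += name_len
                if name_type == SNI_HOST_NAME:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None  # truncated, malformed, or simply not TLS


def route(first_bytes: bytes):
    """Pick a backend from the first bytes on the wire, or None if unroutable."""
    name = extract_sni(first_bytes)
    if name is None:
        return None
    return BACKENDS.get(name.lower())


if __name__ == "__main__":
    hello = build_client_hello("quassel.example.org")
    print("implicit TLS   :", extract_sni(hello), "->", route(hello))
    # Constructed plaintext greeting standing in for any protocol that begins
    # unencrypted and upgrades later; not Quassel's actual wire format.
    plaintext_first = b"HELLO client v1\r\n"
    print("plaintext-first:", extract_sni(plaintext_first), "->", route(plaintext_first))
```

Only `build_client_hello` needs OpenSSL; `extract_sni` is the part a stream-level proxy performs on the first read, and it deliberately returns None rather than raising on anything that is not a complete ClientHello record, since a router has to decide on the first bytes and cannot wait for a later in-band upgrade.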

History

#1 Updated by Jamie309Perez 18 days ago

Adding pure implicit TLS with SNI to Quassel's client-core connection would significantly improve security and flexibility. This standard method of encryption is more robust and less prone to failure than ad-hoc solutions, and it would allow Quassel to work seamlessly with modern TLS load balancers and terminators like Traefik or Nginx. Beyond these immediate benefits, it would also future-proof the application by enabling advanced security features like mTLS with hardware tokens (e.g., YubiKeys) and support for new protocols like ECH or QUIC.
