Feature #1866
Implicit TLS (with SNI) connection mode
Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 07/30/2023
Due date:
% Done: 0%
Estimated time:
OS: Any
Description
It would be very useful if Quassel had a client-core connection mode that uses pure implicit TLS (with SNI).
This would provide multiple benefits:
- Adds the ability to use any TLS load balancer or terminator (traefik/nginx/etc. with more nuanced configuration)
- Implicit TLS as implemented by other software is likely less failure-prone, and thus more secure, than any ad-hoc TLS support
- Resists protocol fingerprinting
- Adds the potential to leverage things like mTLS (using a YubiKey/smartcard for auth), ECH or QUIC in the future
In theory it also shouldn't be that difficult to implement using already available libraries.
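The first benefit in the request (routing through any TLS load balancer or terminator) rests on the front end being able to read the server_name extension from the very first bytes of the connection, before any application data. The following is an added example, not Quassel code and not part of this ticket: it builds a minimal ClientHello record carrying an SNI extension, the way an implicit-TLS client opens a connection, and parses it the way an SNI-preread front end (nginx ssl_preread, a traefik TCP router) does, without holding the server key. The host names, the backend table and the plaintext greeting used for contrast are constructed for illustration.

```python
import struct

# --- constructed sample input: a minimal TLS 1.2-style ClientHello with SNI ---

def build_client_hello(server_name: str) -> bytes:
    """Return a TLS record (type 0x16) holding a minimal ClientHello with SNI."""
    host = server_name.encode("ascii")
    # server_name extension (type 0): ServerNameList of (name_type=0, len16, host)
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    # an unrelated extension first (supported_versions, type 43) so a parser has
    # to walk the extension list rather than assume SNI is the first entry
    sv_ext = struct.pack("!HH", 43, 3) + b"\x02\x03\x04"
    extensions = sv_ext + sni_ext
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + bytes(32)                              # random (zeros; constructed sample)
        + b"\x00"                                # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"     # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                            # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


# --- the front-end side: read SNI from the first record, never decrypt anything ---

def extract_sni(first_bytes: bytes):
    """Return the SNI host name from a ClientHello record, or None.

    None covers every case an SNI-routing front end cannot handle: a
    truncated or malformed record, a ClientHello without server_name, and a
    protocol that starts in plaintext and only upgrades to TLS later.
    """
    try:
        return _parse_sni(first_bytes)
    except (ValueError, IndexError, struct.error, UnicodeDecodeError):
        return None


def _parse_sni(record: bytes) -> str:
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                             # client_version + random
    pos += 1 + body[pos]                                     # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + body[pos]                                     # compression_methods
    if pos == len(body):
        raise ValueError("no extensions")
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("truncated extensions")
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_size]
        pos += 4 + ext_size
        if ext_type == 0:                                    # server_name
            return _parse_server_name_list(data)
    raise ValueError("no server_name extension")


def _parse_server_name_list(data: bytes) -> str:
    (list_len,) = struct.unpack("!H", data[:2])
    q = 2
    while q < 2 + list_len:
        name_type = data[q]
        (name_len,) = struct.unpack("!H", data[q + 1:q + 3])
        name = data[q + 3:q + 3 + name_len]
        if len(name) != name_len:
            raise ValueError("truncated server name")
        if name_type == 0:                                   # host_name
            return name.decode("ascii")
        q += 3 + name_len
    raise ValueError("no host_name entry")


# constructed routing table for a hypothetical SNI front end
BACKENDS = {
    "quassel.example.org": ("127.0.0.1", 4242),
    "www.example.org": ("127.0.0.1", 8443),
}


def route(first_bytes: bytes):
    """Pick a backend from SNI alone; None means refuse (no SNI or unknown name)."""
    return BACKENDS.get(extract_sni(first_bytes))


if __name__ == "__main__":
    print(route(build_client_hello("quassel.example.org")))   # routable
    print(route(b"HELLO example.org\r\n"))                     # plaintext-first: None
```

The second call in the usage shows the failure mode the request is about: a connection that opens with an application-level greeting and negotiates TLS afterwards carries no ClientHello in its first bytes, so a generic SNI-routing front end has nothing to route on and the core has to sit directly on the port instead.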
History
#1 Updated by rechard407jensen 17 days ago
Avamander wrote:
It would be very useful if Quassel had a client-core connection mode that uses pure implicit TLS (with SNI).
This would provide multiple benefits:
- Adds the ability to use any TLS load balancer or terminator (traefik/nginx/etc. with more nuanced configuration)
- Implicit TLS as implemented by other software is likely less failure-prone, and thus more secure, than any ad-hoc TLS support
- Resists protocol fingerprinting
- Adds the potential to leverage things like mTLS (using a YubiKey/smartcard for auth), ECH or QUIC in the future
In theory it also shouldn't be that difficult to implement using already available libraries.
Hello,
Adding implicit TLS with SNI to Quassel would improve security, compatibility with modern TLS tools, and enable future enhancements like mTLS or ECH.
Best regards,
Rechard