Feature #1866

Implicit TLS (with SNI) connection mode

Added by Avamander almost 2 years ago. Updated 17 days ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 07/30/2023
Due date:
% Done: 0%
Estimated time:
OS: Any

Description

It would be very useful if Quassel had a client-core connection mode that uses pure implicit TLS (with SNI).

This would provide multiple benefits:
  • Adds the ability to use any TLS load balancer or terminator (traefik/nginx/etc. with more nuanced configuration)
  • Implicit TLS as implemented by other software is likely less failure-prone, thus more secure than any ad-hoc TLS support
  • Resists protocol fingerprinting
  • Adds the potential to leverage things like mTLS (using a YubiKey/smartcard for auth), ECH or QUIC in the future

In theory, it also shouldn't be that difficult to implement using already available libraries.
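The load-balancer point above rests on one mechanism: with implicit TLS the very first bytes on the wire are a TLS ClientHello, and its SNI extension names the host before any application data flows, so a terminator such as nginx (ssl_preread) or a traefik TCP router can pick a backend without understanding the Quassel protocol at all. As an added example, not code from this issue or from Quassel, here is a minimal ClientHello builder with a single server_name extension and the SNI parser such a terminator runs on a connection's first bytes, plus a routing table lookup. The host names, backend addresses and ports are constructed assumptions; only the Python standard library is used.

```python
"""Minimal TLS ClientHello with SNI, and the parser an SNI-routing
terminator runs on the first bytes of a connection.

Added example; the names, ports and sample bytes below are constructed.
"""
import os
import struct
from typing import Optional, Tuple

# Constructed backend map, the kind of table an SNI router holds.
BACKENDS = {
    "quassel.example.org": ("127.0.0.1", 4242),
    "irc.example.org": ("127.0.0.1", 6697),
}


def build_client_hello(server_name: str, random_bytes: Optional[bytes] = None) -> bytes:
    """Return one TLS record (type 0x16, handshake) holding a ClientHello
    whose only extension is server_name, the form a TLS client emits
    first when the connection is implicit TLS with SNI."""
    random_bytes = random_bytes or os.urandom(32)
    host = server_name.encode("idna")
    # server_name extension: name type 0 (host_name), 2-byte length, name
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    cipher_suites = b"\x13\x01\x13\x02"  # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body = (
        b"\x03\x03"                                   # legacy_version TLS 1.2
        + random_bytes                                # 32-byte client random
        + b"\x00"                                     # empty legacy_session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                 # compression: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes) -> Optional[str]:
    """Parse the first record of a connection and return the host_name from
    its SNI extension, or None if the bytes are not a ClientHello with SNI
    (a cleartext application handshake, a truncated record, no extensions)."""
    try:
        if len(data) < 5 or data[0] != 0x16:
            return None  # not a TLS handshake record at all
        rec_len = struct.unpack("!H", data[3:5])[0]
        rec = data[5:5 + rec_len]
        if len(rec) < 4 or rec[0] != 0x01:
            return None  # not a ClientHello
        hs_len = int.from_bytes(rec[1:4], "big")
        body = rec[4:4 + hs_len]
        if len(body) < hs_len:
            return None  # truncated record: wait for more bytes instead of guessing
        pos = 2 + 32                                  # skip version and random
        pos += 1 + body[pos]                          # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
        pos += 1 + body[pos]                          # compression methods
        if pos + 2 > len(body):
            return None  # no extensions present
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != 0x0000:
                continue
            lpos = 2                                  # skip server_name list length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                if ntype == 0:
                    return edata[lpos + 3:lpos + 3 + nlen].decode("idna")
                lpos += 3 + nlen
        return None
    except (IndexError, struct.error, UnicodeError):
        return None  # malformed input is treated as "no SNI", never as an exception


def route(first_bytes: bytes) -> Optional[Tuple[str, int]]:
    """Pick a backend from the SNI alone, as an SNI-routing terminator does."""
    name = extract_sni(first_bytes)
    return BACKENDS.get(name) if name else None


if __name__ == "__main__":
    hello = build_client_hello("quassel.example.org")
    print(extract_sni(hello), route(hello))
    # Constructed non-TLS first bytes: an SNI router has nothing to route on.
    print(route(b"\x00\x01\x02\x03"))
```

The `route` failure path is the practical caveat: anything that does not start with a TLS ClientHello (a cleartext handshake that upgrades to TLS later, or an incomplete record) gives the terminator no name to route on, which is exactly why an opportunistic upgrade mode cannot sit behind a generic SNI router while an implicit-TLS mode can.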

History

#1 Updated by rechard407jensen 17 days ago

Avamander wrote:

It would be very useful if Quassel had a client-core connection mode that uses pure implicit TLS (with SNI).

This would provide multiple benefits:
  • Adds the ability to use any TLS load balancer or terminator (traefik/nginx/etc. with more nuanced configuration)
  • Implicit TLS as implemented by other software is likely less failure-prone, thus more secure than any ad-hoc TLS support
  • Resists protocol fingerprinting
  • Adds the potential to leverage things like mTLS (using a YubiKey/smartcard for auth), ECH or QUIC in the future

In theory, it also shouldn't be that difficult to implement using already available libraries.

Hello,

Adding implicit TLS with SNI to Quassel would improve security, compatibility with modern TLS tools, and enable future enhancements like mTLS or ECH.

Best regards,
Rechard
