The TLS libraries expose `SSL_export_keying_material` (RFC 5705) for deriving additional keying material from established connections. This is useful for channel binding, application-specific crypto, and other protocols that need to bind to the TLS session.
Currently pingora's OpenSSL and BoringSSL compatibility layers don't expose this functionality. It would be useful to add a function in the `ext` module of both `pingora-openssl` and `pingora-boringssl` that wraps this capability.
Example use cases:
- Token binding
- Application layer channel binding
- Custom key derivation from TLS session
The function should accept a label, optional context data, and output buffer length, matching the underlying SSL library API.