Fwd: channel binding

Jeremy Harris jgh at wizmail.org
Mon Jan 11 21:26:30 UTC 2021

On 11/01/2021 08:20, Benjamin Kaduk wrote:
> Current recommendations are not to use the finished message as the channel
> binding but instead to define key exporter label for the given usage
> (see https://tools.ietf.org/html/rfc8446#section-7.5), using SSL_export_keying_material().

Follow-on question on SSL_export_keying_material() -
what "label" should I supply?

I need to interwork with other implementations that are using
SSL_get_finished() (client side) / SSL_get_peer_finished() (server side).
Does that imply I should use "client finished"
as the label?   Does the label length for the SSL_export_keying_material()
call include the terminating NUL or not?

More information about the openssl-users mailing list