cloudflare/pingora

Add support for exporting keying material

The TLS libraries expose SSL_export_keying_material (RFC 5705) for deriving additional keying material from established connections. This is useful for channel binding, application-specific crypto, and other protocols that need to bind to the TLS session.

Currently pingora's OpenSSL and BoringSSL compatibility layers don't expose this functionality. It would be useful to add a function in the ext module of both pingora-openssl and pingora-boringssl that wraps this capability.

Example use cases:

  • Token binding
  • Application layer channel binding
  • Custom key derivation from TLS session

The function should accept a label, optional context data, and output buffer length, matching the underlying SSL library API.