Add SCRAM-SHA-1-PLUS authentication mechanisms
phenomenon
The current implementation of SSL/TLS in python-nbxmpp uses CA certificates as its PKI mechanism. There are currently 141 CA certificates in cacerts.pem in Gajim, and any of these CAs can sign a certificate which can be used to do a MiTM attack on any XMPP server. There have been instances where Certificate Authorities have issued fraudulent certificates: Comodo, DigiNotar, TurkTrust.
background analysis
The SCRAM-SHA-1-PLUS authentication mechanism (RFC 5802) supports channel binding to the TLS channel, so any tampering with the TLS connection will cause an authentication failure, which allows a MiTM attack to be detected.
implementation recommendation
The server jabber.org supports the SCRAM-SHA-1-PLUS authentication mechanism, so it can be used for testing the implementation.
SSL in Python 3.3 supports channel binding data: http://docs.python.org/3/library/ssl.html#ssl.SSLSocket.get_channel_binding
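The following sketch is an added example, not code from python-nbxmpp or Gajim. It shows how the RFC 5802 client proof covers the `tls-unique` channel-binding bytes, so a server that sees a different TLS channel than the client rejects the login. The function names and the channel-binding byte strings are constructed for illustration; the credentials, salt and nonces are those of the RFC 5802 example.

```python
import base64, hashlib, hmac

GS2 = b"p=tls-unique,,"  # GS2 header announcing tls-unique channel binding

def scram_keys(password, salt, iterations):
    """Return (ClientKey, StoredKey) as defined in RFC 5802 section 3."""
    salted = hashlib.pbkdf2_hmac("sha1", password, salt, iterations)  # Hi()
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    return client_key, hashlib.sha1(client_key).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def client_final(client_key, stored_key, first_bare, server_first, nonce, gs2, cb_data):
    """Build client-final-message; c= carries GS2 header + channel-binding bytes."""
    without_proof = f"c={base64.b64encode(gs2 + cb_data).decode()},r={nonce}"
    auth_message = f"{first_bare},{server_first},{without_proof}".encode()
    signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    proof = base64.b64encode(xor(client_key, signature)).decode()
    return f"{without_proof},p={proof}"

def server_accepts(final_msg, stored_key, first_bare, server_first, gs2, server_cb):
    """Server side: compare c= with its own view of the TLS channel, then check the proof."""
    without_proof, proof = final_msg.rsplit(",p=", 1)
    c_value = without_proof.split(",", 1)[0][2:]
    expected = base64.b64encode(gs2 + server_cb).decode()
    if not hmac.compare_digest(c_value, expected):
        return False  # client and server are not on the same TLS channel
    auth_message = f"{first_bare},{server_first},{without_proof}".encode()
    signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    client_key = xor(base64.b64decode(proof), signature)
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), stored_key)

def demo():
    # Credentials and nonces from the RFC 5802 example; channel-binding bytes are constructed.
    salt = base64.b64decode("QSXCR+Q6sek8bf92")
    nonce = "fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
    first_bare = "n=user,r=fyko+d2lbbFgONRv9qkxdawL"
    server_first = f"r={nonce},s=QSXCR+Q6sek8bf92,i=4096"
    client_key, stored_key = scram_keys(b"pencil", salt, 4096)
    # In a real client this value is sock.get_channel_binding("tls-unique").
    cb_client = bytes.fromhex("a1b2c3d4e5f60718293a4b5c")
    cb_other_channel = bytes.fromhex("0f1e2d3c4b5a69788796a5b4")
    msg = client_final(client_key, stored_key, first_bare, server_first, nonce, GS2, cb_client)
    same = server_accepts(msg, stored_key, first_bare, server_first, GS2, cb_client)
    differs = server_accepts(msg, stored_key, first_bare, server_first, GS2, cb_other_channel)
    return same, differs

if __name__ == "__main__":
    print(demo())
```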