[PATCH] SSL: export channel binding values as variables
Steffen Kieß
Steffen.Kiess at ipvs.uni-stuttgart.de
Tue Jun 1 16:39:42 UTC 2021
Hello,
On 01.06.21 01:08, Maxim Dounin wrote:
> Hello!
>
> On Mon, May 31, 2021 at 09:41:42PM +0200, Steffen Kieß wrote:
>
>> On 31.05.21 18:36, Maxim Dounin wrote:
>>>
>>> Thanks for the patch. You may want to elaborate a bit more on how
>>> do you expect these variables to be used.
>>>
>>> [...]
>>>
>>
>> These variables can be used to implement authentication with channel
>> binding in an http application.
>
> [...]
>
>> I've attached a flask application + a client which shows how this can be
>> used, the required configuration in NGINX (when using fastcgi) is:
>
> So, you expect these variables to be used by application
> developers to implement some (currently not implemented)
> authentication with channel binding in HTTP, and that's the only
> use case you consider, correct?
One use case is channel binding for RFC4559. This already exists
(Microsoft IIS implements the server side with channel binding,
Microsoft Edge implements the client side with channel binding). There
are also other implementations without channel binding (firefox and
libcurl as clients for example) but this is in general vulnerable to
MitM attacks, even when using HTTPS (because an attacker who can cause a
client to do authentication over HTTP can then reuse the authentication
data for doing authentication over HTTPS). RFC4559 has some rather weird
design decisions (like doing authentication per-connections instead of
per-request) but it is used in real life.
On the other RFC4559 uses the tls-server-end-point channel binding which
can also be done without any support by NGINX (by providing the server
certificate to the web application).
>
> Note that HTTP provides no guarantees about channels, that is,
> connections, and trying to use channel binding is expected to
> break operation over HTTP, especially in complex setups when using
> proxies or reverse proxies, such as nginx. Further, invalid
> assumptions about guarantees in HTTP can easily cause security
> issues, by incorrectly authenticating unrelated requests on the
> connection. Basically the same set of issues as already seen with
> Microsoft's mis-designed NTLM authentication which doesn't work
> through proxies.
Channel binding is for HTTPS only, so there should not be any issues
with proxies.
Reverse proxies and load balancers obviously will make this more
complicated (because the channel binding information would have to be
forwarded to the web application in way which an attacker cannot spoof),
but in simple cases (e.g. using NGINX as a frontend which forwards
requests to an application over FastCGI or the uwsgi protocol) this
should not cause any problems.
Note that using channel bindings does not require you to do
per-connection authentication; you still can do per-request
authentication and only gain an assurance that no attack is performing a
MitM attack on the TLS connection.
>
> Given that, it might not be a good idea to provide such variables.
>
Best regards,
Steffen Kieß
More information about the nginx-devel
mailing list