[PATCH] SSL: export channel binding values as variables

Maxim Dounin mdounin at mdounin.ru
Mon May 31 23:08:40 UTC 2021


On Mon, May 31, 2021 at 09:41:42PM +0200, Steffen Kieß wrote:

> On 31.05.21 18:36, Maxim Dounin wrote:
> > 
> > Thanks for the patch.  You may want to elaborate a bit more on how
> > do you expect these variables to be used.
> > 
> > [...]
> > 
> These variables can be used to implement authentication with channel 
> binding in an http application.


> I've attached a flask application + a client which shows how this can be 
> used, the required configuration in NGINX (when using fastcgi) is:

So, you expect these variables to be used by application 
developers to implement some (currently not implemented) 
authentication with channel binding in HTTP, and that's the only 
use case you consider, correct?

Note that HTTP provides no guarantees about channels, that is, 
connections, and trying to use channel binding is expected to 
break operation over HTTP, especially in complex setups when using 
proxies or reverse proxies, such as nginx.  Further, invalid 
assumptions about guarantees in HTTP can easily cause security 
issues, by incorrectly authenticating unrelated requests on the 
connection.  Basically the same set of issues as already seen with 
Microsoft's mis-designed NTLM authentication which doesn't work 
through proxies.

Given that, it might not be a good idea to provide such variables.

Maxim Dounin

More information about the nginx-devel mailing list