[PATCH] SSL: export channel binding values as variables
Maxim Dounin
mdounin at mdounin.ru
Mon May 31 23:08:40 UTC 2021
Hello!
On Mon, May 31, 2021 at 09:41:42PM +0200, Steffen Kieß wrote:
> On 31.05.21 18:36, Maxim Dounin wrote:
> >
> > > Thanks for the patch. You may want to elaborate a bit more on how
> > > you expect these variables to be used.
> >
> > [...]
> >
>
> These variables can be used to implement authentication with channel
> binding in an http application.
[...]
> I've attached a flask application + a client which shows how this can be
> used, the required configuration in NGINX (when using fastcgi) is:
So, you expect these variables to be used by application
developers to implement some (currently not implemented)
authentication with channel binding in HTTP, and that's the only
use case you consider, correct?
Note that HTTP provides no guarantees about channels, that is,
connections, and trying to use channel binding is expected to
break operation over HTTP, especially in complex setups when using
proxies or reverse proxies, such as nginx. Further, invalid
assumptions about guarantees in HTTP can easily cause security
issues, by incorrectly authenticating unrelated requests on the
connection. Basically the same set of issues as already seen with
Microsoft's mis-designed NTLM authentication which doesn't work
through proxies.
Given that, it might not be a good idea to provide such variables.
--
Maxim Dounin
http://mdounin.ru/
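As an added illustration of the two failure modes the reply above warns about (a constructed example, not code from this thread, from the patch, or from nginx): a server that verifies a channel-bound token on every request stops working once a TLS-terminating proxy sits between it and the client, because the two ends of the proxy see different binding values; and a server that, NTLM-style, treats a channel as authenticated after one login ends up accepting an unrelated client's requests that share the proxy's upstream connection. The `TlsConnection.binding` value stands in for a channel binding such as tls-unique; the user names, secrets, proxy model and request bodies are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed user database (user -> shared secret); not from the thread.
USERS = {"alice": b"alice-secret", "bob": b"bob-secret"}


@dataclass
class TlsConnection:
    """One TLS connection as seen by one endpoint. `binding` stands in for a
    channel binding value such as tls-unique: unique per connection, and the
    two legs of a TLS-terminating proxy carry *different* values."""
    client: str
    binding: bytes = field(default_factory=lambda: os.urandom(16))


def bound_token(user, binding, body):
    """Client side: MAC the channel binding and the request body with the
    user's secret, so the token is valid only for this request on the
    channel the client itself sees."""
    mac = hmac.new(USERS[user], binding + b"\0" + body, hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def check_bound_token(token, binding, body):
    """Server side: recompute the MAC with the binding of *its* connection."""
    user, _, mac = token.partition(":")
    if user not in USERS:
        return None
    want = hmac.new(USERS[user], binding + b"\0" + body, hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, want) else None


class PerRequestServer:
    """Every request carries its own channel-bound token; no per-connection state."""
    def handle(self, conn, cred, body):
        user = check_bound_token(cred, conn.binding, body) if cred else None
        return f"200 {user}" if user else "401"


class ChannelSessionServer:
    """NTLM-like design: a password login marks the *channel* (its binding
    value) as authenticated; later requests on that channel are trusted."""
    def __init__(self):
        self.sessions = {}  # binding value -> authenticated user

    def handle(self, conn, cred, body):
        if cred is not None:
            user, _, password = cred.partition(":")
            if USERS.get(user) != password.encode():
                return "401"
            self.sessions[conn.binding] = user
            return f"200 {user}"
        user = self.sessions.get(conn.binding)
        return f"200 {user}" if user else "401"


class TerminatingProxy:
    """Forward proxy that terminates client TLS and reuses one upstream TLS
    connection for all of its clients (assumed topology for the example)."""
    def __init__(self, server):
        self.server = server
        self.upstream = TlsConnection("proxy")

    def forward(self, client_conn, cred, body):
        # The server only ever sees the proxy's upstream channel.
        return self.server.handle(self.upstream, cred, body)


def run_per_request():
    """Channel-bound tokens: fine end to end, broken through the proxy."""
    srv = PerRequestServer()
    direct = TlsConnection("alice")
    alice = TlsConnection("alice")
    proxy = TerminatingProxy(srv)
    return {
        "direct": srv.handle(direct, bound_token("alice", direct.binding, b"GET /a"), b"GET /a"),
        # Alice MACs the binding of *her* connection; the proxy's upstream has another.
        "via_proxy": proxy.forward(alice, bound_token("alice", alice.binding, b"GET /a"), b"GET /a"),
    }


def run_channel_session():
    """Channel-as-session: an unrelated client on the shared upstream channel
    is served as the user who logged in."""
    srv = ChannelSessionServer()
    proxy = TerminatingProxy(srv)
    alice, bob = TlsConnection("alice"), TlsConnection("bob")
    return {
        "alice_login": proxy.forward(alice, "alice:alice-secret", b"POST /login"),
        # Bob never authenticated, but rides the same upstream channel as Alice.
        "bob_unauth": proxy.forward(bob, None, b"GET /alice-data"),
    }


if __name__ == "__main__":
    print(run_per_request())
    print(run_channel_session())
```

The first scenario shows the operational breakage (the legitimate user gets 401 behind the proxy); the second shows the security failure (Bob's unauthenticated request is answered as Alice), which is what keying any authentication state on the connection rather than on the request leads to.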