W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2015

Re: New tunnel protocol

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Thu, 22 Jan 2015 17:50:46 +1300
Message-ID: <54C081A6.7080805@treenet.co.nz>
To: ietf-http-wg@w3.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 22/01/2015 12:11 p.m., Martin Thomson wrote:
> On 21 January 2015 at 14:34, Adrien de Croy <adrien@qbik.com>
> wrote:
>> So there's room for ambiguity around whether the next layer
>> (after CONNECT) is TLS or not.  Or do we rely on the identifier
>> also indicating it is over TLS, in which case what if there are 2
>> TLS layers?
> 
> I get your point.  My understanding, and what is written down,
> were indeed quite different.
> 
> Does this help?
> 
> https://github.com/httpwg/http-extensions/commit/7e2e57a48c21be2b68f856b41095800620fc1a20
>
> 
http://httpwg.github.io/http-extensions/tunnel-protocol.html#rfc.section.1
> (when Travis catches up)
> 

No,

Consider that under the new scheme the label for HTTPS tunnels would
say "HTTP/1.1" to indicate that an HTTP/1.1 compliant proxy "does not
understand nor implement the tunneled protocol".

The client intent is to tunnel TLS to keep the stuff inside secure. It
is not appropriate for the HTTP upper layers to expose those
intended-private details for all the world to read.

IMO, just indicate TLS as the next layer after CONNECT and have that
layers ALPN (or not) indicate the nested next-layer. If the
intermediary is capable of peeking at the TLS ALPN value it can do so
itself. That also resolves security and logistical issues with keeping
the two ALPN tags in-sync.

Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUwIGlAAoJELJo5wb/XPRjbLUIAKEwlIVSVfrTnjnmKMzR+i2c
v/x+Qrxsw1Hc5HIHSPqSamcW86MWsKjf872Ay5kLbjzbye5XRVIxJX8ltteImfH4
ft9gSEAnIIaeqXcHW7yAE4M+M8x67ShXz2ErvmUEHh38hoybsBYqNVKkGEVg4oEU
u6Siuljxjtj4NmhRP8hMTLYf6vT01LOwY9g7gZ3EGf5k0vk+6yTF9qBNxKji9RHF
qF6a+/hK15l9YVJejk4KI1w3Jp4xy0Vw0hwJQux+nnbn4D/dW5CE3myIy345xDts
ZJhZsKAcRg+JEoRGIMGze6Of5lBIlmtgxs8nhuSalwve+G/grguWb83DDeykWx4=
=UNbp
-----END PGP SIGNATURE-----
Received on Thursday, 22 January 2015 04:51:32 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:42 UTC