- From: Piotr Sikora <piotrsikora@google.com>
- Date: Tue, 18 Jul 2017 11:20:16 +0200
- To: Willy Tarreau <w@1wt.eu>
- Cc: Eric Rescorla <ekr@rtfm.com>, IETF Tokbind WG <unbearable@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Hey Willy,

> What I've seen and used was slightly different:
> 1) proxies unconditionally remove the header field
> 2) proxies unconditionally add the new header field even with no
>    certificate
> 3) servers verify that there is exactly one header field
>
> This way even if step 1 above fails (eg: usual typo in the rule needed
> to strip the header field which nobody notices since nobody injects
> such a field name), step 2 ensures that any injection will be detected
> in step 3.

This is exactly what the current draft suggests and what EKR objects to, because a misconfigured proxy that doesn't know about "X-Client-Certificate" won't execute steps 1-3 for the "X-Client-Certificate" header.

Best regards,
Piotr Sikora
Received on Tuesday, 18 July 2017 09:20:44 UTC
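
The three steps quoted above and the gap raised in the reply, modelled as an added Python example (not part of the original message or of the draft). The function names, the misspelled strip rule and the request values are constructed for illustration.

```python
# Added illustration: a toy model of the strip / add / count-exactly-one scheme.
HDR = "x-client-certificate"


def proxy(headers, client_cert, strip_rule=HDR, aware=True):
    """Model a TLS-terminating proxy; headers is a list of (name, value) pairs."""
    if not aware:
        # A proxy that does not know about the header runs neither step 1 nor 2.
        return list(headers)
    # Step 1: strip inbound copies (strip_rule may carry a typo).
    out = [(n, v) for n, v in headers if n.lower() != strip_rule.lower()]
    # Step 2: always add the field, empty when no certificate was presented.
    out.append((HDR, client_cert or ""))
    return out


def server_accepts(headers):
    """Step 3: accept only when the field appears exactly once."""
    return sum(1 for n, _ in headers if n.lower() == HDR) == 1


def run(strip_rule=HDR, aware=True):
    """Forward a constructed request that already carries the header."""
    inbound = [("host", "example.test"), (HDR, "client-supplied-value")]
    forwarded = proxy(inbound, client_cert=None,
                      strip_rule=strip_rule, aware=aware)
    return forwarded, server_accepts(forwarded)


if __name__ == "__main__":
    cases = {
        "correct proxy": {},
        "typo in strip rule": {"strip_rule": "x-client-certifcate"},
        "proxy unaware of header": {"aware": False},
    }
    for label, kwargs in cases.items():
        forwarded, ok = run(**kwargs)
        values = [v for n, v in forwarded if n == HDR]
        print(f"{label:26} accepted={ok} values={values}")
```

The typo case is rejected at step 3 because two copies arrive; the unaware-proxy case passes the count check with the client-supplied value intact, which is the situation the reply describes.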