- From: Willy Tarreau <w@1wt.eu>
- Date: Tue, 18 Jul 2017 13:49:19 +0200
- To: Piotr Sikora <piotrsikora@google.com>
- Cc: Eric Rescorla <ekr@rtfm.com>, IETF Tokbind WG <unbearable@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Hi Piotr,

On Tue, Jul 18, 2017 at 11:20:16AM +0200, Piotr Sikora wrote:
> Hey Willy,
>
> > What I've seen and used was slightly different:
> > 1) proxies unconditionally remove the header field
> > 2) proxies unconditionally add the new header field even with no
> >    certificate
> > 3) servers verify that there is exactly one header field
> >
> > This way even if step 1 above fails (e.g. the usual typo in the rule
> > needed to strip the header field, which nobody notices since nobody
> > injects such a field name), step 2 ensures that any injection will be
> > detected in step 3.
>
> This is exactly what the current draft suggests and what EKR objects
> to, because a misconfigured proxy that doesn't know about
> "X-Client-Certificate" won't execute steps 1-3 for the
> "X-Client-Certificate" header.

In fact, it all depends on the amount of misconfiguration expected. If we
have to consider that a proxy suddenly becomes totally transparent, then
prepending a secret token before the actual value detects it.

Willy
Received on Tuesday, 18 July 2017 11:49:54 UTC
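The three-step scheme quoted in the message above (strip, always add, verify exactly one) and Willy's secret-token variant, modelled as an added example; this is not code from the thread or from any draft or proxy implementation. Only the header name "X-Client-Certificate" comes from the message. The `token:certificate` wire format, the function names and the constructed requests and token are assumptions made for the illustration.

```python
"""Toy model of the forwarded client-certificate header scheme discussed
in the thread. Added example; the wire format "token:cert", the function
names and all sample data are constructed for illustration."""
import hmac

HEADER = "x-client-certificate"   # header name from the thread, matched case-insensitively


def proxy_forward(headers, client_cert=None, strip=True, token=None):
    """Proxy side: steps 1 and 2.

    headers:     inbound request headers as a list of (name, value) pairs
    client_cert: certificate seen on the TLS connection, or None if there was none
    strip:       False simulates the typo in the strip rule that step 2 covers for
    token:       optional shared secret prepended to the value (hypothetical
                 "token:cert" format standing in for Willy's suggestion)
    """
    # Step 1: unconditionally remove any inbound copy of the header.
    out = [(n, v) for n, v in headers if not (strip and n.lower() == HEADER)]
    # Step 2: unconditionally add exactly one copy, even with no certificate.
    value = client_cert if client_cert is not None else ""
    if token is not None:
        value = f"{token}:{value}"
    out.append(("X-Client-Certificate", value))
    return out


def server_extract(headers, token=None):
    """Server side: step 3, plus the optional token check.

    Returns the certificate ("" meaning 'proxy saw no client certificate'),
    or None when the request must be treated as tampered with or as having
    bypassed the proxy.
    """
    values = [v for n, v in headers if n.lower() == HEADER]
    if len(values) != 1:
        return None   # 0 copies: proxy bypassed; 2+ copies: injection survived step 1
    value = values[0]
    if token is None:
        return value
    prefix, sep, cert = value.partition(":")
    if not sep or not hmac.compare_digest(prefix, token):
        return None   # no or wrong token: header never went through the proxy
    return cert


def run_scenarios():
    """Constructed requests covering the cases raised in the thread."""
    token = "constructed-shared-secret"            # constructed, not a real secret
    clean = [("Host", "example.test")]             # constructed request
    injected = clean + [("X-Client-Certificate", "FORGED-CERT")]   # constructed injection
    return {
        # honest client, correct proxy: certificate arrives intact
        "honest": server_extract(proxy_forward(clean, "CERT-A")),
        # no TLS client cert: proxy still adds the header, server sees ""
        "no_cert": server_extract(proxy_forward(clean, None)),
        # injection attempt, proxy strips it (step 1 works)
        "injected_good_proxy": server_extract(proxy_forward(injected, "CERT-A")),
        # injection attempt, strip rule has the typo: two copies, step 3 rejects
        "injected_broken_strip": server_extract(proxy_forward(injected, "CERT-A", strip=False)),
        # fully transparent proxy (EKR's case): without a token the forgery is accepted
        "transparent_no_token": server_extract(injected),
        # same transparent proxy, but server expects the token: forgery rejected
        "transparent_with_token": server_extract(injected, token=token),
        # token in use end to end: honest path still works
        "honest_with_token": server_extract(proxy_forward(clean, "CERT-A", token=token), token=token),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24s} -> {result!r}")
```

The `transparent_no_token` entry is the gap Piotr describes: a proxy that never executes steps 1-3 leaves a single forged copy that step 3 alone cannot distinguish from a legitimate one; `transparent_with_token` shows how the prepended secret closes it, since a header that did not pass through the proxy cannot carry the token.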