Re: 2.2. Interaction with "https" URIs | Re: SETTINGS_MIXED_SCHEME_PERMITTED | Re: I-D Action: draft-ietf-httpbis-http2-encryption-07.txt

Kari Hurtta <hurtta-ietf@elmme-mailer.org> Mon, 10 October 2016 05:20 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB08B12940C for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 9 Oct 2016 22:20:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.917
X-Spam-Level:
X-Spam-Status: No, score=-9.917 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-2.996, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lq5rVzB6CNMR for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 9 Oct 2016 22:20:34 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A5C2126FDC for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 9 Oct 2016 22:20:34 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1btSwy-0008LQ-39 for ietf-http-wg-dist@listhub.w3.org; Mon, 10 Oct 2016 05:16:32 +0000
Resent-Date: Mon, 10 Oct 2016 05:16:32 +0000
Resent-Message-Id: <E1btSwy-0008LQ-39@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <hurtta@siilo.fmi.fi>) id 1btSwv-0008Km-Uq for ietf-http-wg@listhub.w3.org; Mon, 10 Oct 2016 05:16:29 +0000
Received: from smtpvgate.fmi.fi ([193.166.223.36]) by maggie.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.80) (envelope-from <hurtta@siilo.fmi.fi>) id 1btSwt-0005ub-Eo for ietf-http-wg@w3.org; Mon, 10 Oct 2016 05:16:29 +0000
Received: from torkku.fmi.fi (torkku.fmi.fi [193.166.211.55]) (envelope-from hurtta@siilo.fmi.fi) by smtpVgate.fmi.fi (8.13.8/8.13.8/smtpgate-20160114/smtpVgate) with ESMTP id u9A5FqrP022977 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 10 Oct 2016 08:15:52 +0300
Received: from shell.siilo.fmi.fi by torkku.fmi.fi with ESMTP id u9A5Fq0k016893 ; Mon, 10 Oct 2016 08:15:52 +0300
Received: from shell.siilo.fmi.fi ([127.0.0.1]) by shell.siilo.fmi.fi with ESMTP id u9A5Fq6q016736 ; Mon, 10 Oct 2016 08:15:52 +0300
Received: by shell.siilo.fmi.fi id u9A5FqdP016735; Mon, 10 Oct 2016 08:15:52 +0300
Message-Id: <201610100515.u9A5FqdP016735@shell.siilo.fmi.fi>
In-Reply-To: <CABkgnnUBc9R+m9EwwuP000Cf2XMcS4Z+OWbV-Lcc=8n3GEAgLg@mail.gmail.com>
References: <20161004160321.DFB4C111E5@welho-filter1.welho.com> <BN6PR03MB27082C2CF4DC3F8F82354FDE87C50@BN6PR03MB2708.namprd03.prod.outlook.com> <201610050451.u954pomK003643@shell.siilo.fmi.fi> <CAOdDvNpRN_trGi23BpqUxmaLoLvom9+Yiew0GkNkhgwvqw4Bew@mail.gmail.com> <CABkgnnVKeqnyqhgL=jx1WqtcByqHes25XDJ684J+rNwvQt+znQ@mail.gmail.com> <201610051336.u95DaAW2020152@shell.siilo.fmi.fi> <CABkgnnVaBVE8mUxuGXYe-WeM_OkiNHcA=egnb1-nOxtdujShfw@mail.gmail.com> <201610051616.u95GGWcI031833@shell.siilo.fmi.fi> <BN6PR03MB2708B42C6964AA22AF8FFDC487C40@BN6PR03MB2708.namprd03.prod.outlook.com> <CABkgnnVJ7VRBH4VeGODkSUXdW9XHs8AjB_M0mm8Kt=nv3djvEg@mail.gmail.com> <BN6PR03MB27081C5CF95FB443BB4C155B87C70@BN6PR03MB2708.namprd03.prod.outlook.com> <20161009073417.6A669113F0@welho-filter1.welho.com> <CABkgnnVecDi-w3yxqRBaGqvrz7zGUoYd1z7QyaZVv2zzuySgmg@mail.gmail.com> <201610100445.u9A4jeq4014046@shell.siilo.fmi.fi> <CABkgnnUBc9R+m9EwwuP000Cf2XMcS4Z+OWbV-Lcc=8n3GEAgLg@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 10 Oct 2016 08:15:52 +0300 (EEST)
Sender: hurtta@siilo.fmi.fi
From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
CC: Kari Hurtta <hurtta-ietf@elmme-mailer.org>, Mike Bishop <Michael.Bishop@microsoft.com>, HTTP working group mailing list <ietf-http-wg@w3.org>, Patrick McManus <mcmanus@ducksong.com>
X-Mailer: ELM [version ME+ 2.5 PLalpha41]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
X-Filter: smtpVgate.fmi.fi: 3 received headers rewritten with id 20161010/04101/01
X-Filter: smtpVgate.fmi.fi: ID 4102/01, 1 parts scanned for known viruses
X-Filter: torkku: ID 1360/01, 1 parts scanned for known viruses
Received-SPF: none client-ip=193.166.223.36; envelope-from=hurtta@siilo.fmi.fi; helo=smtpVgate.fmi.fi
X-W3C-Hub-Spam-Status: No, score=-6.8
X-W3C-Hub-Spam-Report: AWL=-0.146, BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-2.708, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1btSwt-0005ub-Eo 3c4afb1f6abf7f66e1f669a139dc684d
X-Original-To: ietf-http-wg@w3.org
Subject: Re: 2.2. Interaction with "https" URIs | Re: SETTINGS_MIXED_SCHEME_PERMITTED | Re: I-D Action: draft-ietf-httpbis-http2-encryption-07.txt
Archived-At: <http://www.w3.org/mid/201610100515.u9A5FqdP016735@shell.siilo.fmi.fi>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/32539
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Martin Thomson <martin.thomson@gmail.com>om>: (Mon Oct 10 07:55:17 2016)
> On 10 October 2016 at 15:45, Kari Hurtta <hurtta-ietf@elmme-mailer.org> wrote:
> > After one "https" reguest that apply:
> >
> > |                            clients MUST NOT send "http" requests on a
> > |    connection that has previously been used for "https" requests,
> 
> The point of this is to cover off any problems that might arise from
> connection reuse.  It's clumsy.  I think that it should be reworded:
> clients MUST NOT send "http" requests on a connection that would
> ordinarily be used for "https" requests unless the http-opportunistic
> origin object [...]

That looks good.
 
> If scheme is determined on the first request and that causes this
> check to pass, then we're going to get false positives.  Remember:
> we're incapable of detecting all cases where the server decides to do
> crazy things - I'm sure that I can devise a server architecture that
> will fail for any solution we devise - we have to instead take steps
> that we think are reasonable.

I can image real word situation where scheme is checked only
on the first request. Namely load balancer which do routing
decision on first request and then same back end connection
is used for all requests. 

Yes, I can not guess all cases where server does grazy things.

( That is:
    route port 80 to pool1
    route port 443, scheme "http" to pool1
    route port 443, scheme "https" to pool2
)

/ Kari Hurtta