Resend: HTTP/2 extended CONNECT and HTTP Digest authentication underspecified interaction
Glenn Strauss <gs-lists-ietf-http-wg@gluelogic.com> Sat, 07 September 2024 19:36 UTC
Date: Sat, 07 Sep 2024 15:34:56 -0400
From: Glenn Strauss <gs-lists-ietf-http-wg@gluelogic.com>
To: ietf-http-wg@w3.org
Message-ID: <Ztyq4O3b9D8hCBRZ@xps13>
References: <ZsBoNxqpGQ-Lnbcs@xps13>
In-Reply-To: <ZsBoNxqpGQ-Lnbcs@xps13>
Archived-At: <https://www.w3.org/mid/Ztyq4O3b9D8hCBRZ@xps13>
There appears to be an underspecified interaction with HTTP/2 extended CONNECT and HTTP Digest authentication when clients evaluate wss://.

With the HTTP/2 extended CONNECT method [1], the :method is CONNECT. With wss:// using HTTP/2 extended CONNECT, the :method is CONNECT.

If there is HTTP Digest authentication [2], then the HTTP request method is part of A2 if the qop parameter's value is "auth" or is unspecified. [3]

An inconsistency has been reported to me: [4]

With wss://, Firefox and Chromium both produce a digest using "GET" as the HTTP method, but if using an HTTP/2 connection, use HTTP/2 extended CONNECT for wss://.

For HTTP/2 extended CONNECT, lighttpd produces a digest using "CONNECT" as the HTTP method, and HTTP Digest authentication fails due to the mismatch of the hashes.

https://www.rfc-editor.org/rfc/rfc8441#section-5 notes that https://www.rfc-editor.org/rfc/rfc6455 uses a GET-based request in WebSockets opening handshake, but I did not find additional relevant references to GET.

Which is proper behavior with wss:// using HTTP/2 extended CONNECT and HTTP Digest authentication? Should "CONNECT" be used as the HTTP method for A2, or should "GET" be used as the HTTP method for A2, even though :method is CONNECT?

Should this be an Errata to RFC8441 to better specify the correct behavior with HTTP2 (and HTTP/3)?

Scripts to reproduce the issue can be found in [4].

Thank you for your input.

Cheers,
Glenn

[1] Bootstrapping WebSockets with HTTP/2
    https://www.rfc-editor.org/rfc/rfc8441
[2] HTTP Digest Access Authentication
    https://www.rfc-editor.org/rfc/rfc7616
[3] https://www.rfc-editor.org/rfc/rfc7616#section-3.4.3
[4] https://redmine.lighttpd.net/boards/2/topics/11676
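The following Python is an added illustration of the mismatch the message describes; it is not part of Glenn's message and is not code from lighttpd, Firefox or Chromium. It implements the RFC 7616 response computation for qop=auth (A1 = username:realm:password, A2 = Method:request-uri, response = H(H(A1):nonce:nc:cnonce:qop:H(A2))), builds an Authorization credential the way a client that hashes "GET" would, and then verifies it on the server side once with "CONNECT" (the :method actually on the wire) and once with "GET". The realm, user, password, nonces and URI are constructed sample values; the helper names (`digest_response`, `verify`, `build_authorization`, `parse_authorization`, `demo`) are this example's own, not any implementation's API.

```python
import hashlib
import hmac
import re

# RFC 7616 algorithm token <-> hashlib name. A missing algorithm parameter means MD5.
_ALGO_TO_HASHLIB = {"MD5": "md5", "SHA-256": "sha256"}
_HASHLIB_TO_ALGO = {v: k for k, v in _ALGO_TO_HASHLIB.items()}


def _h(data: str, algo: str) -> str:
    """RFC 7616 H(): hex digest of a string under the negotiated algorithm."""
    return hashlib.new(algo, data.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce,
                    qop="auth", algo="sha256"):
    """Client/server response for qop=auth (RFC 7616 sections 3.4.1 to 3.4.3).

    The request method is folded into A2, so the same credentials hashed with
    "GET" and with "CONNECT" yield different response values.
    """
    a1 = f"{username}:{realm}:{password}"
    a2 = f"{method}:{uri}"
    return _h(f"{_h(a1, algo)}:{nonce}:{nc}:{cnonce}:{qop}:{_h(a2, algo)}", algo)


# key=value or key="quoted value", comma separated
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_authorization(value: str) -> dict:
    """Parse the field value of 'Authorization: Digest ...' into a dict."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {k: quoted or token for k, quoted, token in _PARAM.findall(params)}


def build_authorization(username, realm, password, method, uri, nonce, cnonce,
                        nc="00000001", algo="sha256"):
    """Client side: produce the credential a client hashing `method` would send."""
    resp = digest_response(username, realm, password, method, uri, nonce, nc,
                           cnonce, "auth", algo)
    return (f'Digest username="{username}", realm="{realm}", uri="{uri}", '
            f'algorithm={_HASHLIB_TO_ALGO[algo]}, nonce="{nonce}", nc={nc}, '
            f'cnonce="{cnonce}", qop=auth, response="{resp}"')


def verify(value: str, method: str, password_lookup) -> bool:
    """Server side: recompute the response using the method the server
    believes was used and compare it in constant time."""
    p = parse_authorization(value)
    if p.get("qop") != "auth":
        raise NotImplementedError("this example covers qop=auth only")
    algo = _ALGO_TO_HASHLIB[p.get("algorithm", "MD5")]
    expected = digest_response(p["username"], p["realm"],
                               password_lookup(p["username"]), method,
                               p["uri"], p["nonce"], p["nc"], p["cnonce"],
                               "auth", algo)
    return hmac.compare_digest(expected, p["response"])


# Constructed sample values; not taken from the message or the lighttpd report.
USERS = {"alice": "correct horse battery staple"}
REALM = "ws@example.test"
NONCE = "c0ffee1234"    # would be server generated per challenge
CNONCE = "deadbeef5678"  # would be client generated per request
URI = "/chat"


def demo() -> dict:
    """Model the reported mismatch: the client hashes "GET" for A2 while the
    HTTP/2 request it actually sends carries :method = CONNECT."""
    header = build_authorization("alice", REALM, USERS["alice"], "GET", URI,
                                 NONCE, CNONCE)
    return {
        # server hashes the :method it received, as the message says lighttpd does
        "verified_with_CONNECT": verify(header, "CONNECT", USERS.get),
        # server hashes "GET", matching what the browsers are reported to send
        "verified_with_GET": verify(header, "GET", USERS.get),
    }


if __name__ == "__main__":
    print(demo())
```

The two `verify` calls in `demo` stand for the two sides of the question the message poses: a server that hashes the :method it received rejects the credential, and one that hashes "GET" accepts it. The example does not settle which side is correct; it only makes the dependence of the response on the method concrete, and it shows the server-side checks a practitioner would want regardless of the answer: take the algorithm from the credential (defaulting to MD5 as RFC 7616 requires), and compare the recomputed response in constant time.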