Re: Resend: HTTP/2 extended CONNECT and HTTP Digest authentication underspecified interaction
David Schinazi <dschinazi.ietf@gmail.com> Mon, 09 September 2024 19:07 UTC
Agreed, this is a real issue that impacts all uses of extended CONNECT. I think it might warrant a new document that updates 7616, 8441, and 9220. That said, if we have deployed code in clients and servers that does different things, we're already in a not-great place. I'm not sure what the best path forward is.

David

On Mon, Sep 9, 2024 at 11:06 AM Ben Schwartz <bemasc@meta.com> wrote:

> This is a very interesting situation. Naively, it would seem that "CONNECT" is the method. However, if the backend is speaking HTTP/1.1 through a WebSocket+HTTP/2 gateway, then the method will be rewritten, and the client and origin will disagree about the method. Uh-oh...
>
> I note that this question applies equally to the MASQUE protocols as well.
>
> --Ben
> ------------------------------
> *From:* Glenn Strauss <gs-lists-ietf-http-wg@gluelogic.com>
> *Sent:* Saturday, September 7, 2024 3:34 PM
> *To:* ietf-http-wg@w3.org <ietf-http-wg@w3.org>
> *Subject:* Resend: HTTP/2 extended CONNECT and HTTP Digest authentication underspecified interaction
>
> There appears to be an underspecified interaction with HTTP/2 extended CONNECT and HTTP Digest authentication when clients evaluate wss://.
>
> With the HTTP/2 extended CONNECT method [1], the :method is CONNECT. With wss:// using HTTP/2 extended CONNECT, the :method is CONNECT.
>
> If there is HTTP Digest authentication [2], then the HTTP request method is part of A2 if the qop parameter's value is "auth" or is unspecified. [3]
>
> An inconsistency has been reported to me: [4] With wss://, Firefox and Chromium both produce a digest using "GET" as the HTTP method, but if using an HTTP/2 connection, use HTTP/2 extended CONNECT for wss://. For HTTP/2 extended CONNECT, lighttpd produces a digest using "CONNECT" as the HTTP method, and HTTP Digest authentication fails due to the mismatch of the hashes.
>
> https://www.rfc-editor.org/rfc/rfc8441#section-5 notes that https://www.rfc-editor.org/rfc/rfc6455 uses a GET-based request in the WebSockets opening handshake, but I did not find additional relevant references to GET.
>
> Which is proper behavior with wss:// using HTTP/2 extended CONNECT and HTTP Digest authentication? Should "CONNECT" be used as the HTTP method for A2, or should "GET" be used as the HTTP method for A2, even though :method is CONNECT? Should this be an erratum to RFC 8441 to better specify the correct behavior with HTTP/2 (and HTTP/3)?
>
> Scripts to reproduce the issue can be found in [4].
>
> Thank you for your input.
> Cheers, Glenn
>
> [1] Bootstrapping WebSockets with HTTP/2
> https://www.rfc-editor.org/rfc/rfc8441
>
> [2] HTTP Digest Access Authentication
> https://www.rfc-editor.org/rfc/rfc7616
>
> [3] https://www.rfc-editor.org/rfc/rfc7616#section-3.4.3
>
> [4] https://redmine.lighttpd.net/boards/2/topics/11676
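The mismatch described in the thread, modelled as an added example that is not part of any message above or of the reproduction scripts in [4]: the RFC 7616 `response` computation for `qop=auth` hashes the request method into A2, so a client that hashes `GET` (the RFC 6455 handshake method) and a server that hashes `CONNECT` (the RFC 8441 `:method`) derive different values from identical credentials. All credential and challenge values are constructed.

```python
import hashlib

# Constructed sample credentials and challenge values (not from the thread).
CREDS = {"username": "alice", "realm": "ws.example", "password": "constructed-secret"}
CHALLENGE = {"nonce": "7ypf/xlj9XXwfDPEoM4URrv", "cnonce": "f2/wE4q74E6j5cq",
             "nc": "00000001", "qop": "auth"}


def digest_response(method: str, uri: str, algorithm: str = "md5") -> str:
    """Compute the Digest 'response' of RFC 7616 section 3.4 for qop=auth.

    A1 = username ":" realm ":" password
    A2 = Method ":" request-uri           (qop=auth or unspecified, section 3.4.3)
    response = H( H(A1) ":" nonce ":" nc ":" cnonce ":" qop ":" H(A2) )

    Because the method is part of A2, the client and the server must agree on
    which method the request carried or the two hashes will never match.
    """
    hfun = getattr(hashlib, algorithm)  # "md5" or "sha256", both defined by RFC 7616

    def h(s: str) -> str:
        return hfun(s.encode("utf-8")).hexdigest()

    a1 = f"{CREDS['username']}:{CREDS['realm']}:{CREDS['password']}"
    a2 = f"{method}:{uri}"
    c = CHALLENGE
    return h(f"{h(a1)}:{c['nonce']}:{c['nc']}:{c['cnonce']}:{c['qop']}:{h(a2)}")


def server_accepts(client_method: str, server_method: str, uri: str = "/chat") -> bool:
    """Model the handshake from the thread: the client hashes the method it believes
    it is sending (GET for the RFC 6455 opening handshake), while the server
    recomputes with the method it received (:method = CONNECT under RFC 8441)."""
    return digest_response(client_method, uri) == digest_response(server_method, uri)


if __name__ == "__main__":
    for client, server in [("GET", "GET"), ("GET", "CONNECT"), ("CONNECT", "CONNECT")]:
        outcome = "accepted" if server_accepts(client, server) else "401 (hash mismatch)"
        print(f"client hashes {client:7s} server hashes {server:7s} -> {outcome}")
```

The same disagreement appears with `sha256` as the algorithm, since the method sits inside the hashed A2 string regardless of the hash function.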