IETF Logo Mail Archive

Re: [hybi] #4: handshake does not work properly with HTTP reverse proxy.

Jamie Lokier <jamie@shareable.org> Wed, 21 July 2010 22:30 UTC

Return-Path: <jamie@shareable.org>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 42EB43A6899 for <hybi@core3.amsl.com>; Wed, 21 Jul 2010 15:30:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.367
X-Spam-Level:
X-Spam-Status: No, score=-2.367 tagged_above=-999 required=5 tests=[AWL=0.232, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VxVfiMM9OAmd for <hybi@core3.amsl.com>; Wed, 21 Jul 2010 15:29:56 -0700 (PDT)
Received: from mail2.shareable.org (mail2.shareable.org [80.68.89.115]) by core3.amsl.com (Postfix) with ESMTP id 0AF1A3A684F for <hybi@ietf.org>; Wed, 21 Jul 2010 15:29:55 -0700 (PDT)
Received: from jamie by mail2.shareable.org with local (Exim 4.63) (envelope-from <jamie@shareable.org>) id 1Obhnm-0000YT-Iz; Wed, 21 Jul 2010 23:30:10 +0100
Date: Wed, 21 Jul 2010 23:30:10 +0100
From: Jamie Lokier <jamie@shareable.org>
To: Greg Wilkins <gregw@webtide.com>
Message-ID: <20100721223010.GB14589@shareable.org>
References: <068.da8db0c773647cb0ed73d576f39e93ee@tools.ietf.org> <20100717023749.GA2426@shareable.org> <AANLkTil36SNqlpqq2zNMVSgsA_27kqnuioi0qFTKQR1m@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <AANLkTil36SNqlpqq2zNMVSgsA_27kqnuioi0qFTKQR1m@mail.gmail.com>
User-Agent: Mutt/1.5.13 (2006-08-11)
Cc: hybi@ietf.org, hybi issue tracker <trac@tools.ietf.org>
Subject: Re: [hybi] #4: handshake does not work properly with HTTP reverse proxy.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Jul 2010 22:30:23 -0000

Greg Wilkins wrote:
> On 17 July 2010 12:37, Jamie Lokier <jamie@shareable.org> wrote:
> > hybi issue tracker wrote:
> > From discussions on the hybi list several months ago, several times, I
> > got the impression that failure to work through any kind of HTTP proxy
> > was *intentional* in the handshake design.
> >
> > I don't personally agree with that as a design goal, but if it is the
> > design goal than this issue #4 isn't a bug.
> 
> >From those same discussion, I concluded that the intent of this
> "feature" was to fast fail in the presence of any kind of HTTP proxy.
> Given that this "feature" is now resulting in a hang if there is such
> a proxy, then I think it is still a bug whatever way you look at it.

I agree with something implied here: fast failing is more desirable
than slow failing, where it's realistically feasible to trigger fast
failing without causing problems.  It can't be guaranteed, and there's
no point overcomplicating it, but it's useful to try.

> More importantly, the best way to test if a connection will support
> websocket packets, is to just send websocket packets.   Sending 8/16
> random bytes immediately after the HTTP handshake may succeed for a
> huge variety of implementation reasons that still do not mean that
> websocket packets will succeed.   More importantly, to detect the
> non-success of sending of the 8/16 random bytes will still involve the
> same timeout handling that would be required to check the transmission
> of websocket packets.

The argument against just sending WebSocket packets is that some
WebSocket packets may be valid HTTP and therefore more likely to be
misinterpreted or be used as another attack vector, or simply fail to
fail fast.

That's not possible with the current WebSocket frame types, but it
could happen with frame types from the currently reserved range.

That's also an argument against making the bytes uniformly random;
instead they should also be constrained to avoid looking like HTTP.

-- Jamie

v2.23.0 | Report a Bug | By Email