IETF Logo Mail Archive

Re: [hybi] CONNECT handshake text

Maciej Stachowiak <mjs@apple.com> Wed, 08 December 2010 20:14 UTC

Return-Path: <mjs@apple.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7C86B3A69AC for <hybi@core3.amsl.com>; Wed, 8 Dec 2010 12:14:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m4MKBSLIowY5 for <hybi@core3.amsl.com>; Wed, 8 Dec 2010 12:14:50 -0800 (PST)
Received: from mail-out4.apple.com (mail-out.apple.com [17.254.13.23]) by core3.amsl.com (Postfix) with ESMTP id 53CF23A69A9 for <hybi@ietf.org>; Wed, 8 Dec 2010 12:14:50 -0800 (PST)
Received: from relay11.apple.com (relay11.apple.com [17.128.113.48]) by mail-out4.apple.com (Postfix) with ESMTP id 4A30AC272B0F for <hybi@ietf.org>; Wed, 8 Dec 2010 12:16:18 -0800 (PST)
X-AuditID: 11807130-b7b9aae0000061eb-2f-4cffe79281db
Received: from elliott.apple.com (elliott.apple.com [17.151.62.13]) by relay11.apple.com (Apple SCV relay) with SMTP id 71.B1.25067.297EFFC4; Wed, 8 Dec 2010 12:16:18 -0800 (PST)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_f0taRPS0ltK4wsGEuo03ZQ)"
Received: from [17.246.16.23] by elliott.apple.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <0LD4005J1LN5IL40@elliott.apple.com> for hybi@ietf.org; Wed, 08 Dec 2010 12:16:18 -0800 (PST)
From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <AANLkTimWpLUFuNR62Titix5WyJumnJg7rKXty1yX7G6O@mail.gmail.com>
Date: Wed, 08 Dec 2010 11:26:38 -0800
Message-id: <2AFC40EF-BC43-4709-8160-5476643CFC83@apple.com>
References: <AANLkTinEXHBeaUPo4gK2CHbq7ZHYnY2PE3Vb+Oi+K1NM@mail.gmail.com> <op.vnd6ijrzidj3kv@dhcp-190.linkoping.osa> <AANLkTimWpLUFuNR62Titix5WyJumnJg7rKXty1yX7G6O@mail.gmail.com>
To: ifette@google.com
X-Mailer: Apple Mail (2.1082)
X-Brightmail-Tracker: AAAAAA==
Cc: hybi@ietf.org
Subject: Re: [hybi] CONNECT handshake text
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Dec 2010 20:14:51 -0000

On Dec 8, 2010, at 7:42 AM, Ian Fette (イアンフェッティ) wrote:

> 2010/12/8 Simon Pieters <simonp@opera.com>
> On Tue, 07 
> 
> 
> Fette                     Expires June 8, 2011                 [Page 25]
> %0CInternet-Draft           The WebSocket protocol            December 2010
> 
> 
> 
>   5.  If /secure/ is true, the user agent MUST perform a TLS handshake
>       over the connection.  If this fails (e.g. the server's
>       certificate could not be verified), then the user agent MUST fail
>       the WebSocket connection and abort the connection.  Otherwise,
>       all further communication on this channel MUST run through the
>       encrypted tunnel.  [RFC2246]
> 
>       User agents MUST use the Server Name Indication extension in the
>       TLS handshake.  [RFC4366]
> 
>   Once a connection to the server has been established (including a
>   connection via a proxy or over a TLS-encrypted tunnel), the client
>   MUST send a handshake to the server.  The handshake consists of a
>   CONNECT request, along with a list of required and optional headers.
>   The requirements for this handshake are as follows.
> 
>   1.   The handshake must be a valid HTTP request as specified by
>        [RFC2616].
> 
> The current draft says which bytes should be put on the wire exactly. I prefer the current draft over referencing RFC2616 since doing the latter makes many variations conforming which can cause interop problems.
> 
> 
> And this was a source of contention for many people.

I believe the contention was about restricting handshake parsing to reject the client handshake unless it meets very specific requirements which are tighter than the full syntax for an HTTP request.

I don't think anyone had a serious objection to restricting what the client may send to be a subset of RFC2616-compliant requests.

I believe it is actively harmful to give client implementations an extra degree of freedom here, and there is no particular benefit to the extra flexibility.

In other words, make the generation of the client handshake precise, and let the server parsing be flexible (to the degree that is compatible with security requirements).

Regards,
Maciej

v2.23.0 | Report a Bug | By Email