Re: [hybi] thewebsocketprotocol #4 (new): handshake does not work properly with HTTP reverse proxy.

"hybi issue tracker" <trac@tools.ietf.org> Sun, 17 October 2010 23:12 UTC


#4: handshake does not work properly with HTTP reverse proxy.


Comment(by gregw@…):

 A fix for this issue was proposed and discussed in the thread
 http://www.ietf.org/mail-archive/web/hybi/current/msg04148.html

 Specifically that:

 * The unframed random bytes should not be sent by the client after the
 upgrade request. Instead, all the random bytes that represent a client-
 generated nonce should be sent as hex-encoded header values in the upgrade
 request.
 * The server should receive and handle the upgrade request entirely as an
 HTTP request.  If the connection is acceptable, then a 101 response
 should be sent.
 * Immediately following the 101 response, the server must send a PING ws
 frame (alternately a new HELLO frame), that contains a hash of the client
 nonce plus a newly generated server nonce. The server will start a timeout
 waiting for a response.
 * The server may start sending WS frames after the PING, but must do so
 with knowledge that the handshake is not complete and the client may still
 reject it.
 * The client will receive the 101 response.
 * The client will receive the PING WS frame (or HELLO) and will check the
 value of the hashed client nonce.
 * The client will send a PONG response (or HELLO) containing a hash of the
 server nonce.
 * The client will call the onopen function of the related websocket API.
 The client may now send and receive WS frames.
 * The server will receive the PONG (or HELLO) response and will check the
 hashed server nonce in that frame.
 * The server will notify its local application that the handshake has
 completed.


 There were some objections to this proposal, mostly focused on security
 issues. The result of the discussion around these objections is that a
 CONNECT-based handshake may be proposed, plus further advocacy of
 TLS/NPN approaches.

 The proposed changes to the upgrade handshake were further discussed in
   http://www.ietf.org/mail-archive/web/hybi/current/msg04401.html

 Proposed diffs will be coming next.

-- 
-------------------------------------------+--------------------------------
 Reporter:  salvatore.loreto@…             |       Owner:     
     Type:  defect                         |      Status:  new
 Priority:  critical                       |   Milestone:     
Component:  thewebsocketprotocol           |     Version:     
 Severity:  Active WG Document             |    Keywords:     
-------------------------------------------+--------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/hybi/trac/ticket/4#comment:5>
hybi <http://tools.ietf.org/hybi/>
The Hypertext-Bidirectional (HyBi) working group will seek
standardization of one approach to maintain bidirectional
communications between the HTTP client, server and intermediate
entities, which will provide more efficiency compared to the current
use of hanging requests.
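The handshake sequence from the comment above, as an added worked example (not code from the ticket, the thread, or any hybi draft): a simulated client and server exchange the nonce in a header, the server answers 101 and then a PING carrying H(client nonce) plus its own nonce, and the client only replies with a PONG (and would only fire onopen) when that hash checks out. The header name, the hash function (SHA-256), the nonce sizes and the PING/PONG payload layout are assumptions; the comment specifies none of them. The second run models the failure the proposal is meant to catch: a peer that accepted the upgrade but is not WebSocket-aware never produces a valid PING, so the handshake stays incomplete.

```python
import hashlib
import hmac
import os

# Assumed names: the comment does not fix the header name or the hash.
NONCE_HEADER = "Sec-WebSocket-Nonce"
HASH = hashlib.sha256

def client_upgrade_request(client_nonce: bytes) -> str:
    """Step 1: the nonce travels hex-encoded in a header, not as unframed bytes."""
    return ("GET /chat HTTP/1.1\r\nHost: example.com\r\nUpgrade: WebSocket\r\n"
            f"Connection: Upgrade\r\n{NONCE_HEADER}: {client_nonce.hex()}\r\n\r\n")

def parse_headers(request: str) -> dict:
    """Minimal HTTP/1.1 header parser (request line dropped, names lowercased)."""
    head = request.partition("\r\n\r\n")[0].split("\r\n")[1:]
    pairs = (line.split(":", 1) for line in head if ":" in line)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def server_accept(request: str, server_nonce: bytes):
    """Steps 2-3: treat the upgrade as plain HTTP; on 101, queue a PING whose
    payload is H(client_nonce) || server_nonce (layout assumed)."""
    headers = parse_headers(request)
    if headers.get("upgrade", "").lower() != "websocket" or NONCE_HEADER.lower() not in headers:
        return "HTTP/1.1 400 Bad Request\r\n\r\n", None
    client_nonce = bytes.fromhex(headers[NONCE_HEADER.lower()])
    ping = HASH(client_nonce).digest() + server_nonce
    return "HTTP/1.1 101 Switching Protocols\r\nUpgrade: WebSocket\r\nConnection: Upgrade\r\n\r\n", ping

def client_check_ping(client_nonce: bytes, ping: bytes):
    """Steps 5-7: verify the hashed client nonce; only then build the PONG = H(server_nonce).
    Returning None means the client must not call onopen."""
    digest_len = HASH().digest_size
    expected = HASH(client_nonce).digest()
    if len(ping) <= digest_len or not hmac.compare_digest(ping[:digest_len], expected):
        return None
    return HASH(ping[digest_len:]).digest()

def server_check_pong(server_nonce: bytes, pong) -> bool:
    """Steps 9-10: the server reports the handshake complete only if the PONG matches."""
    return pong is not None and hmac.compare_digest(pong, HASH(server_nonce).digest())

def run_handshake(server_is_ws_aware: bool = True) -> bool:
    client_nonce, server_nonce = os.urandom(16), os.urandom(16)
    response, ping = server_accept(client_upgrade_request(client_nonce), server_nonce)
    if not response.startswith("HTTP/1.1 101"):
        return False
    if not server_is_ws_aware:
        # Constructed: bytes a plain HTTP server might emit where the PING is expected.
        ping = b"HTTP/1.1 200 OK\r\n\r\nhello"
    return server_check_pong(server_nonce, client_check_ping(client_nonce, ping))
```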