IETF Logo Mail Archive

Re: [OAUTH-WG] client certs and TLS Terminating Reverse Proxies (was Re: I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt)

Vladimir Dzhuvinov <vladimir@connect2id.com> Thu, 31 October 2019 11:26 UTC

Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C4F3120142 for <oauth@ietfa.amsl.com>; Thu, 31 Oct 2019 04:26:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IMhNUtP_Yxn4 for <oauth@ietfa.amsl.com>; Thu, 31 Oct 2019 04:26:03 -0700 (PDT)
Received: from p3plsmtpa09-07.prod.phx3.secureserver.net (p3plsmtpa09-07.prod.phx3.secureserver.net [173.201.193.236]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E8C612001E for <oauth@ietf.org>; Thu, 31 Oct 2019 04:26:03 -0700 (PDT)
Received: from [192.168.0.102] ([94.155.17.54]) by :SMTPAUTH: with ESMTPSA id Q8aUii6363heuQ8aXi3FwW; Thu, 31 Oct 2019 04:26:02 -0700
To: "oauth@ietf.org" <oauth@ietf.org>
References: <85D42AA1-FF57-4383-BACB-57C5AA32CFAC@lodderstedt.net> <20191021020546.GZ43312@kduck.mit.edu> <CA+k3eCS7pf3wXBkpbXE0AXKUGogo0YcHd8oWfiBfkPB5axGQQw@mail.gmail.com> <8A8B8892-9D16-4210-BC13-47B5D7859976@mit.edu> <20191024170326.GO69013@kduck.mit.edu> <CAGL6epJZtTXKSGFj0BfhF3kd_Z-z2xzOWXOPEKXc5m18Z4L1uA@mail.gmail.com> <CA+k3eCS8VuCfy4XeqYmLuuLK=rLvHsonSZj4i9O11U-mcua9Pg@mail.gmail.com> <CAGL6epKTV5hXqm2-qgUyG-iA90eLu49GjOKeyLcfsn2naTSV5w@mail.gmail.com> <CA+k3eCQ87n4m--nBc+PX7qE727fqA6vM=meEJZxwfnbpJ2dOsw@mail.gmail.com> <CAGL6epJQbVDrAKB+zNAPuaG0+uLxF3HijEE6=vgYaeXxB_2PXQ@mail.gmail.com> <CA+k3eCQbku0V6z2wCM084FW342dY6=_H7mEv6U3sHCDgefkxXA@mail.gmail.com> <E03CD445-39E8-4262-97BE-E0EE11231A63@forgerock.com> <2B2ACEE8-7B48-4E2D-94DA-AF3DA86DE809@mit.edu> <CA+k3eCRmmZJQjk-WGmpYZeyTvQR0SttRUZeh7FDT-=ikzOUwAA@mail.gmail.com> <d2dd4b24-a7d5-5080-4ddc-05e9a742d5d3@connect2id.com> <CA+iA6uiCu8KZM8xpxqxuF4cGR-n53c=w03-h9Ja1rpVsg0goQg@mail.gmail.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Openpgp: preference=signencrypt
Organization: Connect2id Ltd.
Message-ID: <6535fb8b-89fd-9499-ebf6-e8c6e5542fcc@connect2id.com>
Date: Thu, 31 Oct 2019 13:25:58 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <CA+iA6uiCu8KZM8xpxqxuF4cGR-n53c=w03-h9Ja1rpVsg0goQg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------9D7F0DEFFF4C959964304F95"
Content-Language: en-US
X-CMAE-Envelope: MS4wfAntFSfCUt1ev6VNT8sT6k5Wc9cMYUd0Vflc8iKN4J/Y2y6LMYVhG7noXw2LXtZ2hufyHAnQRc+ubiEm9+An67UdcHverZSiZbyki9rlcFMaZcvRuGOf DFn03YgYWgMsh3s4yHqg+TFYMmv4k17AwDEIl48brGIAgC9l+PEz4fl0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/yho0Fzr_fk21hy0f-uBapsc7-bA>
Subject: Re: [OAUTH-WG] client certs and TLS Terminating Reverse Proxies (was Re: I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Oct 2019 11:26:05 -0000

This is a good story.

How about requiring reverse proxies to automatically scrub all inbound
HTTP headers that start with "Sec-"?

If a sec header has the format "Sec-[NAME]-[random-chars]" we get:

* The "Sec-" prefix will  cause new compliant reserve proxies to
automatically scrub the inbound HTTP header.

* The NAME part still makes the header easily identifiable (I think Rich
Salz had this concern).

* The random chars part, potentially optional, will provide a line of
defence against config errors in old legacy reverse proxies.

All concerns should then get covered.

Vladimir

On 31/10/2019 12:48, Hans Zandbelt wrote:
> the way I see this is that stripping and setting the headers must be
> part of the implementation of the protocol itself, it should not be
> something left to a non-atomic piece of configuration by an
> administrator; I implemented it like this in the Apache implementation
> of Brian's TTRP spec [1] and have been doing this for the OIDC and
> OAuth Apache modules that set headers for backends to consume [2]; and
> yes, I have made mistakes [3], but IMHO it should not be a problem to
> use a well known header and make the implementer (not the admin) get
> it right by pointing this out in the spec, as is done for many other
> pitfalls
>
> Hans.
>
> [1] https://github.com/zmartzone/mod_token_binding/blob/master/src/mod_token_binding.c#L481-L483
> [2] https://github.com/zmartzone/mod_auth_openidc/blob/master/src/mod_auth_openidc.c#L164-L175
> [3] https://www.cvedetails.com/cve/CVE-2017-6413/
>
> On Thu, Oct 31, 2019 at 11:37 AM Vladimir Dzhuvinov
> <vladimir@connect2id.com <mailto:vladimir@connect2id.com>> wrote:
>
>>     All in all, I am in favor of this being defined in one standard
>>     way, in addition to secure communication between proxies and
>>     backends being standardized — but this latter bit really seems
>>     like a separate problem.
>>
>>      — Justin
>
>     -1 for devising a well known header
>
>     +1 for a simple way to authenticate a reverse proxy with a web server
>
>     With a well known name, in a attack this will get probed first.
>     The well known header name doesn't guarantee a correct config. And
>     if we have a new standard for sec headers that must be stripped
>     automatically from inbound HTTP requests, we cannot expect that
>     will get implemented in all reverse proxy software overnight.
>
>     Because a correct config is not practical as the only line of
>     defense, when we implemented mTLS we decided to add a length (>=
>     32 chars) and randomness check to the header config. I saw some
>     concerns that this may cause deployment issues. Nobody has
>     complained about that so far.
>
>     https://connect2id.com/products/server/docs/config/core#op-tls-clientX509CertHeader
>
>     Regarding mistyping, this can be an issue, but has little to no
>     effect if a long random header gets misstyped (from the inbound
>     strip directive). With a well known header this will result in a
>     immediate security hole, which can theoretically go unnoticed.
>
>     Here is an example Apache httpd config, to illustrate my point:
>
>     RequestHeader set Sec-Client-X509-Cert-liede5vaePeeMiYie0xu2jaudauleing ""
>     RequestHeader set Sec-Client-X509-Cert-liede5vaePeeMiYie0xu2jaudauleing "%{SSL_CLIENT_CERT}s"
>
>     (the first line strips the inbound headers)
>
>
>     Vladimir
>
>     -- 
>     Vladimir Dzhuvinov
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> -- 
> hans.zandbelt@zmartzone.eu <mailto:hans.zandbelt@zmartzone.eu>
> ZmartZone IAM - www.zmartzone.eu <http://www.zmartzone.eu>

-- 
Vladimir Dzhuvinov

v2.23.0 | Report a Bug | By Email