Re: [regext] Comments to the feedback about epp-over-http

Mario Loffredo <mario.loffredo@iit.cnr.it> Thu, 31 March 2022 20:06 UTC

Return-Path: <mario.loffredo@iit.cnr.it>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 277743A07F1 for <regext@ietfa.amsl.com>; Thu, 31 Mar 2022 13:06:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, NO_DNS_FOR_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gLc72Mx5EPJE for <regext@ietfa.amsl.com>; Thu, 31 Mar 2022 13:05:57 -0700 (PDT)
Received: from smtp.iit.cnr.it (mx4.iit.cnr.it [146.48.58.11]) by ietfa.amsl.com (Postfix) with ESMTP id 08EFA3A08AE for <regext@ietf.org>; Thu, 31 Mar 2022 13:05:28 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by smtp.iit.cnr.it (Postfix) with ESMTP id D50F0B80B6C; Thu, 31 Mar 2022 22:05:25 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at mx4.iit.cnr.it
Received: from smtp.iit.cnr.it ([127.0.0.1]) by localhost (mx4.iit.cnr.it [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9j0WEoEkSpR0; Thu, 31 Mar 2022 22:05:16 +0200 (CEST)
Received: from [192.12.193.108] (pc-loffredo.staff.nic.it [192.12.193.108]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by smtp.iit.cnr.it (Postfix) with ESMTPSA id 9CC64B80B5A; Thu, 31 Mar 2022 22:05:16 +0200 (CEST)
Content-Type: multipart/alternative; boundary="------------dYHLlvBaoSohZD9sfzumnz01"
Message-ID: <c2bbe76c-4efd-4e92-3098-028291298001@iit.cnr.it>
Date: Thu, 31 Mar 2022 22:03:20 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0
To: Francisco Obispo <francisco@unr.com>
Cc: regext@ietf.org
References: <0843A6FD-79B8-45B9-BE58-0BCED21C19B0@verisign.com> <1b87995b-700b-0d16-1241-c69cf142c3f7@iit.cnr.it> <8346151e-acc1-8e9a-f8ce-ac4d2f6a8dac@knipp.de> <759658bd-4781-a9cb-b7dd-88ba596fe2b0@iit.cnr.it> <58f622e5-1548-4894-a14c-c21125972a74@www.fastmail.com> <de81a129-68a4-8759-ee00-09ef2091ec22@iit.cnr.it> <6E923AA5-4027-4188-8DA3-6A93F39A3173@unr.com> <20457027-440b-02a5-82b8-3bef4e95819a@iit.cnr.it> <25E251B5-32D0-4E11-8383-F6CFFFD72CB8@unr.com>
From: Mario Loffredo <mario.loffredo@iit.cnr.it>
In-Reply-To: <25E251B5-32D0-4E11-8383-F6CFFFD72CB8@unr.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/7tINBM4QEIj9IVEytlVPPBhFTEg>
Subject: Re: [regext] Comments to the feedback about epp-over-http
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2022 20:06:03 -0000

Hi Francisco,

appreciated but:

1) The ssl variables in NGINX are different.

2) Even supposing to extract CN or SAN, as it seems one should do in 
NGINX via a regular expression, it doesn't necessarily correspond to the 
registrar username to access the EPP server.

3) I repeat: why should I complicate a solution to come to another that 
I consider less efficient?

Thanks again for the example that maybe will be useful in the future :-)

Best,

Mario


Il 31/03/2022 20:21, Francisco Obispo ha scritto:
>
> Something like this would work with HAproxy:
>
> https://www.haproxy.com/blog/ssl-client-certificate-information-in-http-headers-and-logs/
>
> Best,
>
>
> On 31 Mar 2022, at 11:14, Mario Loffredo wrote:
>
>     Hi Francisco,
>
>     Maybe we are complicating a bit (just to be polite) something that
>     would  be very easy if the server started every EPP session only
>     after a successful Login.
>
>     Anyway, just for curiosity, can you provide me with an example for
>     NGINX?
>
>     It doesn't sound so simple according to this post
>     <https://stackoverflow.com/questions/64810700/reading-client-certificate-details-with-nginx>
>
>     Best,
>
>     Mario
>
>
>     Il 31/03/2022 19:36, Francisco Obispo ha scritto:
>>
>>     In a scenario where a proxy/load balancer is terminating the TLS
>>     connection, it will most likely need to extract the certificate
>>     information, and encode it into a HTTP header, so that the
>>     backend could later tie the |clID| with the certificate in a way
>>     (i.e.: |cn|).
>>
>>     That's what I would do, to at least guarantee that the client
>>     certificate correspond to the |clID|.
>>
>>     Best,
>>
>>     On 31 Mar 2022, at 9:56, Mario Loffredo wrote:
>>
>>         Hi Patrick,
>>
>>         thanks for your interest.
>>
>>         Il 31/03/2022 17:54, Patrick Mevzek ha scritto:
>>
>>             On Thu, Mar 31, 2022, at 10:36, Mario Loffredo wrote:
>>
>>                 Starting an HTTP session when receiving an EPP
>>                 command other than the
>>                 Login command is in .it experience (but I can speak
>>                 on behalf of .pl
>>                 too) very inefficient because you can't immediately
>>                 lock the HTTP
>>                 session to the Registrar.
>>
>>             I disagree.
>>
>>             If the transport is HTTPS (and not just HTTP), the server
>>             can request
>>             the client to send a certificate, exactly as for EPP over
>>             TLS.
>>
>>             In such case, for *any* HTTP request coming to the
>>             server, the server
>>             theoretically already knows to which client this pertains
>>             as it can
>>             consult the certificate given.
>>
>>             It can be considered a weak or partial authentication,
>>             until the EPP login
>>             is successfully executed.
>>
>>         Are you talking about a signle server or a load balancing
>>         architecture where a proxy routes the requents to a pool of
>>         backend servers?
>>
>>         In addition, it is quite simple to do at socket level. It
>>         seems to me much more complicated at the servlet level.
>>
>>         Mario
>>
>>         --
>>         Dr. Mario Loffredo
>>         Technological Unit “Digital Innovation”
>>         Institute of Informatics and Telematics (IIT)
>>         National Research Council (CNR)
>>         via G. Moruzzi 1, I-56124 PISA, Italy
>>         Phone: +39.0503153497
>>         Web: http://www.iit.cnr.it/mario.loffredo
>>
>>         _______________________________________________
>>         regext mailing list
>>         regext@ietf.org
>>
>>         https://www.ietf.org/mailman/listinfo/regext
>>
>>
>>     _______________________________________________
>>     regext mailing list
>>     regext@ietf.org
>>     https://www.ietf.org/mailman/listinfo/regext
>
>     -- 
>     Dr. Mario Loffredo
>     Technological Unit “Digital Innovation”
>     Institute of Informatics and Telematics (IIT)
>     National Research Council (CNR)
>     via G. Moruzzi 1, I-56124 PISA, Italy
>     Phone: +39.0503153497
>     Web:http://www.iit.cnr.it/mario.loffredo
>
-- 
Dr. Mario Loffredo
Technological Unit “Digital Innovation”
Institute of Informatics and Telematics (IIT)
National Research Council (CNR)
via G. Moruzzi 1, I-56124 PISA, Italy
Phone: +39.0503153497
Web:http://www.iit.cnr.it/mario.loffredo