[websec] Question regarding RFC 6797
"Ben Andrews (beandrew)" <beandrew@cisco.com> Tue, 13 November 2018 23:47 UTC
Return-Path: <beandrew@cisco.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DC78130DF9 for <websec@ietfa.amsl.com>; Tue, 13 Nov 2018 15:47:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fEb4d3S-hbXz for <websec@ietfa.amsl.com>; Tue, 13 Nov 2018 15:47:45 -0800 (PST)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67D50130DF1 for <websec@ietf.org>; Tue, 13 Nov 2018 15:47:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=15598; q=dns/txt; s=iport; t=1542152865; x=1543362465; h=from:to:cc:subject:date:message-id:mime-version; bh=FX9AdCsnZfJqk+tQUtWefGGlakYY1NOLhyjUEAnv+nY=; b=hBglB+MZ3Wo1jZ5eb14t8aaCdRlRPYI5DJFFel3HjUIR8NhP4dsBeOER 0i9hshMAhwdJPEmMI1gn2ba29n30xL2EFg1sZhx/qE0LB/NbUwZanW9g0 DrfSRYBB5alVkThX18klJI2BBecr4RCr9sHffAi2qzz5Zj3l9Oe/hTIC5 w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AEAAC6Yetb/4gNJK1hAxoBAQEBAQIBAQEBBwIBAQEBgVEFAQEBAQsBgQ1ILmaBAicKhFCHNot8k26FVBSBZgsBASOESYM+IjQNDQEDAQECAQECbRwBC4VuTA4EAUciFxQSAQQOBQiDGoEdZA+qFYolBQWLfReBQD+BEAGEU4FaAQECAYErARIBCRxBhRQCiHCFfpATVQkCgWGFFIojIIFYhQSKF4lag06KLgIRFIEmHThkcXAVgyeGCIUUhT5BMQGLOoEfgR8BAQ
X-IronPort-AV: E=Sophos;i="5.56,230,1539648000"; d="scan'208,217";a="481074829"
Received: from alln-core-3.cisco.com ([173.36.13.136]) by rcdn-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Nov 2018 23:47:43 +0000
Received: from XCH-ALN-010.cisco.com (xch-aln-010.cisco.com [173.36.7.20]) by alln-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id wADNlh61017819 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL) for <websec@ietf.org>; Tue, 13 Nov 2018 23:47:43 GMT
Received: from xch-aln-005.cisco.com (173.36.7.15) by XCH-ALN-010.cisco.com (173.36.7.20) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 13 Nov 2018 17:47:42 -0600
Received: from xch-aln-005.cisco.com ([173.36.7.15]) by XCH-ALN-005.cisco.com ([173.36.7.15]) with mapi id 15.00.1395.000; Tue, 13 Nov 2018 17:47:42 -0600
From: "Ben Andrews (beandrew)" <beandrew@cisco.com>
To: "websec@ietf.org" <websec@ietf.org>
CC: "Darren McKinnon (darmckin)" <darmckin@cisco.com>
Thread-Topic: Question regarding RFC 6797
Thread-Index: AdR6wiwG2dbwAoTgTByzf5RIQikPIg==
Date: Tue, 13 Nov 2018 23:47:42 +0000
Message-ID: <879670c11a604e03b7d1f9e8ed0888d9@XCH-ALN-005.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.18.252.170]
Content-Type: multipart/alternative; boundary="_000_879670c11a604e03b7d1f9e8ed0888d9XCHALN005ciscocom_"
MIME-Version: 1.0
X-Outbound-SMTP-Client: 173.36.7.20, xch-aln-010.cisco.com
X-Outbound-Node: alln-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/websec/sjOAnpf2_a0fJ9GAbMsApj5SyXk>
X-Mailman-Approved-At: Fri, 16 Nov 2018 23:27:30 -0800
Subject: [websec] Question regarding RFC 6797
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Nov 2018 00:01:37 -0000
To whom it may concern, I'm not sure if this is the best way to get this answer, but I'm looking for some clarification as to what is the correct behavior for HSTS when you have a web service on ServerA that is then proxied by ServerB, and both hosts have HSTS enabled. This question was spurred by a customer who open up a case stating that SSLLabs was reporting that their site was reporting our HSTS implementation was invalid because it had more than one HSTS header. - The customer (and SSLLabs) reasoning comes from Section 7.1 where it states that "If an STS header field is included, the HSTS Host MUST include only one such header field." https://tools.ietf.org/html/rfc6797#section-7.1 * It's definitely clear that an individual HSTS Host should never add two HSTS headers to the packet. * What isn't clear to me is what happens when you have two HSTS hosts involved in the connection especially since that same section specifies the following which implies that any HSTS should add an HSTS header if it is responding to a secure HTTP request. "When replying to an HTTP request that was conveyed over a secure transport, an HSTS Host SHOULD include in its response message an STS header field that MUST satisfy the grammar specified above in Section 6.1". - However, when you look at both Section 8.1 and Appendix A it's defining specific behaviors for when there are more than one HSTS host/header which insinuates that having more than one header is not actually invalid. https://tools.ietf.org/html/rfc6797#section-8.1 "If a UA receives more than one STS header field in an HTTP response message over secure transport, then the UA MUST process only the first such header field." * This statement especially specifically defines the UA's behavior when it receives more than one HSTS header is received. Was this intended simply to avoid errors, or was the behavior described specifically to support situations when you might have more than one HSTS header? https://tools.ietf.org/html/rfc6797#appendix-A "An HSTS Host may update UA notions of HSTS Policy via new HSTS header field parameter values. We chose to have UAs honor the "freshest" information received from a server because there is the chance of a web site sending out an erroneous HSTS Policy, such as a multi-year max-age value, and/or an incorrect includeSubDomains directive." For example, if you have 2x HSTS Hosts involved in a connection, once source HTTP server (ServerA) on the corporate network and one proxy server (ServerB) for external users to reach the HTTP server. What would be the correct behavior when ServerB receives an HTTPS packet from ServerA with an existing HSTS header that it is supposed to proxy to the UA: A) ServerB should include its own HSTS header as the second header since it was the second host to add the HSTS header to the HTTP packet. B) ServerB should include its own HSTS header as the first header since it's the "freshest" information. C) ServerB should update the existing HSTS header field with any updated HSTS header parameters/directives. D) ServerB should include its own HSTS header overwriting ServerA's HSTS header completely E) ServerB should forward ServerA's HSTS header without modifying the HSTS header in any way. This question regarding the behavior of HSTS in non-transparent proxy situations also brings up the question of what happens when that proxy server's purpose is to transform an external routable domain to an internal only domain. Assuming an error-free secure transport, would the UA add the domain it used to reach the proxy or if it's aware of the internal domain should it add the internal domain instead since that was the original source of the content? This specifically would be an extremely fringe situation that wouldn't apply to most use cases. Not to mention it likely would fall outside of the scope of this RFC especially after reading the rationale within Section 14.3 and Appendix A, but it definitely would be a situation where more guidance on the expected behavior with HSTS in proxy situations could be useful. Please let me know if you have any further comments, questions, issues, or concerns. Kind regards, Ben Andrews Cisco TAC Business Hours: 09:30-17:30 EST M - F Tel: (919)574-6712 Email: beandrew@cisco.com<mailto:beandrew@cisco.com> Direct Manager: Chris Myers Phone: (919) 574-5319 Email: chrimyer@cisco.com<mailto:chrimyer@cisco.com> CIN contact numbers are: North America +1 800 553 2447 Asia-Pacific +61 2 8448 7107 Australia +1 800 805 227 Europe +32 2 704 5555 UK +44 800 960 547 Case uploader: https://cway.cisco.com/csc/
- [websec] Question regarding RFC 6797 Ben Andrews (beandrew)
- Re: [websec] Question regarding RFC 6797 Mehner, Carl