On 2016-04-13 10:56, Edouard Chamillard wrote:

> so most serious companies have a MITM proxy, able to read an SNI
> header or a Server: field (and not an FQDN, unless your proxy also
> does the DNS resolution (which some do)).
> indeed, it was worth talking about two types of equipment.

Why make it so complicated?

RFC 2817 (which dates from 2000) provides that only the CONNECT needs to
go over HTTP/1.1. At that point the proxy can accept or refuse the
connection depending on the domain requested in the CONNECT.
If accepted, the client can request an upgrade (switch to HTTPS) and
establish a TLS tunnel directly with the remote server, a tunnel that
is not intercepted and that preserves legitimate X.509 authentication.

https://tools.ietf.org/rfc/rfc2817

5. Upgrade across Proxies

 As a hop-by-hop header, Upgrade is negotiated between each pair of
 HTTP counterparties. If a User Agent sends a request with an Upgrade
 header to a proxy, it is requesting a change to the protocol between
 itself and the proxy, not an end-to-end change.

 Since TLS, in particular, requires end-to-end connectivity to provide
 authentication and prevent man-in-the-middle attacks, this memo
 specifies the CONNECT method to establish a tunnel across proxies.

 Once a tunnel is established, any of the operations in Section 3 can
 be used to establish a TLS connection.

5.2 Requesting a Tunnel with CONNECT

 A CONNECT method requests that a proxy establish a tunnel connection
 on its behalf. The Request-URI portion of the Request-Line is always
 an 'authority' as defined by URI Generic Syntax [2], which is to say
 the host name and port number destination of the requested connection
 separated by a colon:

 CONNECT server.example.com:80 HTTP/1.1
 Host: server.example.com:80

 Other HTTP mechanisms can be used normally with the CONNECT method --
 except end-to-end protocol Upgrade requests, of course, since the
 tunnel must be established first.

 For example, proxy authentication might be used to establish the
 authority to create a tunnel:

 CONNECT server.example.com:80 HTTP/1.1
 Host: server.example.com:80
 Proxy-Authorization: basic aGVsbG86d29ybGQ=

 Like any other pipelined HTTP/1.1 request, data to be tunneled may be
 sent immediately after the blank line. The usual caveats also apply:
 data may be discarded if the eventual response is negative, and the
 connection may be reset with no response if more than one TCP segment
 is outstanding.

---------------------------
FRnOG mailing list
http://www.frnog.org/
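The mechanism described in the message above (the proxy decides on the CONNECT authority alone, then passes the TLS handshake through untouched) can be sketched as the decision logic of such a filtering proxy. The following is an added example written for this page, not code from the list, from the RFC, or from any existing proxy; the allowlist, the port policy and the Host-header consistency check are constructed assumptions for the demonstration, not RFC requirements.

```python
import re
from dataclasses import dataclass

# Constructed example policy (assumption): destinations this proxy will
# tunnel to. A real proxy would load this from configuration.
ALLOWED_DOMAINS = {"example.com", "frnog.org"}
ALLOWED_PORTS = {443}

# RFC 2817 5.2: the Request-URI of a CONNECT is an 'authority', i.e.
# host:port. IPv6 literals in brackets are deliberately not handled here.
REQUEST_LINE = re.compile(
    r"^CONNECT (?P<host>[^:\s]+):(?P<port>\d{1,5}) HTTP/1\.(?P<minor>[01])$"
)


@dataclass
class Decision:
    status: int      # HTTP status the proxy answers with
    reason: str      # human-readable reason, for the proxy log
    host: str = ""   # filled in only when the tunnel is granted
    port: int = 0


def parse_connect(request: bytes) -> Decision:
    """Parse a CONNECT request head and decide whether to open the tunnel.

    Everything the proxy can base its decision on is on the request line and
    headers; whatever follows the blank line (the client's TLS ClientHello)
    is opaque tunnel data that is relayed, never inspected or re-signed.
    """
    head, sep, _tunnel_data = request.partition(b"\r\n\r\n")
    if not sep:
        return Decision(400, "incomplete request head")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return Decision(400, "malformed CONNECT request line")
    # RFC 2817 requires HTTP/1.1 for the CONNECT itself.
    if m.group("minor") != "1":
        return Decision(400, "CONNECT requires HTTP/1.1")
    host = m.group("host").lower().rstrip(".")
    port = int(m.group("port"))
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Assumption of this example: a Host header that disagrees with the
    # request authority is rejected rather than silently preferred.
    if headers.get("host", "").lower() != f"{host}:{port}":
        return Decision(400, "Host header does not match request authority")
    if port not in ALLOWED_PORTS:
        return Decision(403, f"port {port} not permitted")
    if not any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS):
        return Decision(403, f"domain {host} not permitted")
    return Decision(200, "tunnel granted", host, port)


def response_for(d: Decision) -> bytes:
    """Build the proxy's reply; on 200 the TCP connection becomes the tunnel."""
    reasons = {200: "Connection Established", 400: "Bad Request", 403: "Forbidden"}
    status_line = f"HTTP/1.1 {d.status} {reasons[d.status]}\r\n"
    if d.status == 200:
        return (status_line + "\r\n").encode()
    body = d.reason + "\n"
    return (
        status_line
        + f"Content-Type: text/plain\r\nContent-Length: {len(body)}\r\n"
        + "Connection: close\r\n\r\n"
        + body
    ).encode()


if __name__ == "__main__":
    # Constructed sample request heads, as a client would send them.
    for raw in (
        b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
        b"CONNECT other.test:443 HTTP/1.1\r\nHost: other.test:443\r\n\r\n",
        b"CONNECT www.example.com:80 HTTP/1.1\r\nHost: www.example.com:80\r\n\r\n",
    ):
        d = parse_connect(raw)
        print(d.status, d.reason, response_for(d)[:40])
```

The point of structuring the proxy this way is that its logging and policy see exactly one thing, the requested host and port; after a 200 the proxy copies bytes in both directions and the server's X.509 certificate is verified by the client, not replaced by the proxy.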
