On 11/08/2016 10:05 p.m., Erik Seres wrote:
> Hi Amos,
>
> Thanks for the answers. After a bit of a delay, I’m getting back to
> implementing this. However, I still have a couple of questions in line
> below...
>
> Thanks,
> Erik
>
>
>> On 2016 Jun 1, at 08:44, Amos Jeffries wrote:
>>
>> On 30/05/2016 11:03 p.m., Erik Seres wrote:
>>> Hi Willy and Amos,
>>>
>>> I think I am confused by what information is expected to go into the
>>> PP2_TYPE_AUTHORITY field and how it would be a suitable substitute
>>> for what SNI represents.
>>
>> PP2 is generic and needs to relay multiple protocols.
>>
>> Authority is a frequently used and generic thing holding a host:port or
>> IP:port value representing the server for the protocol being relayed.
>>
>> SNI breaks the normal pattern used by other protocols and restricts its
>> value to only being an FQDN. No port or raw-IP representation of the
>> server permitted.
>>
>>
>> The mapping is generic and works for any wrapper protocol TLS is
>> transmitted over:
>>
>> When generating the authority from an SNI;
>> * copy the SNI value into authority as-is, and
>> * append the server port being contacted.
>
> How to decide when to use the SNI value vs. something else to populate
> PP2_TYPE_AUTHORITY? For example, in case it is HTTP over TLS with both the
> “Host:” HTTP header and the TLS SNI field provided, which would take
> precedence over the other and make it into the PP2_TYPE_AUTHORITY field? What
> to do in conflicting cases as you mentioned earlier?
>

There is supposed to only be one authority with the same value in all
places. So there should be no confusion over which of the same-valued
fields to use. HTTP does possibly have port number and IP address which
SNI can't store, so that is maybe better to use when you are sure they
are the same otherwise.

As to what to do when they are conflicting. That is tricky. Problems
like CVE-2009-0801 which hit Squid some years back can happen if you use
the wrong one. In Squid to solve that CVE we find it safer to drop all
the uncertain authority name(s) and use only the IP address from the TCP
level underneath - that can't be faked.

So, IMHO it would make sense to do the same thing and not send
PP2_TYPE_AUTHORITY at all if you are not certain its value is correct.
It is optional after all.

Amos
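
The policy discussed in this thread (build the authority from the SNI plus the contacted port, and send no PP2_TYPE_AUTHORITY when the client-supplied names disagree) can be sketched as follows. This is an added example, not code from the thread, Squid or HAProxy; the function names are hypothetical, and the TLV layout (1-byte type 0x02, 2-byte big-endian length) is taken from the PROXY protocol v2 specification.

```python
import struct

PP2_TYPE_AUTHORITY = 0x02  # TLV type value from the PROXY protocol v2 spec

def split_host_port(value, default_port):
    """Split 'host', 'host:port' or '[v6]:port' into (lowercase host, port)."""
    value = value.strip()
    if value.startswith("["):                    # bracketed IPv6 literal
        host, _, rest = value[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    elif value.count(":") == 1:
        host, port = value.split(":")
    else:                                        # bare name or bare IPv6
        host, port = value, ""
    # int() raises ValueError on a non-numeric port; the caller treats
    # that as an uncertain authority.
    return host.rstrip(".").lower(), int(port) if port else default_port

def choose_authority(sni, http_host, server_port):
    """Return 'host:port' only if every supplied name agrees, else None."""
    names = set()
    if sni:                                      # SNI is an FQDN, no port
        names.add((sni.rstrip(".").lower(), server_port))
    if http_host:
        try:
            names.add(split_host_port(http_host, server_port))
        except ValueError:
            return None
    if len(names) != 1:                          # nothing supplied, or conflict
        return None
    host, port = names.pop()
    if not host or not host.isascii() or port != server_port:
        return None
    return f"[{host}]:{port}" if ":" in host else f"{host}:{port}"

def authority_tlv(sni, http_host, server_port):
    """Encode the TLV, or return b'' so the optional field is left out."""
    authority = choose_authority(sni, http_host, server_port)
    if authority is None:
        return b""
    value = authority.encode("ascii")
    return struct.pack("!BH", PP2_TYPE_AUTHORITY, len(value)) + value
```

When the function returns an empty byte string, the receiver is left with only the TCP-level addresses carried in the fixed part of the PROXY header.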

