> Le 30 nov. 2017 à 13:34, Olivier Houchard <[email protected]> a écrit : > > Hi Emmanuel, > > On Thu, Nov 30, 2017 at 12:15:37PM +0100, Emmanuel Hocdet wrote: >> Hi Olivier, >> >>> Le 29 nov. 2017 à 19:57, Olivier Houchard <[email protected]> a écrit : >>> >>> On Mon, Nov 27, 2017 at 06:19:41PM +0100, Emmanuel Hocdet wrote: >>>>> Maybe the best is to add a new flag per conn_stream, CS_FL_WAITING_FOR_HS >>>>> or >>>>> something, instead of relying on CO_FL_EARLY_DATA. >>>>> I think I'm going to do something like that. >>>> >>>> I think it's a good idea, two different things to deal with one tag. >>>> >>>>> That still doesn't help with your problem with TCP mode, though. I still >>>>> want >>>>> the CO_FL_EARLY_DATA to be removed after the handshake, so that we don't >>>>> add the "Early-Data: 1" header if it is not needed. But it just occured >>>>> to me that I can easily fix that by adding the header, not only if >>>>> CO_FL_EARLY_DATA is set, but if CO_FL_EARLY_SSL_HS or CO_FL_SSL_WAIT_HS >>>>> is set. >>>>> That way we will both be happy :) >>>> >>> >>> So, this if my first cut at it. It basically does as I said. >>> Only thing you may be unhappy with, I made the sample fetch ssl_fc_has_early >>> return 0 if we had early data but the handshake happened, because the main >>> use case is to know if there are early data and if they're a potential >>> security risk. >>> If you can give me a case where we have a need a sample fetch to know there >>> were early data, even after the handshake, maybe we can introduce a new >>> sample fetch, ssl_fc_has_insecure_early, or something ? >>> >> >> In this case, i don’t understand the interest of ssl_fc_has_early. >> >> looking at the documentation >> ssl_fc_has_early : boolean >> Returns true if early data were sent, and the handshake didn't happen yet. >> As >> it has security implications, it is useful to be able to refuse those, or >> wait until the handshake happened. >> >> ssl_fc_* can be used after the front connection at ssl level: handshake will >> be finished at this time. >> ssl_fc_has_early should be: returns true if early data were sent and >> accepted in ssl level. (425 return is http level) >> >> What the description makes me think, and understand what you said, is that >> it could be a « ssl_hs_has_early ». >> I’m very interesting to have acl on hs negotiation, i don't know how to do >> that now in haproxy. >> > > No, sls_fc_has_early can be used before the handshake happened. If we > received early data, the request will be treated before the handshake (and > potentially the answer from the server will be sent before the handshake is > done). So ssl_fc_has_early is there to be able to stop any "dangerous" > request. >
My fault, i don’t read the doc of ssl_fc_has_early: as user it confused me on the meaning and usage. What i mean is about the name of the prefix ssl_fc* ssl front connection. All ssl_fc_* can be used in log-format because is valid after the end of HS. ssl_fc_has_early is the first _fc_ with a different behavior and is not PoLA : ssl_fc_has_early can be used in http mode but it can false report in log-format, and is useless in tcp mode? but it’s ssl_fc_* ... Technically, with early HS, we have new informations who can changed after the HS. I think such informations deserves a new prefix for sample. ( ssl_fhs_* ?) For exemple, it could be used for acl in early HS (of course in http mode and perhaps one day in tcp mode). ++ Manu
