Hello!

On Mon, May 31, 2021 at 09:41:42PM +0200, Steffen Kieß wrote:

> On 31.05.21 18:36, Maxim Dounin wrote:
> >
> > Thanks for the patch. You may want to elaborate a bit more on how
> > do you expect these variables to be used.
> >
> > [...]
> >
>
> These variables can be used to implement authentication with channel
> binding in an http application. [...]
> I've attached a flask application + a client which shows how this can be
> used, the required configuration in NGINX (when using fastcgi) is:

So, you expect these variables to be used by application developers
to implement some (currently not implemented) authentication with
channel binding in HTTP, and that's the only use case you consider,
correct?

Note that HTTP provides no guarantees about channels, that is,
connections, and trying to use channel binding is expected to break
operation over HTTP, especially in complex setups when using proxies
or reverse proxies, such as nginx. Further, invalid assumptions about
guarantees in HTTP can easily cause security issues, by incorrectly
authenticating unrelated requests on the connection. Basically the
same set of issues as already seen with Microsoft's mis-designed NTLM
authentication which doesn't work through proxies.

Given that, it might not be a good idea to provide such variables.

-- 
Maxim Dounin
http://mdounin.ru/
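
The connection-reuse problem raised in the message above, as an added toy model that is not part of the original thread or of nginx: a backend that keeps authentication state per connection sits behind a reverse proxy that shares one upstream connection between clients. All class names, client names and tokens are hypothetical and constructed for illustration; real TLS channel binding is not modelled, only the assumption that one connection means one user.

```python
from dataclasses import dataclass
from typing import Optional

VALID_TOKENS = {"token-alice": "alice"}  # constructed sample credential


@dataclass
class UpstreamConn:
    """One proxy-to-backend connection; the backend may attach state to it."""
    conn_id: int
    authed_user: Optional[str] = None


class Backend:
    def handle_conn_bound(self, conn, token=None):
        # Flawed assumption: once a connection has authenticated, every
        # later request arriving on it belongs to the same user.
        if token in VALID_TOKENS:
            conn.authed_user = VALID_TOKENS[token]
        return conn.authed_user

    def handle_per_request(self, conn, token=None):
        # Every request must carry its own credential; connection state
        # is never consulted.
        return VALID_TOKENS.get(token)


class PoolingProxy:
    """Reverse proxy that reuses a single upstream connection for all clients."""

    def __init__(self, handler):
        self.handler = handler
        self.upstream = UpstreamConn(conn_id=1)

    def forward(self, client_name, token=None):
        # The backend never sees which client connection the request came
        # from; it only sees the shared upstream connection.
        return self.handler(self.upstream, token)


def run(mode):
    """Return the identity the backend assigns to two consecutive requests."""
    backend = Backend()
    handler = (backend.handle_conn_bound if mode == "conn"
               else backend.handle_per_request)
    proxy = PoolingProxy(handler)
    first = proxy.forward("alice", "token-alice")  # authenticates
    second = proxy.forward("bob")                  # unrelated client, no credential
    return first, second


if __name__ == "__main__":
    print("connection-bound:", run("conn"))
    print("per-request:     ", run("request"))
```

In the connection-bound mode the second, credential-less request is attributed to the first client's identity, which is the mis-authentication the message describes; the per-request mode returns no identity for it.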