Certificate support over UNIX socket

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Tue Mar 17 04:36:47 PDT 2015


On Mon, Mar 16, 2015 at 9:25 PM, Claudio Luck <cluck at ethz.ch> wrote:
> Hi again,
> There is this comment about listen-clear-file in the sample config:
> # Accept connections using a socket file. It accepts HTTP
> # connections (i.e., without SSL/TLS unlike its TCP counterpart),
> # and uses it as the primary channel. That option cannot be
> # combined with certificate authentication.
> #listen-clear-file = /var/run/ocserv-conn.socket
> haproxy and nginx at least have the ability to pass the SSL certificates and
> the validation exit status as headers to the request while it is forwarded
> to the backend. In haproxy 1.5.7+ config speech:

I don't much like the idea of passing that kind of data in-band. It
will require placing lots of trust in our HTTP parser, and while it
looks like quite nice code, it was not designed to avoid malicious attacks
on the HTTP header parsing. Does haproxy provide a way to obtain that
data out-of-band? In any case this is not currently high priority for
me, but if there is a clean patch I'll certainly consider adding it as
an experimental feature.

regards,
Nikos
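As an added illustration of the trust question raised in the reply above (example code written for this page, not ocserv's or haproxy's own): a backend can only believe in-band certificate headers if it knows they arrived over the channel the proxy owns, and it must refuse ambiguous (duplicated) copies rather than let header parsing decide. The header names X-SSL-Client-Verify and X-SSL-Client-DN and the transport tags are assumptions; the socket path is the one from the quoted sample config.

```python
# Added example, not ocserv or haproxy code. Shows the backend-side checks a
# proxy-forwarded client-certificate header scheme needs before it can be trusted.
# Header names and transport tags are assumed conventions, not ocserv's.
from typing import List, Optional, Tuple

PROXY_SOCKET = "unix:/var/run/ocserv-conn.socket"  # path from the quoted sample config
VERIFY_HDR = "x-ssl-client-verify"  # assumed: proxy writes the verify result, "0" = success
DN_HDR = "x-ssl-client-dn"          # assumed: proxy writes the client certificate subject


class UntrustedHeader(Exception):
    """Raised when a certificate header cannot have come from the proxy."""


def authenticated_subject(transport: str,
                          raw_headers: List[Tuple[str, str]]) -> Optional[str]:
    """Return the client subject DN vouched for by the proxy, or None.

    transport:   where the connection arrived (proxy socket vs. direct listener).
    raw_headers: (name, value) pairs exactly as the HTTP parser produced them.
    """
    # Fold header names case-insensitively, but refuse duplicates of the
    # certificate headers: a second copy means either a client-injected header
    # or a parser ambiguity, and the backend must not guess which copy wins.
    seen = {}
    for name, value in raw_headers:
        key = name.strip().lower()
        if key in (VERIFY_HDR, DN_HDR) and key in seen:
            raise UntrustedHeader("duplicate %s header" % name)
        seen[key] = value.strip()

    # Certificate headers are meaningful only on the channel the proxy owns.
    # On a TCP/TLS listener the remote client could have typed them itself.
    if transport != PROXY_SOCKET:
        if VERIFY_HDR in seen or DN_HDR in seen:
            raise UntrustedHeader("certificate headers on a non-proxy transport")
        return None

    verify = seen.get(VERIFY_HDR)
    if verify is None or verify != "0":
        return None  # no client certificate, or the proxy reported a failure
    return seen.get(DN_HDR) or None
```

A caller that gets None falls back to the non-certificate authentication path; an UntrustedHeader should be logged and the request rejected outright.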
