From:  Eric Rescorla <ekr@rtfm.com>
Date:  08 May 2017 05:51:03 Hong Kong Time
Newsgroup:  news.mozilla.org/mozilla.dev.tech.network
Subject:  Re: Credentials and connection pools

NNTP-Posting-Host:  63.245.214.181

On Sun, May 7, 2017 at 2:46 PM, Patrick McManus 
wrote:

>  This is probably particular to TLS, as the windows auth stuff does apply
> more like http basic auth (it returns 401 to bootstrap things, rather than
> making a challenge at the session layer with a request in flight)
>
> wrt tls client auth I would think if the outstanding requests is marked
> anonymous we should not allow authentication to proceed if the server sends
> a helloRequest (and I have no idea whether we apply that check now or not -
> that code hasn't changed in forever) just because that's a nonsensical
> combination, right?  Again, seems like we can handle that as an
> implementation issue without drawing a bright line for 99% of the world
> that doesn't do connection based client auth and creating a burden on
> webdevs to get this junk right in markup.
>

I think you'd have to handle this by actually tearing down the connection
and re-initiating on another one.

That said, I'm also worried that there are misguided servers which bind
HTTP-level authentication to the TLS connection. Those servers are going to
have a bad day if we coalesce... Do we know that there aren't any?

-Ekr


> On Sun, May 7, 2017 at 5:34 PM, Eric Rescorla  wrote:
>
>>
>>
>> On Sun, May 7, 2017 at 2:06 PM, Patrick McManus 
>> wrote:
>>
>>>
>>> On Sun, May 7, 2017 at 4:44 PM, Eric Rescorla  wrote:
>>>
>>>>
>>>> Hmm... What about when you have post-handshake auth that retroactively
>>>> blesses requests that should have been anonymous?
>>>>
>>>
>>>
>>> TLS client auth doesn't retroactively apply.
>>>
>>
>> Not sure I agree here. One of the standard idioms is that the server
>> receives a sensitive request, then sends HelloRequest, and then when the
>> handshake completes, delivers the response. I would call that retroactive.
>>
>> -Ekr
>>
>>
>>
>>
>>> so yeah, when I said every request on that conn I should have said every
>>> request on that conn while it is authenticated (and it can change and
>>> whatnot; not trying to write a taxonomy here). windows auth has a similar
>>> property that it starts with an unauthenticated connection and a http
>>> response at any point could choose to start the authentication dance - but
>>> it doesn't apply backwards. You can see why the multiplexing of h2 booted
>>> all this stuff off the island.
>>>
>>>
>>>
>>
>
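The connection handling the thread argues about, as an added illustration that is not part of the original posts and not Firefox or NSS code: a toy HTTP/2-style pool where TLS client-cert auth is a property of the connection, and the server can answer an in-flight request with HelloRequest. The server policy (`/private` demands a cert), the request list, and the two client strategies are all constructed for the example. `naiveDispatch` renegotiates in place and so "retroactively blesses" anonymous requests multiplexed on the same connection; `carefulDispatch` refuses the challenge for anonymous requests and, for credentialed ones, tears the shared connection down and re-issues the request on a separate connection that is authenticated before it carries anything, which is the handling Ekr describes. The HTTP-level-auth-bound-to-TLS case from the reply is not modelled.

```javascript
// Added illustration, not Firefox or NSS code: a toy HTTP/2-style pool that
// multiplexes requests over one TLS connection.  Client-cert auth is a
// property of the connection, and the server can demand it mid-connection
// with HelloRequest in reply to a request already in flight.

class Conn {
  constructor(id) {
    this.id = id;
    this.authenticated = false; // a client cert has been presented on this session
    this.closed = false;
  }
}

// Constructed server policy: anything under /private demands a client cert.
function serverRespond(conn, req) {
  if (req.path.startsWith("/private") && !conn.authenticated) {
    return { type: "HelloRequest" };
  }
  return { type: "response", status: 200, path: req.path,
           authenticated: conn.authenticated };
}

// Naive client: answer HelloRequest by renegotiating on the shared connection.
// From then on every request multiplexed on it, including ones the caller
// marked anonymous, is served as the certificate holder.
function naiveDispatch(requests) {
  const conn = new Conn(1);
  return requests.map((req) => {
    let reply = serverRespond(conn, req);
    if (reply.type === "HelloRequest") {
      conn.authenticated = true; // renegotiate in place, present the cert
      reply = serverRespond(conn, req);
    }
    return { ...reply, conn: conn.id, anonymous: req.anonymous };
  });
}

// Careful client: never let a connection that carries anonymous traffic
// become authenticated.  Refuse the challenge for anonymous requests; for
// credentialed ones tear the shared connection down and re-issue the request
// on a separate connection that is authenticated before it carries anything.
function carefulDispatch(requests) {
  let nextId = 1;
  let shared = new Conn(nextId++); // coalesced connection for anonymous traffic
  let authConn = null;             // dedicated connection for credentialed traffic
  return requests.map((req) => {
    let conn = !req.anonymous && authConn ? authConn : shared;
    let reply = serverRespond(conn, req);
    if (reply.type === "HelloRequest") {
      // We will not continue on a shared session the server wants to
      // renegotiate: drop it and replace it (in-flight peers would be
      // retried on the replacement).
      shared.closed = true;
      shared = new Conn(nextId++);
      if (req.anonymous) {
        // A cert challenge for a request sent without credentials is
        // nonsensical; present nothing and report failure to the caller.
        reply = { type: "error", path: req.path,
                  reason: "client auth demanded for anonymous request" };
      } else {
        if (!authConn) {
          authConn = new Conn(nextId++);
          authConn.authenticated = true; // handshake with cert before any request
        }
        conn = authConn;
        reply = serverRespond(conn, req);
      }
    }
    return { ...reply, conn: conn.id, anonymous: req.anonymous };
  });
}

// Responses answered as the cert holder although the request was sent
// anonymously: the "retroactive blessing" the thread is worried about.
function leakedAnonymous(results) {
  return results.filter((r) => r.anonymous && r.authenticated === true);
}

// Constructed sample traffic to one origin, in submission order.
const SAMPLE = [
  { path: "/public/a.js", anonymous: true },
  { path: "/private/account", anonymous: false },
  { path: "/public/b.css", anonymous: true },
  { path: "/private/orders", anonymous: false },
  { path: "/private/banner.png", anonymous: true },
];

console.log("naive leaks:",
            leakedAnonymous(naiveDispatch(SAMPLE)).map((r) => r.path));
console.log("careful leaks:",
            leakedAnonymous(carefulDispatch(SAMPLE)).map((r) => r.path));
```

With the sample traffic the naive client leaks two anonymous requests (`/public/b.css` and `/private/banner.png` are both served as the cert holder once the shared connection has renegotiated), while the careful client serves all anonymous traffic from a never-authenticated connection, moves the credentialed requests to a connection that was authenticated before use, and fails the anonymous request to a cert-protected path instead of silently upgrading it.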