SSL vs. Server Protection Service


Ray Davis

Jul 22, 2011, 2:36:43 PM
to UI-Dev, sakai-kernel
At UC Berkeley, we have Apache httpd in front of our OAE application.

Application port, outside world = https://XXX.berkeley.edu:443
Untrusted content port, outside world = https://XXX.berkeley.edu:9443

Application port when Nakamura sees the request = http://XXX.berkeley.edu:80
Untrusted content port when Nakamura sees the request = http://XXX.berkeley.edu:9443

So...

1. Request comes in for a download:
https://XXX.berkeley.edu/p/h9G5hCgOaa/git.txt

2. Server Protection service says "O NOES!!" and constructs an HMAC and
redirect to:
https://XXX.berkeley.edu:9443/p/h9G5hCgOaa/git.txt

3. The redirected request shows up at:
http://XXX.berkeley.edu:9443/p/h9G5hCgOaa/git.txt?:hmac=XXXX

4. Server Protection service builds a test HMAC based on the incoming
URL ("http" instead of "https") and compares it to the original HMAC
("https" instead of "http").

5. Server Protection service says no dice.

Anyone else dealing with this scenario?

Thanks,
Ray
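The five-step flow above, as an added Python model (not Nakamura's ServerProtectionServiceImpl code): signing the full redirect URL fails once Apache has turned https into http, while signing with the scheme stripped verifies. HMAC-SHA256 and the key are assumptions; the `:hmac` parameter name and the URLs come from the post.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed demo key; the real service has its own secret.
SECRET = b"constructed-demo-key"
HMAC_PARAM = ":hmac"  # query parameter name from the thread


def canonical(url: str, strip_scheme: bool) -> str:
    """String the HMAC is computed over: the URL minus its :hmac parameter,
    and, when strip_scheme is set, minus the scheme as well."""
    parts = urlsplit(url)
    query = "&".join(seg for seg in parts.query.split("&")
                     if seg and not seg.startswith(HMAC_PARAM + "="))
    base = parts.netloc + parts.path + ("?" + query if query else "")
    return base if strip_scheme else f"{parts.scheme}://{base}"


def sign(url: str, strip_scheme: bool) -> str:
    return hmac.new(SECRET, canonical(url, strip_scheme).encode(),
                    hashlib.sha256).hexdigest()


def build_redirect(url: str, strip_scheme: bool) -> str:
    """Step 2: redirect target with the HMAC of the outgoing URL appended."""
    sep = "&" if urlsplit(url).query else "?"
    return f"{url}{sep}{HMAC_PARAM}={sign(url, strip_scheme)}"


def verify(received_url: str, strip_scheme: bool) -> bool:
    """Step 4: recompute over the URL as Nakamura sees it; constant-time compare."""
    query = urlsplit(received_url).query
    presented = next((seg.split("=", 1)[1] for seg in query.split("&")
                      if seg.startswith(HMAC_PARAM + "=")), "")
    return hmac.compare_digest(presented, sign(received_url, strip_scheme))


def as_seen_by_nakamura(redirect_url: str) -> str:
    """Step 3: Apache terminates TLS, so the app sees http:// where the browser sent https://."""
    return "http://" + redirect_url.removeprefix("https://")


def demo() -> dict:
    """False -> HMAC over the full URL (the failing flow); True -> scheme stripped."""
    outgoing = "https://XXX.berkeley.edu:9443/p/h9G5hCgOaa/git.txt"
    return {strip: verify(as_seen_by_nakamura(build_redirect(outgoing, strip)), strip)
            for strip in (False, True)}
```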

Ray Davis

Jul 22, 2011, 5:00:41 PM
to sakai-...@collab.sakaiproject.org, sakai-kernel
I'd say it was relevant to others. Here's the commit Ian refers to:
https://github.com/ieb/open-experiments/commit/5340eb0f34308b23d92a3362a149f090275e3355#bundles/http

I was just working on a patch of my own which would let the outgoing
redirect host differ from the incoming redirected request, but your
protocol stripping might be sufficient (and it would be nice not to add
another configuration property to ServerProtectionServiceImpl). Anyway,
JIRA coming up first....

Best,
Ray

On 7/22/11 1:38 PM, Ian Boston wrote:
> Thank you for sharing your config, you will find a patch for the problem in my project branch. I had not pushed it, since I was not certain it was relevant to others.
>
> Hth
> Ian
>
> Sent from my iPhone


Ray Davis

Jul 22, 2011, 6:58:52 PM
to Sakai UI Development, sakai-kernel
https://jira.sakaiproject.org/browse/KERN-2088

I'm currently testing my patch to support the more flexible scenario --
pull request coming soon, I hope.

Best,
Ray
