$ssl_early_data from nginx: should the application use it somehow?


Question

I'm preparing to turn on nginx ssl_early_data to enable 0-RTT with TLS 1.3.

I understand that, if I don't do it right, replay attacks become possible. I understand that, to prevent this, you need to also use $ssl_early_data:

"Requests sent within early data are subject to replay attacks. To protect against such attacks at the application layer, the $ssl_early_data variable should be used."

What I don't understand is whether it's enough to put this directive in the nginx configuration, or if/how the PHP application on my server should somehow use this $ssl_early_data variable and do some additional checks.

Answer

You are correct that this header by itself doesn't do anything; you need additional logic in your PHP application.

In my case I'm using a fastcgi variable rather than a header:

fastcgi_param  TLS_EARLY_DATA     $ssl_early_data;

Then in PHP you need to perform a check for any request that is at risk of a replay attack:

// TLS_EARLY_DATA is "1" only when the request arrived as TLS 1.3 early data
if ($_SERVER['TLS_EARLY_DATA'] === '1') {
    http_response_code(425); // 425 Too Early: ask the client to retry after the handshake
    exit;
}

You need this sort of check on everything you want replay protection on (e.g. POST /transfer_money).

You can leave it off of something that has no side effects (e.g. GET /account_balance).

Because the attacker cannot decode the payload in the replay, the GET has no teeth and you can allow those requests to use TLS Early Data.

Finally, most browsers do not yet have support for HTTP 425 Too Early, so I would strongly recommend returning an error page telling them to "Refresh and resubmit" the form.

As browser support improves, fewer people will see that error page and browsers will handle 425 errors transparently, but we are not there yet.

"425 Too Early" is currently supported in:

  • Firefox 58+

And you can track other browsers here:
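One way to carry the check above through a whole PHP front controller, as an added example that is not part of the original answer. It assumes the nginx side shown in the answer (`ssl_early_data on;` together with `fastcgi_param TLS_EARLY_DATA $ssl_early_data;`); nginx sets $ssl_early_data to "1" only while a request was received in 0-RTT data and the handshake has not yet completed, and to an empty string otherwise. It goes slightly beyond the answer in one respect: it treats only the RFC 7231 safe methods as replay-tolerant and lets you name GET routes that do have side effects (the `$sideEffectGets` list), since "GET has no teeth" only holds for GETs that change nothing. The function names, the route list and the fallback page text are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original answer. Assumes nginx passes
//   fastcgi_param TLS_EARLY_DATA $ssl_early_data;
// so $_SERVER['TLS_EARLY_DATA'] is "1" while the request arrived as TLS 1.3
// early data (handshake not yet complete) and "" otherwise.

// Methods RFC 7231 defines as safe: a replayed copy changes no server state,
// so these may be served from early data.
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];

/**
 * Return true when the request must be refused with 425 Too Early.
 *
 * @param string   $earlyData      value of the TLS_EARLY_DATA param ("1" or "")
 * @param string   $method         HTTP request method
 * @param string   $path           request path (no query string)
 * @param string[] $sideEffectGets GET routes that are NOT idempotent in this
 *                                 application (hypothetical list) and therefore
 *                                 need replay protection as well
 */
function earlyDataTooEarly(string $earlyData, string $method, string $path, array $sideEffectGets = []): bool
{
    if ($earlyData !== '1') {
        return false;                      // full handshake done: no 0-RTT replay window
    }
    $method = strtoupper($method);
    if (!in_array($method, SAFE_METHODS, true)) {
        return true;                       // POST/PUT/PATCH/DELETE in 0-RTT: refuse
    }
    return in_array($path, $sideEffectGets, true);
}

/**
 * Send 425 Too Early plus a human-readable fallback page for clients that do
 * not yet retry 425 transparently (a retrying client simply resends the
 * request once the handshake has completed, so the page is never shown there).
 */
function rejectTooEarly(): void
{
    http_response_code(425);
    header('Cache-Control: no-store');
    header('Content-Type: text/html; charset=utf-8');
    echo '<!doctype html><title>Too Early</title>'
       . '<p>Your connection resumed before it was fully secured. '
       . 'Please refresh the page and resubmit the form.</p>';
    exit;
}

// Front-controller usage: run before any handler that could change state.
$early  = $_SERVER['TLS_EARLY_DATA'] ?? '';
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
$path   = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';

// '/logout' and '/cart/remove' stand in for GET routes with side effects.
if (earlyDataTooEarly($early, $method, $path, ['/logout', '/cart/remove'])) {
    rejectTooEarly();
}
// ... normal request dispatch continues here
```

Keep the check at the very top of the request path (before session writes, logging that counts as state, or any database write); a replayed early-data request that reaches even a "harmless" side effect before the check runs is still a successful replay.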
