Token Binding for the Apache webserver (part 2)

Last year I blogged about some experiments with Token Binding support for the Apache webserver here. Token Binding essentially secures cookies by binding them to an HTTPs connection so they can’t be used or replayed outside of that connection. Recently I went a bit further on that and developed an Apache module that implements Token Binding here:

The Token Binding module verifies the token binding material from the TLS connection and the HTTP headers. It then sets environment variables with the results of that verification so that other modules can use that to bind their cookies to the so-called Token Binding ID. As mentioned before, mod_auth_openidc would greatly benefit from such a feature, hence I’ve added support for Token Binding to release 2.2.0. Both “state” and “session” cookies can be bound to the TLS connection now.

But it is not just “co-located” modules that may benefit from the Token Binding termination that can be done with an Apache server now. There’s a work-in-progress by Brian Campbell on exposing Token Binding information to backend services via headers using the Apache server as a Reverse Proxy in front of those services. An implementation of this proposal via one of the environment variables set by mod_token_binding is as easy as using mod_headers with the following snippet in your HTTPd config:

RequestHeader set Token-Binding-Context "%{Token-Binding-Context}e"

Support for Token Binding depends on the user’s browser but it is available in recent versions of Chrome and Edge. I.e. in Chrome one can enable it by setting the flag chrome://flags/#enable-token-binding to “Enabled”.

The server-side prerequisites are: OpenSSL 1.1.x with a one-line patch, an Apache 2.4.x mod_ssl patched for handling the TLS token binding extension and Google’s token_bind library with a patch that I’ve created a pull request for. If you’re interested in prototyping this, the README should get you started. There’s a sample Docker image to get you to a quick functional server setup with all of the prerequisites listed above. Feel free to open an issue on the Github project if you have any feedback or questions.

PS: ping me for a binary package or a link to a running test instance.

This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s