certnanny/sscep

SSCEP should perform non-idempotent calls using the HTTP POST method instead of GET

ateska opened this issue · 1 comment

Hi,

I noticed that the sscep v0.7.0 is using GET for e.g. "Certificate Enrolment/Renewal" call.
This is not recommended by HTTP itself, and there is also a remark about it in the "Simple Certificate Enrolment Protocol" draft, draft-gutmann-scep-16:

  ...
   Early SCEP drafts performed all communications via "GET" messages,
   including non-idempotent ones that should have been sent via "POST"
   messages, see [16] for details.  This has caused problems because of
   the way that the (supposedly) idempotent GET interacts with caches
   and proxies, and because the extremely large GET requests created by
   encoding CMS messages may be truncated in transit.  These issues are
   typically not visible when testing on a LAN, but crop up during
   deployment over WANs.  If the remote CA supports POST, the CMS-
   encoded SCEP messages MUST be sent via HTTP POST instead of HTTP GET.
   This applies to any SCEP message except GetCACert, GetNextCACert, and
   GetCACaps, and avoids the need for base64- and URL-encoding
   ...

I propose considering a switch to HTTP POST calls, as advised in the protocol specification.

I see that there is a pull request for that already:
#95
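To make the GET/POST difference concrete, here is an added example (not sscep's code, and not from the issue author) of how a SCEP client can pick the transport for a PKIOperation message: it parses the GetCACaps response, sends the CMS message as a raw POST body when the CA advertises POSTPKIOperation, and otherwise falls back to the base64- and URL-encoded GET form, with a length check on the resulting URL. The CA URL, the `Content-Type: application/x-pki-message` request header, the 2048-byte URL limit and the sample CMS bytes are all assumptions made for the example; the bytes are a constructed stand-in, not a valid CMS structure.

```python
import base64
import urllib.parse

# Assumed CA endpoint for the example; pkiclient.exe is the conventional
# SCEP CGI path name but the host is hypothetical.
BASE_URL = "http://scep.example.test/cgi-bin/pkiclient.exe"

# Constructed stand-in for a DER-encoded CMS PKIOperation message.
# Real messages are several KB of binary; this is NOT a valid CMS blob.
SAMPLE_CMS_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))

# Assumed conservative URL length limit; intermediaries differ, so a client
# should treat very long GET URLs as a truncation risk (the issue the draft
# text describes).
MAX_GET_URL_LEN = 2048


def parse_ca_caps(body: str) -> set:
    """Parse a GetCACaps response body: one capability keyword per line.

    Accepts both CRLF and LF line endings and ignores blank lines.
    Unknown keywords are kept; callers simply test for the ones they need.
    """
    return {line.strip() for line in body.splitlines() if line.strip()}


def build_pkioperation_request(base_url: str, cms_der: bytes, ca_caps: set):
    """Build the HTTP request for a PKIOperation message.

    Returns (method, url, headers, body). Prefers POST with the raw DER
    body when the CA advertises POSTPKIOperation; otherwise falls back to
    the legacy GET form where the CMS message is base64- and URL-encoded
    into the query string.
    """
    if "POSTPKIOperation" in ca_caps:
        url = f"{base_url}?operation=PKIOperation"
        # Content-Type value is an assumption commonly used by SCEP clients.
        headers = {"Content-Type": "application/x-pki-message"}
        return ("POST", url, headers, cms_der)

    # Legacy GET transport: base64 first, then percent-encode the result
    # ('+', '/' and '=' are not safe in a query string).
    b64 = base64.b64encode(cms_der).decode("ascii")
    query = urllib.parse.urlencode({"operation": "PKIOperation", "message": b64})
    return ("GET", f"{base_url}?{query}", {}, b"")


def get_url_length_ok(url: str, limit: int = MAX_GET_URL_LEN) -> bool:
    """True if a GET URL is within the assumed safe length for intermediaries."""
    return len(url) <= limit


def decode_get_message(url: str) -> bytes:
    """Server-side view: recover the CMS DER from a legacy GET request URL."""
    query = urllib.parse.urlsplit(url).query
    params = urllib.parse.parse_qs(query, strict_parsing=True)
    if params.get("operation") != ["PKIOperation"]:
        raise ValueError("not a PKIOperation request")
    return base64.b64decode(params["message"][0], validate=True)


if __name__ == "__main__":
    # Constructed GetCACaps responses: one CA supports POST, one does not.
    caps_with_post = parse_ca_caps("POSTPKIOperation\r\nSHA-256\r\nAES\r\n")
    caps_without_post = parse_ca_caps("SHA-1\nDES3\n")

    for caps in (caps_with_post, caps_without_post):
        method, url, headers, body = build_pkioperation_request(BASE_URL, SAMPLE_CMS_DER, caps)
        print(method, len(url), "bytes of URL,", len(body), "bytes of body")
        if method == "GET" and not get_url_length_ok(url):
            print("warning: GET URL exceeds assumed safe length; use POST if the CA supports it")
```

The GET branch is only a fallback: even for the small constructed message the encoded URL is noticeably longer than the DER itself, and for a real enrollment request carrying a certificate chain it grows past what many proxies and servers accept, which is exactly the truncation problem the draft text quoted above warns about.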