> -----Original Message-----
> From: Issac Goldstand [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 10, 2001 1:07 PM
> To: Geoffrey Young
> Cc: [EMAIL PROTECTED]
> Subject: Re: detecting ssl
>
>
> > > -----Original Message-----
> > > From: Issac Goldstand [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, July 10, 2001 10:44 AM
> > > To: Geoffrey Young; 'João Pedro Gonçalves'; brian moseley
> > > Cc: [EMAIL PROTECTED]
> > > Subject: Re: detecting ssl
> > >
> > >
> > > Not necessarily. I could easily set up any virtualhost on
> > > port 443 which
> > > will be accessable by https://nasty.servername/ but will, in
> > > reality, not
> > > necessarily be over a secure connection.
> >
> > what would negotiate the https protocol then? its not like
> you can just
> set
> > up to listen on 443, make
> > a an http request, and Apache will serve it - at least not through a
> browser
> > or telnet.
>
> Of course it will!!!
whoops, I meant an https request - of course you can listen on any port you
want for plain http.
[snip]
> Also,
> if I'd use a
> simple client that just used https as port 443 without
> automatically trying
> to use a secure layer (which is actually proper...), I could even grab
> https:// from the URI request.
ok, I'm not claiming to be an ssl expert, so how would one do that? if I do
telnet my.ssl-enabled.server 443
GET / HTTP/1.0
I get 400 - BAD_REQUEST. something has to negotiate the https layer, no?
I've been searching for documentation, but all I can find is the TLS spec,
which says that TLS is relegated to the scheme of 'https', so pointers to
something useful would probably be good (for all :)
>
> The ONLY safe way, is to use mod_ssl to tell you you're using
> it. Consider
> a comparison: assuming you're using mod_perl by grepping the
> server info for
> mod_perl/x.xx rather than checking $ENV{MOD_PERL}
understood
--Geoff
