> > > > -----Original Message-----
> > > > From: Issac Goldstand [mailto:[EMAIL PROTECTED]]
> > > > Sent: Tuesday, July 10, 2001 10:44 AM
> > > > To: Geoffrey Young; 'João Pedro Gonçalves'; brian moseley
> > > > Cc: [EMAIL PROTECTED]
> > > > Subject: Re: detecting ssl
> > > >
> > > >
> > > > Not necessarily.  I could easily set up any virtualhost on port 443 which
> > > > will be accessible by https://nasty.servername/ but will, in reality, not
> > > > necessarily be over a secure connection.
> > >
> > > what would negotiate the https protocol then?  it's not like you can just
> > > set up to listen on 443, make an http request, and Apache will serve it -
> > > at least not through a browser or telnet.
> >
> > Of course it will!!!
>
> whoops, I meant an https request - of course you can listen on any port
> you want for plain http.

Then, you are correct.  Of course you could simply just pipe the telnet
session through stunnel, or openssl, or whatever - and work something out
like that.  But the point is, then it really IS an HTTP request going over
SSL, so mod_ssl will jump in and set $ENV{HTTPS} anyway, so that really
doesn't say anything.

> [snip]
>
> > Also, if I'd use a simple client that just used https as port 443 without
> > automatically trying to use a secure layer (which is actually proper...), I
> > could even grab https:// from the URI request.
>
> ok, I'm not claiming to be an ssl expert, so how would one do that?  if I do
>
> telnet my.ssl-enabled.server 443
> GET / HTTP/1.0
>
> I get 400 - BAD_REQUEST.  something has to negotiate the https layer, no?

Of course.  My point is that just because the server's listening on port
443, it doesn't necessarily mean it's using SSL.  That's where the danger
is.  By checking for $ENV{HTTPS}, you are eliminating that danger by
actually checking whether the individual requests are occurring over a secure
layer, rather than counting on the server and client to do what you would
expect them to - which is the worst mistake that we, as programmers, can
afford to make... :-)

> I've been searching for documentation, but all I can find is the TLS spec,
> which says that TLS is relegated to the scheme of 'https', so pointers to
> something useful would probably be good (for all :)

Umm...  If the RFCs aren't helpful, you can try fooling around with (and
reading the man page for) openssl's s_client mode...

  Issac

PGP Key 0xE0FA561B - Fingerprint:
7E18 C018 D623 A57B 7F37 D902 8C84 7675 E0FA 561B
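An added example (not from this thread or from mod_perl itself) showing the check Issac describes: a mod_perl 1.x content handler that trusts mod_ssl's HTTPS variable rather than the port number. The package name, handler and log text are hypothetical; it assumes mod_ssl is loaded, and it runs in the content phase because mod_ssl only populates HTTPS in its fixup hook, which comes after the access/auth phases.

```perl
package My::RequireSSL;
# Hypothetical mod_perl 1.x handler, added as an example for this thread.
# httpd.conf:
#   <Location /secure>
#       SetHandler  perl-script
#       PerlHandler My::RequireSSL
#   </Location>
use strict;
use Apache::Constants qw(OK FORBIDDEN);

# The check the thread warns against: a plain-HTTP <VirtualHost *:443>
# without "SSLEngine on" passes this test while sending everything in clear.
sub looks_like_ssl_by_port {
    my $r = shift;
    return $r->get_server_port == 443;
}

# The check the thread recommends: ask mod_ssl, which sets HTTPS=on in the
# subprocess environment only for requests that really arrived over SSL/TLS.
# (This is what $ENV{HTTPS} is copied from under Apache::Registry.)
sub is_ssl {
    my $r = shift;
    my $https = $r->subprocess_env('HTTPS');
    return defined $https && lc($https) eq 'on';
}

sub handler {
    my $r = shift;
    unless (is_ssl($r)) {
        # Log the mismatch so a "https" vhost that is not actually
        # encrypted shows up in error_log instead of silently serving.
        $r->log_error(sprintf "refusing cleartext request for %s (port %d, HTTPS not set)",
                      $r->uri, $r->get_server_port);
        return FORBIDDEN;
    }
    $r->send_http_header('text/plain');
    $r->print("secure connection confirmed by mod_ssl\n");
    return OK;
}

1;
```

To confirm what mod_ssl reports for a given vhost, `openssl s_client -connect host:443` followed by a `GET / HTTP/1.0` request hits the same handler and should be the only way to reach the OK branch.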
