https://issues.apache.org/bugzilla/show_bug.cgi?id=55458
Bug ID: 55458
Summary: allow to configure what mod_ssl responds when one
doesn't talk TLS/SSL to the port
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P2
Component: mod_ssl
Assignee: [email protected]
Reporter: [email protected]
Hi.
As discussed in bug 55364 (see there for more info), and as Eric insisted on
yet another bug being opened for the "enhancement request", please implement
the following enhancement.
1) Users should be able to control what happens when someone connects to an
https port but doesn't speak TLS/SSL.
Right now, an HTTP 0.9 response and HTML is sent, which is problematic due to
not having even a Status code that indicates an error.
If the RFCs don't suggest anything else, I'd say that the best solution for
handling such a situation is simply closing the TCP connection, perhaps sending
some SSL/TLS error notification if that exists.
Anything else might even be a security problem when the client interprets the
content (which doesn't even have a Content-Type).
2) Due to the (to my knowledge) non-standardish behaviour of sending an
HTTP/HTML response in that situation, and due to the possible security issues
with that, which one can easily think of, the "new" behaviour of responding with
nothing (or an SSL/TLS error indicator, if such a thing exists) should be made
the default.
Cheers,
Chris.
PS: In principle the proper severity for this is rather major, since it might
have security implications.
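
A check for the behaviour this report describes, added here as an example and not part of the bug report or of mod_ssl: it classifies the first bytes a TLS port returns to a plaintext HTTP request as a status-less HTTP/0.9-style body, an HTTP/1.x status line, a TLS alert record, or a silent close. The function names, result labels and sample replies are constructed for illustration.

```python
import re
import socket

TLS_ALERT, TLS_HANDSHAKE = 0x15, 0x16          # TLS record content types
STATUS_LINE = re.compile(rb"HTTP/\d\.\d \d{3}[ \r\n]")
HTML_HINT = re.compile(rb"\s*<(!doctype|html|head|title|h1|p)\b", re.I)

def classify_reply(data: bytes) -> str:
    """Classify the first bytes a TLS port returned to a plaintext request."""
    if not data:
        return "closed"                        # nothing sent before the close
    # TLS record header: type(1) | version(2, major 0x03) | length(2)
    if len(data) >= 5 and data[1] == 0x03 and data[0] in (TLS_ALERT, TLS_HANDSHAKE):
        is_alert = data[0] == TLS_ALERT and int.from_bytes(data[3:5], "big") == 2
        return "tls-alert" if is_alert else "tls-record"
    if STATUS_LINE.match(data):
        return "http-status-line"              # HTTP/1.x reply carrying a status code
    if HTML_HINT.match(data):
        return "http09-body"                   # bare body: no status, no Content-Type
    return "unknown"

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send plaintext HTTP to a TLS port you operate and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        try:
            data = s.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""                         # reset or silence counts as a close
    return classify_reply(data)

# Constructed sample replies (not captured from a real server).
SAMPLES = {
    "bare_html": b"<html><head><title>Bad Request</title></head><body>...</body></html>",
    "status_400": b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n<html>",
    "alert": bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x46]),  # fatal protocol_version
    "closed": b"",
}

def classify_samples() -> dict:
    """Run the classifier over the constructed samples."""
    return {name: classify_reply(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:12s} -> {verdict}")
```

A result of `http09-body` from `probe()` against your own server corresponds to the status-less HTML reply the report objects to; `closed` or `tls-alert` corresponds to the behaviour it requests.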