On Sat, Aug 10, 2013 at 09:28:21PM +0200, Stefan Fritsch wrote:
> What do you think of including a header? Is there a way to find out
> from the encrypted traffic where the header ends and where the body
> starts? See my other mail, which I have sent before reading this one,
> unfortunately.
Eric is right, HTTP response headers are currently always a separate TLS message so the observer can simply discard the first message.

It is simple to try harder to hide that in mod_ssl, at least with the coalesce filter, since the headers are just a brigade with a HEAP bucket, which mod_ssl can hang on to and merge with the response body before sending to OpenSSL. But in the case of a dynamically generated or proxied response it is likely we'll get a FLUSH directly after the headers' HEAP, as the handler waits for content. So in that case we'd have to push out a TLS message with just-the-headers anyway.

After playing with code & tcpdumping, I'm more sceptical we can do anything simple + effective without hurting performance, or at least be 99% confident we aren't hurting performance.

Regards, Joe
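A small model of the brigade-to-record packaging discussed above, added here as an illustration and not mod_ssl's or httpd's own code. The bucket names mirror APR's HEAP/FLUSH/EOS buckets, but the filter logic and the 16 KiB record split are simplifying assumptions; it shows that coalescing hides the header/body boundary only when no FLUSH arrives between the headers and the body.

```python
# Constructed simulation of how an output filter hands a bucket brigade
# to the TLS record layer.  Not mod_ssl's code: the bucket kinds mirror
# APR bucket types, everything else is a simplifying assumption.

MAX_RECORD = 16384  # TLS plaintext record size limit (assumed split point)


def records_from_brigade(brigade, coalesce=True):
    """Return the lengths of the application-data records emitted.

    brigade  : list of ("HEAP", bytes), ("FLUSH", None) or ("EOS", None).
    coalesce : False -> every data bucket becomes its own TLS write;
               True  -> data buckets are merged until FLUSH/EOS forces a write
                        (the behaviour the coalesce filter is meant to give).
    """
    out = []
    pending = b""

    def write(data):
        # The record layer splits a single write into <= MAX_RECORD chunks.
        for i in range(0, len(data), MAX_RECORD):
            out.append(len(data[i:i + MAX_RECORD]))

    for kind, data in brigade:
        if kind == "HEAP":
            if coalesce:
                pending += data
            else:
                write(data)
        elif kind in ("FLUSH", "EOS"):
            if pending:
                write(pending)
                pending = b""
    return out


def header_record_visible(record_lens, header_len):
    """True if the first record on the wire carries exactly the headers,
    i.e. a passive observer could discard it and be left with the body."""
    return bool(record_lens) and record_lens[0] == header_len


# Constructed sample response: static file vs. handler that flushes headers
# first and produces the body later.
HEADERS = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
           b"Content-Length: 3000\r\n\r\n")
BODY = b"x" * 3000
STATIC = [("HEAP", HEADERS), ("HEAP", BODY), ("EOS", None)]
DYNAMIC = [("HEAP", HEADERS), ("FLUSH", None), ("HEAP", BODY), ("EOS", None)]
```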
