Hi William,
Is any commonly used client actually implementing this spec in a way that makes
this RFC relevant for httpd?
Sure, we could implement this… Perhaps we already did, but once you switch to TLS
there are so many security-related things to account for.
Ignoring the server certificate case, what about SNI and ALPN?
Is there really a specific upgrade to TLS/1.0, 1.1 and 1.2? Or is one upgrade
enough, as the handshake does the rest?
Does this also allow switching to http/2 in one step via ALPN?
Or is that explicitly forbidden?
Bert
From: William A Rowe Jr <[email protected]>
Sent: Wednesday 18 November 2015 01:10
To: httpd <[email protected]>
Subject: Fwd: [openssl-dev] [openssl.org #4145] Enhancement: patch to support
s_client -starttls http
I'm fairly certain this will be applied to 1.1.0 and not necessarily
backported to 1.0.2, so this hack might be useful to some of you
who want to test for the preservation of the SSLEngine optional
Upgrade: TLS/1.0 behavior on trunk and 2.4.x branch...
---------- Forwarded message ----------
From: William A. Rowe Jr. via RT <[email protected]>
Date: Tue, Nov 17, 2015 at 5:26 PM
Subject: [openssl-dev] [openssl.org #4145] Enhancement: patch to support s_client -starttls http
To:
Cc: [email protected]
RFC 2817 defines upgrading HTTP/1.1 to TLS (or SSL).
Because Apache httpd supports Connection: Upgrade and Upgrade: TLS/1.x I've
gone ahead and instrumented s_client to support this behavior (and noted a
small optimization in the same logic stream for starttls support).
Attached is the patch to introduce this behavior. It is a bit crufty, but
lacking a CUPS client that did connection upgrade to TLS, I needed
something for testing and experimentation.
I don't know that there is a justification for implementing Upgrade: h2
since this is a binary protocol that is not conducive to terminal mode :)
Source licensed by me under the OpenSSL license at
https://www.openssl.org/source/license.txt - don't see a need for a CLA,
but email me privately if so.
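Added example, not part of this thread or of the s_client patch: the RFC 2817 exchange the post describes, with the client's `Upgrade: TLS/1.0` request, a server-side acceptance check modelled on what httpd would need (both `Upgrade` and `Connection: Upgrade` present, 426 otherwise), and the point at which TLS, SNI and ALPN start on the same socket. The host name and the acceptance logic are constructed assumptions, not httpd's code.

```python
import ssl
import socket

CRLF = b"\r\n"

def build_upgrade_request(host: str) -> bytes:
    """Client: ask to switch the cleartext HTTP/1.1 connection to TLS.
    RFC 2817 uses OPTIONS * so nothing is fetched before encryption starts."""
    return (b"OPTIONS * HTTP/1.1" + CRLF + b"Host: " + host.encode("ascii") + CRLF
            + b"Upgrade: TLS/1.0" + CRLF + b"Connection: Upgrade" + CRLF + CRLF)

def parse_headers(raw: bytes) -> tuple[str, dict]:
    """Split an HTTP head into its first line and lower-cased header names."""
    head = raw.partition(CRLF + CRLF)[0].split(CRLF)
    headers = {}
    for line in head[1:]:
        name, _, value = line.decode("ascii").partition(":")
        headers[name.strip().lower()] = value.strip()
    return head[0].decode("ascii"), headers

def server_response(request: bytes) -> bytes:
    """Server (constructed model of the httpd behaviour the post refers to):
    agree only when Upgrade names TLS and Connection lists the Upgrade token."""
    _, hdrs = parse_headers(request)
    upgrade = hdrs.get("upgrade", "")
    conn = {t.strip().lower() for t in hdrs.get("connection", "").split(",")}
    if upgrade.lower().startswith("tls/1.") and "upgrade" in conn:
        return (b"HTTP/1.1 101 Switching Protocols" + CRLF + b"Upgrade: "
                + upgrade.encode("ascii") + CRLF + b"Connection: Upgrade" + CRLF + CRLF)
    # RFC 2817's 426 tells the client that cleartext is not acceptable here.
    return (b"HTTP/1.1 426 Upgrade Required" + CRLF + b"Upgrade: TLS/1.0" + CRLF
            + b"Connection: Upgrade" + CRLF + b"Content-Length: 0" + CRLF + CRLF)

def server_agreed(response: bytes) -> bool:
    """Client: only a 101 that echoes a TLS Upgrade token means the next bytes
    we send on this socket are a TLS ClientHello rather than HTTP."""
    status, hdrs = parse_headers(response)
    conn = {t.strip().lower() for t in hdrs.get("connection", "").split(",")}
    return (status.startswith("HTTP/1.1 101")
            and hdrs.get("upgrade", "").lower().startswith("tls/1.")
            and "upgrade" in conn)

def wrap_after_upgrade(sock: socket.socket, host: str) -> ssl.SSLSocket:
    """After the 101 is consumed, start TLS on the same socket. The Upgrade token
    only says 'TLS'; the version is settled by the handshake, and SNI and ALPN
    travel in the ClientHello exactly as on a port-443 connection."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["http/1.1"])
    return ctx.wrap_socket(sock, server_hostname=host)
```

Against a live server, read exactly the 101 head from the plain socket before calling `wrap_after_upgrade`, since any bytes read past the blank line would belong to the TLS handshake.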