Thanks.

Regards

Rüdiger

> -----Original Message-----
> From: Stefan Eissing <stefan.eiss...@greenbytes.de>
> Sent: Thursday, 20 September 2018 11:58
> To: dev@httpd.apache.org
> Subject: Re: minor nit in mod_ssl
>
> Fair enough. Done in r1841455.
>
> > On 20.09.2018 at 11:53, Plüm, Rüdiger, Vodafone Group <ruediger.pl...@vodafone.com> wrote:
> >
> > Correct, but the issue is that as an admin you do not always get the error page that a client sees and you have to search for the cause without.
> > Especially in this case as non-SNI clients are often not browsers but non-interactive programs.
> >
> > Regards
> >
> > Rüdiger
> >
> >> -----Original Message-----
> >> From: Stefan Eissing <stefan.eiss...@greenbytes.de>
> >> Sent: Thursday, 20 September 2018 11:46
> >> To: dev@httpd.apache.org
> >> Subject: Re: minor nit in mod_ssl
> >>
> >> I am not opposed. However, there is an explanation added to the request error notes, which normally appears in the 403 response if I am not mistaken?
> >>
> >> -Stefan
> >>
> >>> On 20.09.2018 at 11:40, Plüm, Rüdiger, Vodafone Group <ruediger.pl...@vodafone.com> wrote:
> >>>
> >>> Can we have it set to info? Debug is very verbose for SSL just to find out why an HTTP request was replied to with a 403.
> >>>
> >>> Regards
> >>>
> >>> Rüdiger
> >>>
> >>> From: William A Rowe Jr <wr...@rowe-clan.net>
> >>> Sent: Monday, 17 September 2018 22:27
> >>> To: httpd <dev@httpd.apache.org>
> >>> Subject: Re: minor nit in mod_ssl
> >>>
> >>> On Mon, Sep 17, 2018 at 2:56 AM Stefan Eissing <stefan.eiss...@greenbytes.de> wrote:
> >>>>
> >>>> mod_ssl/ssl_engine.kernel.c, 353: logs ERR (APLOGNO(02033)) when strict_sni_vhost_check is enabled and a request comes in without SNI.
> >>>>
> >>>> Question: is a downgrade from ERR to INFO/DEBUG backportable or do we consider this a break of compatibility?
> >>>
> >>> On Mon, Sep 17, 2018 at 10:43 AM William A Rowe Jr <wrowe@rowe-clan.net> wrote:
> >>>>
> >>>> It is entirely appropriate to turn down the volume. That's what module-by-module loglevels are there for.
> >>>
> >>> This is the loglevel of typical garbage request streams;
> >>>
> >>> [Mon Sep 17 11:44:43.036820 2018] [core:debug] [pid 26317:tid 140199172134656] protocol.c(965): (20014)Internal error (specific information not available): [client 127.0.0.1:34974] Failed to read request header line (null)
> >>> [Mon Sep 17 11:44:43.036871 2018] [core:debug] [pid 26317:tid 140199172134656] protocol.c(1318): [client 127.0.0.1:34974] AH00567: request failed: error reading the headers
> >>> [Mon Sep 17 15:24:46.146311 2018] [core:debug] [pid 26413:tid 140199180527360] protocol.c(860): [client 127.0.0.1:35330] AH02418: HTTP Request Line; Unrecognized protocol 'HTTP/1.xx' (perhaps whitespace was injected?)
> >>>
> >>> It seems that TLS missing SNI fits this same debug-level pattern of diagnostics.
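
Added illustration, not part of the thread and not httpd code: a Python model of per-module `LogLevel` filtering applied to the error-log lines quoted above, showing that with AH02033 at info a setting such as `warn ssl:info` surfaces the missing-SNI reason without the core debug noise. The function names, the simplified filter, and the final sample line (client address, timestamp, message text) are assumptions constructed for the example.

```python
import re

# Apache httpd severities, most severe first (trace1..trace8 follow debug).
LEVELS = ["emerg", "alert", "crit", "error", "warn", "notice", "info",
          "debug"] + [f"trace{i}" for i in range(1, 9)]
RANK = {name: i for i, name in enumerate(LEVELS)}
LINE_RE = re.compile(r"^\[[^\]]+\] \[(?P<module>\w+):(?P<level>\w+)\] "
                     r"\[pid [^\]]+\] (?P<rest>.*)$")
AH_RE = re.compile(r"\bAH\d{5}\b")
CLIENT_RE = re.compile(r"\[client ([^\]]+):\d+\]")

# The first three lines are the log lines quoted in the thread; the last one
# is constructed (placeholder client, timestamp and message text).
SAMPLE = [
    "[Mon Sep 17 11:44:43.036820 2018] [core:debug] [pid 26317:tid 140199172134656] protocol.c(965): (20014)Internal error (specific information not available): [client 127.0.0.1:34974] Failed to read request header line (null)",
    "[Mon Sep 17 11:44:43.036871 2018] [core:debug] [pid 26317:tid 140199172134656] protocol.c(1318): [client 127.0.0.1:34974] AH00567: request failed: error reading the headers",
    "[Mon Sep 17 15:24:46.146311 2018] [core:debug] [pid 26413:tid 140199180527360] protocol.c(860): [client 127.0.0.1:35330] AH02418: HTTP Request Line; Unrecognized protocol 'HTTP/1.xx' (perhaps whitespace was injected?)",
    "[Thu Sep 20 12:00:00.000000 2018] [ssl:info] [pid 1:tid 2] [client 192.0.2.10:40000] AH02033: constructed sample text for a request without SNI",
]

def parse_loglevel(directive):
    """Split e.g. 'warn ssl:info' into ('warn', {'ssl': 'info'})."""
    default, per_module = "warn", {}
    for token in directive.split():
        module, sep, level = token.rpartition(":")
        if sep:
            per_module[module] = level
        else:
            default = level
    return default, per_module

def visible(lines, directive):
    """Return parsed records that the given LogLevel setting would keep."""
    default, per_module = parse_loglevel(directive)
    kept = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        threshold = per_module.get(m["module"], default)
        if RANK[m["level"]] > RANK[threshold]:
            continue  # less severe than the threshold: not written
        ah = AH_RE.search(m["rest"])
        client = CLIENT_RE.search(m["rest"])
        kept.append({"module": m["module"], "level": m["level"],
                     "ah": ah.group(0) if ah else None,
                     "client": client.group(1) if client else None})
    return kept
```

The filter only models the short module tag as it appears in the log line (`ssl`, `core`); httpd accepts other spellings of the module name in `LogLevel` that are not handled here.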