[jira] Commented: (TS-295) Allowing HTTP CONNECT to be used on non-SSL ports

Thu, 15 Apr 2010 16:23:16 -0700 

    [ 
https://issues.apache.org/jira/browse/TS-295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12857589#action_12857589
 ] 

Leif Hedstrom commented on TS-295:
----------------------------------

As we discussed on #traffic-server, we should create a separate configuration 
for this, which defaults to the "old" SSL ports (just for compatibility). 
Setting this config to "" would disable all connects entirely.

We should also disassociate the YTS code for this from SSL. Right now, all the 
functions / defines etc. are SSL related, and so are the error messages. We 
should change that as well, e.g. where the code is now

    if ((method == HTTP_WKSIDX_CONNECT) && (!is_ssl_port_ok(s, 
incoming_hdr->url_get()->port_get()))) {
      return BAD_SSL_PORT;
    }


we should do change to something like

    if ((method == HTTP_WKSIDX_CONNECT) && (!is_connect_port_ok(s, 
incoming_hdr->url_get()->port_get()))) {

      return BAD_CONNECT_PORT;
    }

(as far as I can tell, the BAD_SSL_PORT is only used for this case with 
CONNECT, and it makes zero sense to me).


And likewise for the error message that we generate, it ought to say something 
like

    build_error_response(s,
                         HTTP_STATUS_FORBIDDEN,
                         "Tunnel Forbidden",
                         "access#tunnel_forbidden", "%d is not an allowed port 
for Tunnel connections", port);

> Allowing HTTP CONNECT to be used on non-SSL ports
> -------------------------------------------------
>
>                 Key: TS-295
>                 URL: https://issues.apache.org/jira/browse/TS-295
>             Project: Traffic Server
>          Issue Type: Improvement
>    Affects Versions: 2.0.0
>         Environment: All?
>            Reporter: Marcus Clyne
>            Priority: Minor
>
> Currently HTTP CONNECT can only be used on ports designated as SSL ports in 
> the config file, even if SSL is not used.
> It seems more sensible to add a config option to specify which ports can be 
> tunneled through using CONNECT's, perhaps defaulting to the SSL ports, but 
> not being limited to them.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to