Re: detecting ssl

Tue, 10 Jul 2001 11:15:05 -0700 

> > -----Original Message-----
> > From: Issac Goldstand [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, July 10, 2001 10:44 AM
> > To: Geoffrey Young; 'João Pedro Gonçalves'; brian moseley
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: detecting ssl
> >
> >
> > Not necessarily.  I could easily set up any virtualhost on
> > port 443 which
> > will be accessable by https://nasty.servername/ but will, in
> > reality, not
> > necessarily be over a secure connection.
>
> what would negotiate the https protocol then?  its not like you can just
set
> up to listen on 443, make
> a an http request, and Apache will serve it - at least not through a
browser
> or telnet.

Of course it will!!!  To prove it, I set up a relatively simple Apache
server with the following httpd.conf file.  (I'm not sure how much I can cut
down the httpd.conf file, so there's probably still excess baggage here...)

-----

ServerType standalone
ServerRoot "/usr/local/httpd"
PidFile /usr/local/httpd/logs/httpd.pid
ScoreBoardFile /usr/local/httpd/logs/httpd.scoreboard
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 2
MaxSpareServers 6
StartServers 4
MaxClients 50
MaxRequestsPerChild 200
Port 443
Listen 443
User www
Group www
ServerAdmin [EMAIL PROTECTED]
ServerName some.domain.com
DocumentRoot "/usr/local/httpd/htdocs"
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/usr/local/httpd/htdocs">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
AccessFileName .htaccess
DefaultType text/plain

-----

Then, I did telnet some.domain.com 443...

-----

HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 10 Jul 2001 15:54:47 GMT
Server: Apache/1.3.20 (Unix) mod_perl/1.25 PHP/4.0.4pl1
Connection: close
Content-Type: text/html

-----

Now, if I'd have checked the port, I'd be in trouble.  Also, if I'd use a
simple client that just used https as port 443 without automatically trying
to use a secure layer (which is actually proper...), I could even grab
https:// from the URI request.

The ONLY safe way, is to use mod_ssl to tell you you're using it.  Consider
a comparison: assuming you're using mod_perl by grepping the server info for
mod_perl/x.xx rather than checking $ENV{MOD_PERL}

  Issac

Reply via email to