The POST values will be sent only via SSL.  You can verify this via the
Apache logs. Non-SSL requests are logged in logs/access.log, while SSL accesses
are logged in logs/ssl/access.log.  To see this more clearly, change
nonsecure.html to send the id/pw via GET.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Brian D. Kohl
> Sent: Wednesday, September 06, 2000 6:41 PM
> To: [EMAIL PROTECTED]
> Subject: post from nonSSL to SSL pages - when is SSL session started.
>
>
> Was not sure where else to turn for this question, so here goes:
>
> We are trying to get consensus on whether the following scenario will be
> fully encrypted when data is passed to the server (i.e., we can't allow
> username and password data to go in the clear - obviously).
>
> We have a non-secure http page that has two POST fields; one for username
> and another for the password.  This is on example page
> http://nonsecure.html.  The user types in the information and hits the
> submit button.  The action URL that is tagged in the POST command in this
> html file posts to https://secure.html, which will validate a user's login,
> etc.  Now SSL is a session-based protocol, and it seems quite unlikely that
> ANY information could be passed from the client's browser to the server
> until AFTER the SSL session was created; thereby sending it encrypted
> only.  I am 95% sure that the data is encrypted, but wanted to run it by
> you all to let me know if I'm in the ballpark here.  My apache and NES logs
> don't show conclusively whether the connection was established, then the
> login data was sent (securely), or whether both the POST URL (an SSL URL)
> and the data were all sent at once (i.e., login in the clear) and the server
> just handled them both in the right order, but received them both in the
> clear from the beginning (I doubt it).
>
> I am snooping on some packets, but wanted to know if the RFC states it thus
> and whether anyone has seen different in regards to apache+mod_ssl and NES
> SSL (which we also use and would want to use this mechanism with as well -
> though not mod_ssl obviously).
>
> Thanks very much,
> Brian
>
> ----------------------------------------------------------------------
> Brian D. Kohl
> Lead Systems Administrator
> ChemConnect, Inc.
> [EMAIL PROTECTED]
> Direct: 415.364.3328
> Cell: 415.518.9052
> Fax: 415.646.0010
> ----------------------------------------------------------------------
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]
>

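The log check described in the reply above, as an added example that is not part of the original messages: it scans the non-SSL and SSL access logs for requests to the login handler and reports which listener received them and whether the id/pw fields appear in the URL. The path /secure.html, the field names id and pw, the Common Log Format layout and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common Log Format request part: "METHOD target PROTOCOL" status
CLF = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Assumed values: the page gives neither the handler path nor the field names.
LOGIN_PATH = "/secure.html"
CRED_FIELDS = {"id", "pw"}

def login_hits(log_text, listener):
    """Return one record per request to LOGIN_PATH found in an access log."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.search(line)
        if not m:
            continue  # not a request line we can parse
        url = urlsplit(m["target"])
        if url.path != LOGIN_PATH:
            continue
        query = parse_qs(url.query, keep_blank_values=True)
        hits.append({"listener": listener, "method": m["method"],
                     "status": int(m["status"]),
                     "fields_in_url": sorted(CRED_FIELDS.intersection(query))})
    return hits

def audit(plain_log, ssl_log):
    """Summarise where login requests arrived; any plain-HTTP hit is a finding."""
    plain = login_hits(plain_log, "http")
    ssl = login_hits(ssl_log, "https")
    return {"plain": plain, "ssl": ssl, "clear_text_logins": len(plain)}

# Constructed sample contents of logs/access.log and logs/ssl/access.log.
PLAIN_LOG = '''\
192.0.2.10 - - [06/Sep/2000:18:45:01 -0700] "GET /nonsecure.html HTTP/1.0" 200 512
'''
SSL_LOG = '''\
192.0.2.10 - - [06/Sep/2000:18:45:09 -0700] "GET /secure.html?id=alice&pw=example HTTP/1.0" 200 1024
192.0.2.10 - - [06/Sep/2000:18:46:30 -0700] "POST /secure.html HTTP/1.0" 200 1024
'''

if __name__ == "__main__":
    report = audit(PLAIN_LOG, SSL_LOG)
    for hit in report["plain"] + report["ssl"]:
        print(hit)
    print("login requests over plain HTTP:", report["clear_text_logins"])
```

With the form switched to GET the field values are written into the access log itself, so run the check with a throwaway account and switch the form back to POST afterwards.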