Yes, it is encrypted. The process is as follows: Browser connects and handshakes the SSL encryption level (with the obvious key checks). The connection is then encrypted. Browser sends GET request to server Server sends authorisation request Browser sends "Authorization:" header which IIRC is a base64 encoding of the username and password (which is basically plain text, encrypted via SSL). The page or data is returned if the connection is authorised.
So the logs are correct, as the GET request is sent without the authorization header. What is confusing is that most browsers do not show a padlock until after you send it (this isn't that difficult to fix, is it?). It could be argued that this method may be more "hackable" than putting a login somewhere in the page (eg RedHat Network at https://rhn.redhat.com), but I don't particularly want to go there. We have a server internally that gives you the wrong pages if you proxy the Authorization header, so I had someone produce a patch to prevent the proxying of the Authorization header. I realise I haven't answered the specific question as to why the log doesn't show the SSL encryption level. Perhaps the server writes this entry before the SSL handshaking completes? (I'd have to look in the source). - John Airey, BSc (Jt Hons), CNA, RHCE Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] If we could learn one thing from September 11th 2001, it would be the utter absurdity of moral relativism. - NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system. RNIB has made strenuous efforts to ensure that emails and any attachments generated by its staff are free from viruses. However, it cannot accept any responsibility for any viruses which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk ______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
