Michael Parkin wrote:
> Hi,
>
> I've recently been trying to set up Mongrel behind Pound so that I can
> do mutual SSL authentication. I've had a few problems with Pound
> (documented at [1]), but now have it working correctly.
>
> However, I think there is a problem with Mongrel and how it deals with
> the headers Pound adds to the HTTP header block. One of the extra
> headers Pound adds is 'X-SSL-certificate' - the full multi-line client
> certificate in PEM format. As the certificate is spread over multiple
> lines like this:
>
> X-SSL-certificate: -----BEGIN CERTIFICATE-----
>  MIIFbTCCBFWgAwIBAgICH4cwDQYJKoZIhvcNAQEFBQAwcDELMAkGA1UEBhMCVUsx
>  ...
>  Yhixw1aKEPzNjNowuIseVogKOLXxWI5vAi5HgXdS0/ES5gDGsABo4fqovUKlgop3
>  RA==
>  -----END CERTIFICATE-----
>

Do you actually need to use the certificate downstream? If not, and you just need to know the original request was SSL'd, then Pound should add an X-FORWARD type header instead...
> ...with a carriage return between each line, Mongrel, it seems, cannot
> handle the line breaks in the header and with this header present
> returns an internal server error '500'.
>
> Looking at RFC 2616 it seems that whitespace such as this _is_ allowed
> in the header block. Section 4.2 says "Header fields can be extended
> over multiple lines by preceding each extra line with at least one SP
> or HT" - which is exactly what Pound does. Therefore, I think the
> problem may be with Mongrel.
>
> I've tested this by doing the following:
>
> 1) Sniffed the whole HTTP message sent from Pound -> Mongrel using
> tcpmon. (Fails - returns 'internal server error' / 500).
>
> 2) Replaying the message into Mongrel directly using telnet, cutting
> out the X-SSL-certificate header. Mongrel responds correctly (200).
>
> 3) Added in my own arbitrary header with a carriage return in it.
> Mongrel again returns 500.
>
> I turned on debugging with the '-B' option hoping there would be
> something in the log files, but they're empty.
>
> Can anyone else confirm that carriage returns in HTTP headers are a
> problem for Mongrel?
>
> Many thanks,
>
> Michael.
>
> [1] http://www.apsis.ch/pound/pound_list/archive/2006/2006-10/1159900707000
> _______________________________________________
> Mongrel-users mailing list
> [email protected]
> http://rubyforge.org/mailman/listinfo/mongrel-users
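As an added illustration of the folding rule Michael quotes from RFC 2616 section 4.2, here is a small header-block parser that unfolds continuation lines (a CRLF followed by SP or HT is replaced by a single SP) and then rebuilds the PEM block from the unfolded value. This is example code written for this thread, not Mongrel's or Pound's parser; the sample request, the `example.invalid` host and the truncated certificate body are constructed placeholders, and the choice to treat a stray continuation line as a client error (400) rather than a server error (500) is a design assumption of the example.

```ruby
# Example parser for an HTTP/1.1 header block with RFC 2616 4.2 line folding.
# Not Mongrel's or Pound's code; written to illustrate the folding rule.

# Constructed sample request. The base64 body is a placeholder fragment, not
# a real certificate; the first continuation line uses HT, the rest use SP.
SAMPLE_REQUEST = [
  "GET / HTTP/1.1",
  "Host: example.invalid",
  "X-SSL-certificate: -----BEGIN CERTIFICATE-----",
  "\tMIIFbTCCBFWgAwIBAgICH4cwDQYJKoZIhvcNAQEFBQAwcDELMAkGA1UEBhMCVUsx",
  " Yhixw1aKEPzNjNowuIseVogKOLXxWI5vAi5HgXdS0/ES5gDGsABo4fqovUKlgop3",
  " RA==",
  " -----END CERTIFICATE-----",
  "Connection: close",
  "",
].join("\r\n")

# "Name: value" with optional whitespace around the value (RFC 2616 4.2).
HEADER_LINE = /\A([\w!#%&'*+.^|~-]+):[ \t]*(.*?)[ \t]*\z/

# Returns [request_line, headers]; header names are lower-cased and repeated
# headers are comma-joined. A line that is neither a header nor a folded
# continuation raises ArgumentError, which a server would map to a 400
# (design assumption of this example) rather than an internal error.
def parse_header_block(raw)
  lines = raw.split("\r\n")
  request_line = lines.shift
  headers = {}
  last = nil
  lines.each do |line|
    break if line.empty? # end of the header block
    if line.start_with?(" ", "\t")
      raise ArgumentError, "continuation line with no preceding header" unless last
      # Folded line: strip the leading SP/HT and join with a single SP.
      headers[last] << " " << line.sub(/\A[ \t]+/, "")
    elsif (m = HEADER_LINE.match(line))
      last = m[1].downcase
      headers[last] = headers.key?(last) ? (headers[last] << ", " << m[2]) : m[2].dup
    else
      raise ArgumentError, "malformed header line: #{line.inspect}"
    end
  end
  [request_line, headers]
end

# Rebuilds the PEM text from the unfolded header value so that something like
# OpenSSL::X509::Certificate.new could consume it. Returns nil when the value
# does not carry a BEGIN/END CERTIFICATE pair.
def pem_from_folded(value)
  m = /-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----/m.match(value)
  return nil unless m
  body = m[1].split(/\s+/).reject(&:empty?)
  "-----BEGIN CERTIFICATE-----\n#{body.join("\n")}\n-----END CERTIFICATE-----\n"
end

if __FILE__ == $0
  request_line, headers = parse_header_block(SAMPLE_REQUEST)
  puts request_line
  headers.each { |k, v| puts "#{k}: #{v}" }
  puts pem_from_folded(headers["x-ssl-certificate"])
end
```

Newer HTTP specifications (RFC 7230 section 3.2.4) deprecate line folding outside the message/http media type and require a server to either reject a folded request or replace each fold with SP before interpreting the field, which is what the example does; a server that instead fails with a 500 on such input is the behaviour described in the thread.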
