Hi there,
please find attached a patch proposal to reintroduce the HTTP-on-HTTPS
detection for OpenSSL 1.1.0. The feature is present up to 1.0.2; the
error codes are still in the 1.1.0 header files, but the detection
itself is gone.
Comments welcome!
Regards,
Rainer
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4304
Please log in as guest with password guest if prompted
--- ssl/record/ssl3_record.c 2016-01-14 10:51:33.000000000 +0100
+++ ssl/record/ssl3_record.c 2016-02-12 22:41:06.597510000 +0100
@@ -275,6 +275,20 @@
}
if ((version >> 8) != SSL3_VERSION_MAJOR) {
+ if (s->first_packet) {
+ /* Go back to start of packet */
+ p -= 5;
+ if ((strncmp("GET ", (char *)p, 4) == 0) ||
+ (strncmp("POST ", (char *)p, 5) == 0) ||
+ (strncmp("HEAD ", (char *)p, 5) == 0) ||
+ (strncmp("PUT ", (char *)p, 4) == 0)) {
+ SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_HTTP_REQUEST);
+ goto err;
+ } else if (strncmp("CONNECT", (char *)p, 7) == 0) {
+ SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_HTTPS_PROXY_REQUEST);
+ goto err;
+ }
+ }
SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
goto err;
}
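Review bot: The `CONNECT` comparison on the `else if` line reads 7 bytes from `p`, but after `p -= 5` the only bytes guaranteed to have been read into the packet at this point are the five-byte record header (that is what the rewind itself relies on), so the sixth and seventh bytes may lie past the data actually received. Comparing only what the header guarantees avoids the over-read while still classifying a proxy request: `} else if (strncmp("CONNE", (char *)p, 5) == 0) {`. The literal `5` in `p -= 5` would also read better as the existing `SSL3_RT_HEADER_LENGTH` macro, which ties the rewind to the length the code has actually consumed. Note that in the 1.1.0 tree the first-packet state appears to have moved from the `SSL` struct into the record layer (`RECORD_LAYER_is_first_record(&s->rlayer)`), so `s->first_packet` is worth confirming against the 1.1.0 headers before this builds. The enclosing `ssl3_get_record` starts and ends outside the hunk.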