On 03/04/2015 22:12, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
Of Salz, Rich
Sent: Friday, April 03, 2015 15:55
To: openssl-users@openssl.org
Subject: Re: [openssl-users] HTTP / HTTPS on same port

It is a hack.
That's debatable. What's so sacred about separating traffic by port? Valid TLS 
traffic and valid plaintext HTTP traffic are distinguishable - there aren't any 
ambiguous cases.

  Most people do it the other way and look for a G or P as the first letter.
Now *that* is a hack. And wrong, and broken. Looking at the first few bytes to 
see if they're 1) ASCII uppercase letters and 2) form the prefix of a valid 
HTTP command would be satisfactory.

Actually, I would code any HTTP request parser to accept
lower case, even if I would code request generators to
issue the standard request keywords in uppercase only
(as required by the spec).  Basic Postel principle
in action, really.

Additionally the HTTP/1.1 spec (RFC2616) explicitly
allows future method names to contain any US-ASCII
char except control chars (0x00..0x1F), space (0x20)
and the following separators: "()<>@,;:\\\"/[]?={}",
see RFC2616 section 5.1.1 which references the
definitions of token and CHAR in section 2.2.
In the updated HTTP/1.1 spec (RFC7230 et seq.),
the equivalent rules are in RFC7230 section 3.1.1
with token and tchar defined in section 3.2.6.

Another possibility for HTTP and HTTPS on the same
port is to implement RFC2817, which specifies a way
to use a HTTP request to switch a connection to HTTPS.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
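
The first-bytes check discussed in this thread, as an added example that is not code from any of the posters or from OpenSSL: it accepts a TLS handshake record header or an HTTP method made of RFC 7230 `tchar` bytes followed by a space, in either case. The function names, `MAX_METHOD_LEN` and the accepted minor-version range are assumptions of this sketch, and SSLv2-compatible hellos are not handled.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum proto { PROTO_NEED_MORE, PROTO_TLS, PROTO_HTTP, PROTO_UNKNOWN };

#define MAX_METHOD_LEN 32 /* assumed local limit, not taken from any RFC */

/* tchar per RFC 7230 section 3.2.6: ALPHA, DIGIT or one of !#$%&'*+-.^_`|~ */
static int is_tchar(unsigned char c)
{
    if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9'))
        return 1;
    return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* Classify the bytes peeked so far (for example with recv() and MSG_PEEK). */
enum proto classify_first_bytes(const unsigned char *buf, size_t len)
{
    size_t i;

    if (len == 0)
        return PROTO_NEED_MORE;
    /* TLS record header: type 0x16 (handshake), version major 0x03.
     * Minor versions 0x00..0x04 are accepted here (assumption). */
    if (buf[0] == 0x16) {
        if (len < 3)
            return PROTO_NEED_MORE;
        return (buf[1] == 0x03 && buf[2] <= 0x04) ? PROTO_TLS : PROTO_UNKNOWN;
    }
    /* HTTP request line: method = 1*tchar, terminated by a single SP. */
    for (i = 0; i < len && i <= MAX_METHOD_LEN; i++) {
        if (buf[i] == ' ')
            return i > 0 ? PROTO_HTTP : PROTO_UNKNOWN;
        if (!is_tchar(buf[i]))
            return PROTO_UNKNOWN;
    }
    return i > MAX_METHOD_LEN ? PROTO_UNKNOWN : PROTO_NEED_MORE;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    static const char *s[] = { "\x16\x03\x01", "get / HTTP/1.1", "M-SEARCH * ", "(GET / " };
    for (size_t i = 0; i < 4; i++)
        printf("%d\n", classify_first_bytes((const unsigned char *)s[i], strlen(s[i])));
    return 0;
}
```

Because 0x16 is a control character and therefore never a `tchar`, the two branches cannot both match the same input.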
