[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #45 from Reindl Harald --- Thank you! -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 Graham Leggett changed: What|Removed |Added Resolution|--- |FIXED Status|REOPENED|RESOLVED --- Comment #44 from Graham Leggett --- Backported to v2.4.38. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #43 from Reindl Harald --- i don't see much issues here because it just works all the time and with the patch even the correct port is reported over the whole stack > support for a facility which does not and cannot exist during 2.4.x it already works and that you need the first defualt vhost with explicit "SSLEngine On" is only a documentation issue and the only thing which needs adopted from the moment this patch is included is the documentation given that things like mod_h2 made it in 2.4.x i don#t see a reason why this couldn't -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #42 from William A. Rowe Jr. --- I see a lot of conflated issues here. The crux is that 1. A VirtualHost has one and only one port in httpd. This can be fixed in the next major release with a list of possible ports and moving the port of reference from the vhost to the conn struct. 2. SSLEngine Optional means processing the Upgrade: header to switch from http to http over TLS. Nothing else. The port remains 80, obviously! What I'm reading is that an unexpectedly successful attempt suggested support for a facility which does not and cannot exist during 2.4.x. This has come up on the dev list, and it seems the devs support the idea of multiple pontential ports supported by a single vhost. On the second point, because TLS is seen on the 443 connection, it is reported as TLS, but is reporting the wrong port because the wrong vhost was elected. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 Rainer Jung changed: What|Removed |Added Resolution|FIXED |--- Status|RESOLVED|REOPENED --- Comment #41 from Rainer Jung --- The issue was closed by the OP as FIXED/RESOLVED in error when he added comment #33. We still need to decide, whether the backport patch for r1829250 (trunk by jorton, backport by yann) gets applied (adding modssl_request_is_tls). It has not yet been proposed in STATUS yet. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #40 from Reindl Harald --- is there any *technical* reason that the perfectly working "factor-out-logic-to-determine-if-request-is-using-ssl-tls.patch" was not included in 2.4.34? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #39 from Eric Covener --- (In reply to Yann Ylavic from comment #37) > (In reply to Reindl Harald from comment #36) > > > > i simply don't understand why he steps in and argues back and forth with no > > intention to get it fixed but talking only about all sorts of workarounds > > which are not the intention of the bugreport > > All I see in Eric's arguments is a way to make your case work, even if it's > not the way you'd like to. You care about your case, he cares about all the > others case too, which shouldn't be broken by arbitrary change in "optional" > semantics... > > > > > i can assure you that the whole community of http-users is waiting many > > years and a lot of people will appreciate the oppotunity write a vhost > > config like this > > > > > > DocumentRoot "/www/contentlounge" > > ServerName contentlounge.rhsoft.net > > SSLEngine optional > > SSLCertificateFile "conf/ssl/rhsoft.net.pem" > > A lot of people would appreciate that, but surely not the whole community is waiting for it. With the patch, This still also requires a second, :443-only VH as the default/first-listed for *:443 as we revealed in a later comment (due to my intefering no less). Two vhosts for SSL and non-SSL is not revolutionary. I think a single vhost would be a good feature, and is similar to the non-LE mod_md stuff being discussed on dev@ (which you are required to post under an alias on because of your conflicts with people not named Eric Covener). But even this is not a slam dunk if it introduces addl complexity and multiple ways to do the same thing when there are already suitable options. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #38 from Reindl Harald --- please see the first comment https://bz.apache.org/bugzilla/show_bug.cgi?id=61519#c1 which pretty much explains "even if it's not the way you'd like to" from the begin when $_SERVER['SERVER_PORT'] gives you 80 instead of 443 and you are on a setup which uses 8080 and 8443 for wahtever reasons you are *not* able to construct a full-qualified url without heuristics guessing when $_SERVER['HTTPS'] is 'on' and $_SERVER['SERVER_PORT'] gives 8080 that you have to use 8443 for your URL in a confirmation email and you patch is fixing the whole issue which is finally more then the redirect for URLs with a missing trailing slash * HTTPS on * SERVER_PORT 443 * REQUEST_SCHEME https so it never was about "I tried to provide you two different workarounds but you are myopically focused on being right and playing some game that nobody else is playing" because i never play games i focus real technical solutions instead workarounds not covering the issue as a whole where it starts - not more and not less -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #37 from Yann Ylavic --- (In reply to Reindl Harald from comment #36) > > i simply don't understand why he steps in and argues back and forth with no > intention to get it fixed but talking only about all sorts of workarounds > which are not the intention of the bugreport All I see in Eric's arguments is a way to make your case work, even if it's not the way you'd like to. You care about your case, he cares about all the others case too, which shouldn't be broken by arbitrary change in "optional" semantics... > > i can assure you that the whole community of http-users is waiting many > years and a lot of people will appreciate the oppotunity write a vhost > config like this > > > DocumentRoot "/www/contentlounge" > ServerName contentlounge.rhsoft.net > SSLEngine optional > SSLCertificateFile "conf/ssl/rhsoft.net.pem" > Surely true, though current "optional" (starttls) users wouldn't want their different config to stop working. So you must accept that the team may have a wider view on this, and that directives not meant to work like this in the first place can't be reused at wish. They are dev@ discussion on how we could do this with a generalization of mod_md for instance, yet that may not be 2.4.x material because we care about compatibility *for everyone* in a stable release. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #36 from Reindl Harald --- @Yann Ylavic > If you don't want help from the *team* this is simply not true - it's only about the back and forth discussion of Eric in this bugreport with no intention to get that proper fixed as the patch does and it pretty sure will fix a lot of other border-cases in mod_ssl i simply don't understand why he steps in and argues back and forth with no intention to get it fixed but talking only about all sorts of workarounds which are not the intention of the bugreport i can assure you that the whole community of http-users is waiting many years and a lot of people will appreciate the oppotunity write a vhost config like this DocumentRoot "/www/contentlounge" ServerName contentlounge.rhsoft.net SSLEngine optional SSLCertificateFile "conf/ssl/rhsoft.net.pem" -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #35 from Eric Covener --- (In reply to Reindl Harald from comment #32) > @Eric Covener: > > > > I think I've been more than civil to you _despite_ your name. > > You are incapable of inoffensive, non-hysterical technical discussion > > your whole argumentation is "in my opinion you have to write 2 seperated > " and "your config is unusual and i don't care" Not at all, I don't really have an argument here. I was curious what your affected configuration was and even tested it. It took followups to ascertain what that was. I tried to provide you two different workarounds but you are myopically focused on being "right" and playing some game that nobody else is playing. > > https://bz.apache.org/bugzilla/show_bug.cgi?id=61519#c11 > "Maybe someone else feels more confident about the safety and more willing > to put up with reading your unnecessarily dramatic update" > > to be clear: so when you don't care at all please simply go away instead > waste both of our time and let some other person handle things - i wrote a > bugreport for httpd and not a letter to Eric Covener I do care about this bug for a variety of reasons, and I'm not about to take communications advice from a renowned shit-poster. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #34 from Yann Ylavic --- OK, but I kind of regret to have provided this patch now. If you don't want help from the *team*, you won't get it anymore since, as Eric said, you don't do much by yourself either. Strange strategy, may not last eternally... -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 Reindl Harald changed: What|Removed |Added Resolution|--- |FIXED Status|NEEDINFO|RESOLVED --- Comment #33 from Reindl Harald --- @Yann Ylavic: * https://bz.apache.org/bugzilla/attachment.cgi?id=35875 works * HTTPS on * SERVER_PORT 443 * REQUEST_SCHEME https all relevant environment variables are correct, redirect is correct, i will run some tests but think that can be put in production here THANK YOU! -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #32 from Reindl Harald --- @Eric Covener: > I think I've been more than civil to you _despite_ your name. > You are incapable of inoffensive, non-hysterical technical discussion your whole argumentation is "in my opinion you have to write 2 seperated " and "your config is unusual and i don't care" https://bz.apache.org/bugzilla/show_bug.cgi?id=61519#c11 "Maybe someone else feels more confident about the safety and more willing to put up with reading your unnecessarily dramatic update" to be clear: so when you don't care at all please simply go away instead waste both of our time and let some other person handle things - i wrote a bugreport for httpd and not a letter to Eric Covener -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #31 from Yann Ylavic --- Created attachment 35875 --> https://bz.apache.org/bugzilla/attachment.cgi?id=35875&action=edit r1829250 against 2.4.33 Commit from comment 27 which applies to 2.4.33. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #30 from Eric Covener --- (In reply to Reindl Harald from comment #26) > @Joe Orton thank you for step in > > @Eric Covener > > > Seems like 'Header edit' ought to work > > that would be a config which don't solve the problem because it would > redirect to https even when the initial request was not - and for global > configs: please don't get me wrong but i don't get why we discuss that much > forth and back when The 'Header edit' can be conditionalseveral ways > https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryslash itself has > to look at the HTTPS=ON and send the correct redirect instead dirty > workarounds no, mod_dir should never do such a thing directly, that kind of thing doesn't happen in each piece of code that might try to redirect. Your configuration is deviant and there are simple ways to get it to actually work, but it's your prerogative to try it or not. > for me it seems that you have a personal problem when you see my name and if > that's the case please reconsider your behavior when we talk about technical > issues - please step back from your defensive attitude and let us focus on > technical details I think I've been more than civil to you _despite_ your name. You are incapable of inoffensive, non-hysterical technical discussion. Maybe you don't know it. It is still a complete mystery how you can be so dependent and so combatitive at the same time. I don't know what weird reward system or trauma has reinforced this but I seriously suggest you reconsider your approach in working with other humans. > > not sure what script you're talking about > > the "index.php" which does the header('Location'); and not get > $_SERVER['HTTPS'] Doesn't seem relevant to how the redirect happens or how it might be altered. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #29 from Reindl Harald --- sorry but "but you'll probably need to adjust it for 2.4" is above my scope of get the behavior of 2.4.33 fixed with a rpm-rebuild + echo 'Patch #4 (httpd-factor-out-logic-to-determine-if-request-is-using-ssl-tls.patch):' Patch #4 (httpd-factor-out-logic-to-determine-if-request-is-using-ssl-tls.patch): + /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 patching file modules/ssl/mod_ssl.c Hunk #1 succeeded at 618 (offset -9 lines). patching file modules/ssl/ssl_engine_kernel.c Hunk #1 succeeded at 1336 (offset -166 lines). Hunk #2 succeeded at 1346 (offset -166 lines). patching file modules/ssl/ssl_private.h Hunk #1 FAILED at 1096. 1 out of 1 hunk FAILED -- saving rejects to file modules/ssl/ssl_private.h.rej patching file modules/ssl/ssl_util.c Hunk #1 succeeded at 106 (offset 6 lines). -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #28 from Joe Orton --- Try https://github.com/apache/httpd/commit/8bfdfb336ad229380adc307265c78942d859787d.patch but you'll probably need to adjust it for 2.4 -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #27 from Reindl Harald --- @Joe Orton https://svn.apache.org/viewvc?view=revision&revision=1829250 do i have too less coffee or is there no option to download the patch as a file for rpmbuild's %patch macro? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #26 from Reindl Harald --- @Joe Orton thank you for step in @Eric Covener > Seems like 'Header edit' ought to work that would be a config which don't solve the problem because it would redirect to https even when the initial request was not - and for global configs: please don't get me wrong but i don't get why we discuss that much forth and back when https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryslash itself has to look at the HTTPS=ON and send the correct redirect instead dirty workarounds for me it seems that you have a personal problem when you see my name and if that's the case please reconsider your behavior when we talk about technical issues - please step back from your defensive attitude and let us focus on technical details > not sure what script you're talking about the "index.php" which does the header('Location'); and not get $_SERVER['HTTPS'] -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #25 from Joe Orton --- Reindl, please try the patch from r1829250 -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #24 from Joe Orton --- Possibly those two hooks should use the same logic as ssl_hook_Fixup if (!(((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL)) && sslconn && (ssl = sslconn->ssl))) { return DECLINED; } -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 Eric Covener changed: What|Removed |Added Status|NEW |NEEDINFO --- Comment #23 from Eric Covener --- (In reply to Reindl Harald from comment #21) > > Have you tried editing the Location: header if HTTPS=ON? > > *please* take a short break and think abiut the issue as a wholöe > https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryslash > > HTTPD does the redirect to http:// long before the script, so you can't > prevent a intermediate non-https connection which is extremely bad Seems like 'Header edit' ought to work, not sure what script you're talking about. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #22 from Reindl Harald --- i try to explain it step by step: * https://example.com/cms * httpd redirects *before* any script to http://example.com/cms/ * after that 'index.php' is called the first time * this conenction is no longer https * HTTPS=ON is no longer true because of this there is no possible workaround in any script -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 Reindl Harald changed: What|Removed |Added Status|NEEDINFO|NEW --- Comment #21 from Reindl Harald --- > Have you tried editing the Location: header if HTTPS=ON? *please* take a short break and think abiut the issue as a wholöe https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryslash HTTPD does the redirect to http:// long before the script, so you can't prevent a intermediate non-https connection which is extremely bad -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 Eric Covener changed: What|Removed |Added Severity|critical|normal Status|NEW |NEEDINFO --- Comment #20 from Eric Covener --- Have you tried editing the Location: header if HTTPS=ON? Maybe it allows you to continue to misuse "SSLEngine optional" without breaking anyone else. Dropping severity as the config is invalid. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #19 from Luca Toscano --- (In reply to Reindl Harald from comment #18) > > and *no* there is no valid reason when "HTTPS on" is correctly set within > httpd that this rediect goes to http:// - would you please stop argue about > STARTTLS which is *not* the topic at all As already repeated a number of times in other places, please keep the tone of the conversation in a way that is respectful of others work. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #18 from Reindl Harald --- > If you just wanted them to connect over TLS to port 443 you > wouldn't bother with explicitly enabling STARTTLS the whole point of the config is to have one instead two mostly redundant and it works well besides a few issues the redirect we are talking here about is this: https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryslash and *no* there is no valid reason when "HTTPS on" is correctly set within httpd that this rediect goes to http:// - would you please stop argue about STARTTLS which is *not* the topic at all -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #17 from Eric Covener --- (In reply to Reindl Harald from comment #16) > even if - how does that justify a redirect from https://exmaple.com/cms to > http://example.com/cms/ which is a *downgrade* to unecrypted instead a > *uprade* to TLS I assume STARTTLS would be used on an http port. So the other end is supposed to cotinue using the upgraded connection or open and upgrade a new one. If you just wanted them to connect over TLS to port 443 you wouldn't bother with explicitly enabling STARTTLS. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #16 from Reindl Harald --- even if - how does that justify a redirect from https://exmaple.com/cms to http://example.com/cms/ which is a *downgrade* to unecrypted instead a *uprade* to TLS -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #15 from Eric Covener --- > anyways, i stell need to see any client that is using STARTTLS you are > talking the whole time about for http - when you type > "https://example.com/directory"; there is no STARTTLS at all The whole point is that you're using a configuration for STARTTLS but not using STARTLS. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #14 from Reindl Harald --- > It works for nearly everyone else that's just an opinion - "nearly everyone else" don't look on the details and mostly don't figure out from where random problems are coming or configures for 600 domains 1200 vhsost like a trained monkey that scaled in times when you had a few https hosts becasue you needed time and money for the certs but not now when Google announced that Chrome will start to warn on every non-https page anyways, i stell need to see any client that is using STARTTLS you are talking the whole time about for http - when you type "https://example.com/directory"; there is no STARTTLS at all at least your definition of STARTTLS is not compatible with the rest of the world and protocols like IMAP/POP3/SMTP where STARTTLS is always teh default service port and TLS/SSL is a different port - no browser is using anything like that on Port 443 and we are not talking about anything similar when the server listens on 443 and you type https:// in your client - port 80 is not part of the game at all > Even getting the port right is surprisingly not as simple as you'd think why? i can't imagine anything simpler for a server than to determine the port the client connected to -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #13 from Eric Covener --- (In reply to Reindl Harald from comment #12) > i doubt that "SSLengine optional" is STARTTLS, for sure not when you type > https:// in your browser - anyways, irrelevant, the port is just plain wrong > because with https:// the browser definitly don't connect to port 80 at all The manual says it's for starrtls, which you're not using, but it's what makes the absolute basics of your specific config appear to work until a redirect is generated. > and this all is a real problem because it introuces all sorts of hidden > troubles and currently the only solution would be configure the whole > twice which don't scale for larger setups It works for nearly everyone else. > > i don't know the internals but they should not be that complex to begin with > that in this context any problems can be triggered when a client just calls > "https://example.com/myfolder"; because the fact that it was https is > obviously known, the port itself is known on the network layer and > REQUEST_SCHEME is pretty simple known by the fact of "HTTPS on" is correct In the context of STARTTLS it seems reasonable. Optional was poorly named, but it was clearly never meant to be used for requests that already negotiated SSL at the connection level (in a default vhost). > what happens when you have without https part > of the game? does then also 80 "win" and why when it's pretty simple to konw > the port by the fact that there is a socket connection and config-guessing > is pretty useless because of that No, the port or absence of a port in the Host: header "wins". Even getting the port right is surprisingly not as simple as you'd think. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #12 from Reindl Harald --- i doubt that "SSLengine optional" is STARTTLS, for sure not when you type https:// in your browser - anyways, irrelevant, the port is just plain wrong because with https:// the browser definitly don't connect to port 80 at all the redirect to http:// because of a missing trailing slash wenn you call a directory with a DirectoryIndex-file is wrong when "HTTPS on" is known and this all is a real problem because it introuces all sorts of hidden troubles and currently the only solution would be configure the whole twice which don't scale for larger setups i don't know the internals but they should not be that complex to begin with that in this context any problems can be triggered when a client just calls "https://example.com/myfolder"; because the fact that it was https is obviously known, the port itself is known on the network layer and REQUEST_SCHEME is pretty simple known by the fact of "HTTPS on" is correct what happens when you have without https part of the game? does then also 80 "win" and why when it's pretty simple to konw the port by the fact that there is a socket connection and config-guessing is pretty useless because of that -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #11 from Eric Covener --- (In reply to Reindl Harald from comment #10) > HTTPS on > REQUEST_SCHEME http To recap, when you handshake with an "SSLEngine on" vhost then your request is handled by an "SSLEngine optional" (which means starttls) vhost, these two variables disagree and redirects send you to http://. The former is set by ssl_hook_Fixup and looks for the SSL connection-level config if the vhost has "sslengine optional". The bits that go into fully-qualifying a redirect do not look to see if SSL is currently active on the config: static const char *ssl_hook_http_scheme(const request_rec *r) { SSLSrvConfigRec *sc = mySrvConfig(r->server); if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) { return NULL; } return "https"; } static apr_port_t ssl_hook_default_port(const request_rec *r) { SSLSrvConfigRec *sc = mySrvConfig(r->server); if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) { return 0; } return 443; } I don't know if those decisions make sense for actual "SSLengine optional" which is starttls, not simultaneous SSL and non-SSL. It looks like you've misunderstood "SSLEngine optional" and are saving a few lines of copy/paste to use a broken configuration. Maybe a different "optional" value is needed to allow opt-in to this alt behavior for an obscure config. Maybe someone else feels more confident about the safety and more willing to put up with reading your unnecessarily dramatic updates. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 Reindl Harald changed: What|Removed |Added Status|NEEDINFO|NEW --- Comment #10 from Reindl Harald --- httpd has a completly split brain here Apache Environment from phpinfo(): HTTPS on SSL_TLS_SNI local.rhsoft.net HTTP_HOST local.rhsoft.net SERVER_NAME local.rhsoft.net SERVER_PORT 80 REQUEST_SCHEME http focus on the "HTTPS" which is corrent versus wrong "SERVER_PORT" and "REQUEST_SCHEME" - thi smakes it possible to put some hacks in php-libraries and overwrite it so that most scripts behave correctly but you can't hack the wrong redirect to http:// when one tries to access a folder without the trailing slash because that redirect is done by httpd itself and fianlyl you have a *real probem* in your client becasue proper sent cookies with secure-Flags are gone, logins don#t work, you don't realize that you unintenionally switched to unecnrypted and that leads to support calls for every single vhost which get mirgated to dual-stack and letsencrypt you *clearly* know the fact it's https, so REQUEST_SCHEME is easily to fix and you know the incoming port from the network layer - frankly there is no sane reason to get that wrong and set it to 80 when the lcient is connected to 443 -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #9 from Reindl Harald --- it IS worth when you have some hundrets of virtual hosts on dozens of machines which all have php_admin_value settings for open_basedir and so on and as we do migrate to everything-encrypted with letsencrypt certificates as you need to listen at port 80 even when you send HSTS headers and redirect after the first non-ssl connection this would mean 500 additional cloned definitions in our case we decide via DNS if a domain goes over the TLS-offloading proxy or if it is a low-traffic site directly to the apache server and so every contains the construct below RewriteEngine on RewriteCond %{CONN_REMOTE_ADDR} !^proxy-lan-ip RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} proxy-configuration is generated based on parsed vhost-config-files from the origins - including look at that redirect stuff to make the decision if the procy itself should redirect to https before contact the origin at all you *really* don't want to deal with hundrets of cloned VirtualHost-definiton or even worse with special treatment instead of such a unified "fits all" configuration -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #8 from Eric Covener --- > this bug makes this impossible because server-variables like > $_SERVER['SERVER_PORT'] giving 80 instead 443 to the script it's even not > possible to form a full-qualified URL within scripts yes, lots of stuff doesn't work with this unusual config. Is it worth putting *:80 in the same VHost? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #7 from Reindl Harald --- practical example: the folder /cms/ contains a "index.php" with header('Location: ../cms.php'); when you call the url with the traiing slash the relative redirect is sent-as-is to the client and all is fine without the trailing slash the typical httpd-redirect-behavior when calling folders without a trailing slash is triggered and since httpd don't "know" correctly about port/protocol somewhere deep insinde it redirects to http:// one could now say RFC mandates a fulkl-qualified redirect but the nature of this bug makes this impossible because server-variables like $_SERVER['SERVER_PORT'] giving 80 instead 443 to the script it's even not possible to form a full-qualified URL within scripts [harry@srv-rhsoft:~]$ curl --head https://local.rhsoft.net/cms/ HTTP/1.1 302 Found Date: Thu, 22 Mar 2018 11:54:17 GMT Location: ../cms.php X-Content-Type-Options: nosniff X-Response-Time: D=2584 us Cache-Control: no-cache, no-store Vary: Accept-Encoding,User-Agent Content-Type: text/html; charset=ISO-8859-1 [harry@srv-rhsoft:~]$ curl --head https://local.rhsoft.net/cms HTTP/1.1 301 Moved Permanently Date: Thu, 22 Mar 2018 11:54:32 GMT Location: http://local.rhsoft.net/cms/ Content-Type: text/html; charset=iso-8859-1 -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #6 from Reindl Harald --- i can remember that you need at least *one* default host with "SSLEngine On" to make mod_ssl initialize correctly and the others than can be combined ones [root@srv-rhsoft:~]$ cat conf/sites_enabled/-default.conf # letsencrypt-managed Require all denied Require all granted ServerName default.local.rhsoft.net ServerAlias default.rh.thelounge.net SSLCertificateFile "/var/lib/letsencrypt/certs/-default.conf_rsa.pem" SSLCertificateFile "/var/lib/letsencrypt/certs/-default.conf_ecdsa.pem" SSLEngine On Require all denied Require all granted i am 100% certain bcause i am the one-man-show serveradmin for the whole stack from switches over virtualization down to the php software running on top -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #5 from Eric Covener --- (In reply to Reindl Harald from comment #4) > nothing special here, a lot of vhosts configured that way on Fedora 26 / > Fedora 27 and it works also for any client as well as > https://www.ssllabs.com/ssltest/ > > curl-7.55.1-10.fc27.x86_64 > openssl-1.1.0g-1.fc27.x86_64 > httpd-2.4.33-3.0.fc27.20180321.rh.sandybridge.x86_64 > apr-1.6.3-6.0.fc27.20180318.rh.sandybridge.x86_64 > apr-util-1.6.1-4.0.fc27.20180318.rh.sandybridge.x86_64 Are you certain you're hitting the listed config and TLS isn't terminated somewhere else? related but separately helpful, can you add a unique access log to that vhost and append this to your logformat: Host=%{Host}i localport=%{local}p L=%{Location}o Via=%{Via}i to whatever your current logformat is? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #4 from Reindl Harald --- nothing special here, a lot of vhosts configured that way on Fedora 26 / Fedora 27 and it works also for any client as well as https://www.ssllabs.com/ssltest/ curl-7.55.1-10.fc27.x86_64 openssl-1.1.0g-1.fc27.x86_64 httpd-2.4.33-3.0.fc27.20180321.rh.sandybridge.x86_64 apr-1.6.3-6.0.fc27.20180318.rh.sandybridge.x86_64 apr-util-1.6.1-4.0.fc27.20180318.rh.sandybridge.x86_64 -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 Eric Covener changed: What|Removed |Added Status|NEW |NEEDINFO --- Comment #3 from Eric Covener --- Tried to look at this, but curl couldn't access my 'SSLEngine optional' vhost over https. Evidently 'SSLEngine optional' is meant to allow HTTPS upgrade over HTTP, not just optionally doing normal TLS on the connection. Some trick in your environment or envvar that influences curl? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #2 from Reindl Harald --- can we PLEASE get this bug fixed since it's root cause has a lot of implications in PHP header('Location: /something.php');on a site where you already are connected via https:// also leadins in httpd redirect to http://example.com/something.php with all sort of troubles i can reproduce this issue every single day when login into a demo-cms on my machine, the bookmark is https://, i just add cms/ tu the URL which redirect to the login-page and voila you lost you https-url -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 Reindl Harald changed: What|Removed |Added Severity|normal |critical -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 61519] "SSLEngine optional" and http:// redirects if traling slash in the url is missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519 --- Comment #1 from Reindl Harald --- my connection is for sure https:// because of the mod_rewrite and finally HSTS phpinfo(): SERVER_PORT 80 ServerName www.rhsoft.net SSLEngine Optional SSLUseStapling On SSLCertificateFile "certs/rhsoft-www.conf_rsa.pem" SSLCertificateFile "certs/rhsoft-www.conf_ecdsa.pem" RewriteEngine on RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} Header always set "Strict-Transport-Security" "max-age=31536000" -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org