Re: [Bug 9488] - HTTP/0.9 requests spoken on https port returns HTTP/1.0 response

2002-06-04 Thread Ben Laurie

Ryan Bloom wrote:
>> From: Ben Laurie [mailto:[EMAIL PROTECTED]]
>>
>> Cliff Woolley wrote:
>>
>>> On Mon, 3 Jun 2002, Ryan Bloom wrote:
>>>
>>>> I was actually just about to look at this problem if you are busy.
>>>
>>> Go for it... I'm working on something else.
>>
>> Perhaps it's just me, but I'm amused this is considered a bug.
>
> It's a security hole IMO.  The problem is that if you rewrite the URL
> .*, then the error URL that mod_ssl will be rewritten.  This means that
> you can serve information over HTTP that was supposed to be restricted
> to HTTPS.

Sorry, I don't understand this - seems like you missed a word or two out?

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff




RE: [Bug 9488] - HTTP/0.9 requests spoken on https port returns HTTP/1.0 response

2002-06-03 Thread Cliff Woolley

On Mon, 3 Jun 2002, Ryan Bloom wrote:

> through what happens if you have RewriteRule .* http://foo.com; in your
> config file when you send a non-SSL request to an SSL socket.  What
..
> Whatever you do to solve this, you need to ensure that if mod_ssl
> detects this error case, it doesn't make it look like a real request to
> the core server.

Yeah, I think we've actually had a PR where that happened to someone.  We
need a better way to send the notification of error down than this
/mod_ssl:error:HTTP-request thingy.

Thanks for mentioning this.

--Cliff
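
A toy model of the failure mode discussed in the message above, added here as an illustration; it is not Apache or mod_ssl code and not from the thread. Only the `/mod_ssl:error:HTTP-request` URI and the catch-all rule come from the messages; the `Request` class, the `ssl_error` flag and the reply strings are assumptions made for the sketch.

```python
import re
from dataclasses import dataclass

# URI named in the thread: mod_ssl's in-band marker for "plain HTTP on the SSL port".
ERROR_URI = "/mod_ssl:error:HTTP-request"
# Constructed catch-all rule mirroring "RewriteRule .* http://foo.com" from the thread.
CATCH_ALL = [(re.compile(r".*"), "http://foo.com")]
ERROR_REPLY = "400 plain HTTP spoken on the SSL port"

@dataclass
class Request:
    uri: str
    ssl_error: bool = False  # hypothetical out-of-band flag (hardened design only)

def ssl_layer(in_band: bool) -> Request:
    """Toy SSL layer that has just detected a non-SSL request on the SSL socket."""
    if in_band:
        # Design discussed in the thread: the error travels as an ordinary-looking URI.
        return Request(uri=ERROR_URI)
    # Hardened design: the error travels as metadata, not as a request to be mapped.
    return Request(uri=ERROR_URI, ssl_error=True)

def core_server(req: Request, rules) -> str:
    """Toy core: URL rewriting runs first, then the URI is mapped to a handler."""
    if req.ssl_error:
        return ERROR_REPLY  # answered before any rewrite rule sees it
    for pattern, target in rules:
        if pattern.match(req.uri):
            return f"rewritten to {target}"  # the error marker is gone
    if req.uri == ERROR_URI:
        return ERROR_REPLY
    return "200 OK"

if __name__ == "__main__":
    for in_band in (True, False):
        label = "in-band" if in_band else "out-of-band"
        print(label, "->", core_server(ssl_layer(in_band), CATCH_ALL))
```

With the in-band marker the catch-all rule consumes the error URI like any other request; with the flag the error reply is produced regardless of the rewrite configuration.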





RE: [Bug 9488] - HTTP/0.9 requests spoken on https port returns HTTP/1.0 response

2002-06-03 Thread Cliff Woolley

On Mon, 3 Jun 2002, Ryan Bloom wrote:

> I was actually just about to look at this problem if you are busy.

Go for it... I'm working on something else.

Thanks.




Re: [Bug 9488] - HTTP/0.9 requests spoken on https port returns HTTP/1.0 response

2002-06-03 Thread Ben Laurie

Cliff Woolley wrote:
> On Mon, 3 Jun 2002, Ryan Bloom wrote:
>
>> I was actually just about to look at this problem if you are busy.
>
> Go for it... I'm working on something else.

Perhaps it's just me, but I'm amused this is considered a bug.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff