Re: [Bug 9488] - HTTP/0.9 requests spoken on https port returns HTTP/1.0 response
Ryan Bloom wrote:

From: Ben Laurie [mailto:[EMAIL PROTECTED]]

Cliff Woolley wrote:

On Mon, 3 Jun 2002, Ryan Bloom wrote:

I was actually just about to look at this problem if you are busy.

Go for it... I'm working on something else.

Perhaps it's just me, but I'm amused this is considered a bug.

It's a security hole IMO. The problem is that if you rewrite the URL .*, then the error URL that mod_ssl will be rewritten. This means that you can serve information over HTTP that was supposed to be restricted to HTTPS.

Sorry, I don't understand this - seems like you missed a word or two out?

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff
RE: [Bug 9488] - HTTP/0.9 requests spoken on https port returns HTTP/1.0 response
On Mon, 3 Jun 2002, Ryan Bloom wrote:

through what happens if you have RewriteRule .* http://foo.com; in your config file when you send a non-SSL request to an SSL socket. What ..

Whatever you do to solve this, you need to ensure that if mod_ssl detects this error case, it doesn't make it look like a real request to the core server.

Yeah, I think we've actually had a PR where that happened to someone. We need a better way to send the notification of error down than this /mod_ssl:error:HTTP-request thingy. Thanks for mentioning this.

--Cliff
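The failure discussed in this message, as a simplified C model added here for illustration; it is not code from Apache, mod_ssl, or anyone in the thread. The struct, function names and first-byte heuristic are hypothetical; only the sentinel URI and the catch-all rewrite target come from the thread. It contrasts signalling the error in-band through the URI with carrying it in a separate flag that is checked before URI rewriting.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not Apache source. All names here are hypothetical. */
#define SENTINEL "/mod_ssl:error:HTTP-request"  /* in-band marker named in the thread */

typedef struct {
    char uri[128];
    int  plain_http_on_tls;  /* out-of-band error flag (assumed design) */
} request;

/* A TLS record starts with 0x16 (handshake); an SSLv2 hello sets the high bit.
   An uppercase ASCII letter first means cleartext HTTP arrived on the TLS port. */
static int looks_like_plain_http(const unsigned char *buf, size_t len) {
    if (len == 0) return 0;
    if (buf[0] == 0x16 || (buf[0] & 0x80)) return 0;
    return buf[0] >= 'A' && buf[0] <= 'Z';
}

/* Models the thread's catch-all "RewriteRule .* http://foo.com": every URI matches. */
static void rewrite_catch_all(request *r) {
    strcpy(r->uri, "http://foo.com");
}

/* Both handlers return 1 if the request ends as an error, 0 if it is
   processed like a normal request. */
static int handle_in_band(const unsigned char *buf, size_t len) {
    request r = { "/index.html", 0 };
    if (looks_like_plain_http(buf, len)) strcpy(r.uri, SENTINEL);
    rewrite_catch_all(&r);                /* the sentinel is rewritten like any URI */
    return strcmp(r.uri, SENTINEL) == 0;  /* error handling keyed on the URI */
}

static int handle_out_of_band(const unsigned char *buf, size_t len) {
    request r = { "/index.html", 0 };
    r.plain_http_on_tls = looks_like_plain_http(buf, len);
    if (r.plain_http_on_tls) return 1;    /* fail before any URI rewriting runs */
    rewrite_catch_all(&r);
    return 0;
}

int main(void) {
    const unsigned char plain[] = "GET /\r\n";                    /* constructed HTTP/0.9 request */
    const unsigned char tls[] = { 0x16, 0x03, 0x01, 0x00, 0x2f }; /* constructed record header */
    printf("in-band, plain HTTP:     error=%d\n", handle_in_band(plain, sizeof plain - 1));
    printf("out-of-band, plain HTTP: error=%d\n", handle_out_of_band(plain, sizeof plain - 1));
    printf("out-of-band, TLS:        error=%d\n", handle_out_of_band(tls, sizeof tls));
    return 0;
}
```

In the in-band variant the rewrite step overwrites the sentinel, so the cleartext request is no longer recognisable as an error by the time it is handled.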
RE: [Bug 9488] - HTTP/0.9 requests spoken on https port returns HTTP/1.0 response
On Mon, 3 Jun 2002, Ryan Bloom wrote:

I was actually just about to look at this problem if you are busy.

Go for it... I'm working on something else.

Thanks.
Re: [Bug 9488] - HTTP/0.9 requests spoken on https port returns HTTP/1.0 response
Cliff Woolley wrote:

On Mon, 3 Jun 2002, Ryan Bloom wrote:

I was actually just about to look at this problem if you are busy.

Go for it... I'm working on something else.

Perhaps it's just me, but I'm amused this is considered a bug.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff