httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 29744] - connect method don't work on ssl sockets
Date Fri, 09 Jul 2004 19:44:57 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=29744>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=29744

connect method don't work on ssl sockets

------- Additional Comments From rsnel@cube.dyndns.org  2004-07-09 19:44 -------
I have this problem also; let me explain a little bit further. I have configured
apache/mod_proxy to allow CONNECT requests to port 25 (and I have an http server
on port 80 and an https server on port 443).

On port 80 there is no problem:
---- transcript ----
> telnet <server> 80
Trying 192.168.2.2...
Connected to server.
Escape character is '^]'.
CONNECT localhost:25 HTTP/1.0

HTTP/1.0 200 Connection Established
Proxy-agent: Apache/2.0.49 (Gentoo/Linux) mod_ssl/2.0.49 OpenSSL/0.9.7d DAV/2 SVN/1.0.4

220 <server> ESMTP Postfix
----

When I do the same (using openssl s_client as ssl-aware telnet) on port 443,
something interesting happens:
----
>openssl s_client -connect server:443 -debug
[SNIP]
CONNECT localhost:25 HTTP/1.0
write to 080ADC10 [080B8098] (106 bytes => 106 (0x6A))
0000 - 17 03 00 00 20 be 08 8a-42 af f3 ee 82 a3 ca f2   .... ...B.......
0010 - 49 9a 74 f1 d4 28 f1 9e-3f 47 21 32 8a 7b 3b 85   I.t..(..?G!2.{;.
0020 - e5 03 11 8e 34 17 03 00-00 40 93 02 51 1d d9 86   ....4....@..Q...
0030 - 19 a2 bd ee 51 d2 75 39-ce 2c 8e 3f 7c 0f b1 26   ....Q.u9.,.?|..&
0040 - b0 43 5b 4b 25 5e 93 3d-f4 bb 0a 23 29 d5 25 49   .C[K%^.=...#).%I
0050 - 2f 61 46 c7 84 f9 ac cd-a4 77 e6 9e 74 09 60 2f   /aF......w..t.`/
0060 - f2 13 af ef f0 46 7c 61-60 e3                     .....F|a`.

write to 080ADC10 [080B8098] (74 bytes => 74 (0x4A))
0000 - 17 03 00 00 20 0c 0d 67-8e 91 3e f8 ed b0 19 97   .... ..g..>.....
0010 - 57 9d 84 b0 ff d4 ed 92-cb 4f a0 48 19 9a cb 2b   W........O.H...+
0020 - 0d 0e 74 f3 82 17 03 00-00 20 7c a3 fb 93 7c ef   ..t...... |...|.
0030 - 90 e2 ce bd 40 21 34 b9-17 40 58 7e 0a f8 b0 1d   ....@!4..@X~....
0040 - ed 65 1e cd a8 9b 49 52-cf c4                     .e....IR..
read from 080ADC10 [080B3888] (5 bytes => 5 (0x5))
0000 - 48 54 54 50 2f                                    HTTP/
write to 080ADC10 [080B8098] (37 bytes => 37 (0x25))
0000 - 15 54 54 00 20 3b 18 d2-4b 20 6f 47 59 c5 84 99   .TT. ;..K oGY...
0010 - 6d d6 14 ac c7 e2 c9 03-b2 89 22 dd 4c 29 52 b7   m.........".L)R.
0020 - 14 94 34 ec 53                                    ..4.S
2069:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:286:
write to 080ADC10 [080B8098] (37 bytes => 37 (0x25))
0000 - 15 54 54 00 20 60 90 0f-be 91 f6 5e c7 ea 5a 14   .TT. `.....^..Z.
0010 - 93 23 97 de ac ac 00 6c-8a c6 d0 74 88 3f 96 cf   .#.....l...t.?..
0020 - 46 5b 80 c9 d9                                    F[...
----

So the CONNECT request is sent to the server. It is received (according to
ssl_request_log) and accepted (according to ssl_access_log). The ssl client
bails out with an error because apache sends nonsense.

Speculation: the nonsense is "HTTP/" (as seen in the debug output above). It
seems that apache/mod_proxy is bypassing the ssl encryption and is answering
unencrypted. Since https is supposed to be 'http over ssl', the ssl encryption
should not be bypassed but should be maintained until the connection is closed.

I hope this description is helpful.
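An added diagnostic, not code from the report or from Apache: it parses the hex-dump format of the `openssl s_client -debug` output quoted above and reads the first five bytes of each chunk the way a TLS record layer does, which is why the cleartext `HTTP/` bytes surface as a "wrong version number" error. `SAMPLE_DEBUG` is a constructed, truncated excerpt of that dump.

```python
import re

# Constructed excerpt of the `openssl s_client -debug` output quoted in the report:
# the first lines of one record the client writes, then the 5 bytes it reads back.
SAMPLE_DEBUG = """\
write to 080ADC10 [080B8098] (106 bytes => 106 (0x6A))
0000 - 17 03 00 00 20 be 08 8a-42 af f3 ee 82 a3 ca f2   .... ...B.......
0010 - 49 9a 74 f1 d4 28 f1 9e-3f 47 21 32 8a 7b 3b 85   I.t..(..?G!2.{;.
read from 080ADC10 [080B3888] (5 bytes => 5 (0x5))
0000 - 48 54 54 50 2f                                    HTTP/
"""

CHUNK_RE = re.compile(r"^(read from|write to) .*?\((\d+) bytes")
# hex field: byte pairs separated by a space, or by '-' between byte 8 and byte 9
HEX_RE = re.compile(r"^[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -])*[0-9a-f]{2})")
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def parse_debug(text):
    """Group the hex-dump lines of an s_client -debug log into (direction, bytes) chunks."""
    chunks, direction, buf = [], None, bytearray()
    for line in text.splitlines():
        m = CHUNK_RE.match(line)
        if m:
            if direction is not None:
                chunks.append((direction, bytes(buf)))
            direction, buf = m.group(1), bytearray()
            continue
        h = HEX_RE.match(line)
        if h and direction is not None:
            buf += bytes.fromhex(re.sub(r"[ -]", "", h.group(1)))
    if direction is not None:
        chunks.append((direction, bytes(buf)))
    return chunks

def classify(data):
    """Read the first 5 bytes as a TLS record header (type, version, length), as SSL3_GET_RECORD does."""
    if len(data) < 5:
        return {"kind": "short"}
    ctype, version, length = data[0], (data[1], data[2]), int.from_bytes(data[3:5], "big")
    if ctype in CONTENT_TYPES and version[0] == 3:
        return {"kind": "tls", "content_type": CONTENT_TYPES[ctype],
                "version": "%d.%d" % version, "length": length}
    if data.startswith(b"HTTP/"):
        # 'T','T' land in the version field: 0x5454 is the "wrong version number"
        return {"kind": "cleartext_http", "bad_version": "0x%02x%02x" % version}
    return {"kind": "unknown"}

def diagnose(text):
    """Classify every chunk; a cleartext read right after an encrypted write is the bug's signature."""
    return [(direction, classify(data)) for direction, data in parse_debug(text)]
```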
