httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 29744] CONNECT does not work over existing SSL connection
Date Wed, 05 Mar 2008 17:07:13 GMT

--- Comment #57 from Emmanuel Elango <>  2008-03-05 09:07:12 ---
I dont see why CONNECT should not be supported over an SSL connection. I mean
after all a proxy is a proxy and ssl is ssl. The proxy should do its job and
ssl should do its.

I think writing directly to the socket instead of the handler that called it
not a great idea on the part of mod_proxy.

This is becoming a much needed functionality given the increasing
restrictiveness of corporate firewalls. If I (and others) get access only to
port 443 and I need to run a secure webserver as well as a proxy then apache is
the only solution. If I use SSHD then only I will benefit and others cannot use
the secure web server (since I cant be handing out ssh logins to all and
sundry). Most people do not get 2 IP addresses to run both SSHD and Apache

I have been running this patch on winxp for over 3 years now and it works
great. Managed to compile it using MSVC++. One can get a free one month ssl
certificate from rapidssl. Since this certificate will be verifiable from the
certificate store of all browsers (except for the expired date) it provides
fairly good security against a man in the middle attack too.

I think if this patch is made mainstream, interesting apps on bypassing
restrictive firewalls will make their appearance. I myself have one which I
have not released because of this unfixed issue.

Havent had problems with plain over SSLv3 or SSLv3 over SSLv3 using putty
and/or mozilla and my own app which does what stunnel does except that it
verifies the certificate (unlike stunnel).

Sometimes disconnects are a problem, but it could be because of intermediate
proxies. Setting keep-alives in putty does keep the connection going for a
fairly long time (a couple of hours at least).

In any case I think Apache has a rather intimidating attitude towards requests.
The default hypothesis seems to be that most requests are worthless. But then I
guess that the problem with the world. A few people control resources that
affect far too many people, some of whom may not even be aware of how it is
affecting or not affecting them. Look at our politicians or bureaucrats or even
our bosses within the organization. Some requests may be worthless, some may be
worth it, but demand is never a very great indicator at least in this case. I
am sure not many really cared whether man had to go to the moon, or whether
Mozart should have composed his famous pieces. After all these were paid for by
the majority since Mozart didnt possibly go farming in the mornings.

But why intimidation and sarcasm should always be part of the response I often
fail to understand.

Enough said I guess. Glad to help in case anyone needs help compiling or
setting up. I'd really like this to be included or else a fork to happen. Que
sera sera.

(In reply to comment #55)
> (In reply to comment #54)
> > I do not agree, we first need closure on the fact whether the Apache developers
> > want to support CONNECT over an SSL connection.
> You won't get that by posting here.  This isn't the dev list.
> >    There are cases where this
> > functionality is needed and useful, but as long as this is not acknowledge by
> > any of the developers, why should we bother with patches ?
> People have lots of demands on their time, and a chronic shortage of round
> tuits.  Evidently no committer sees a need for this (or it would have got their
> attention before now).  If anyone wants a patch, you have to convince us it's
> worth our time and effort to review it.
> > I also do not agree with your assessement of this bugreport. Did you try or use
> > the functionality yourself ? Did you have a problem with it ?
> I have no use for it.
> I took a look, because the sheer number of people subscribed seems to indicate
> a real demand.  But when I see numerous competing patches, and lots of comments
> about them not working, it's too much effort to figure out where to start.

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message