httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 29744] CONNECT does not work over existing SSL connection
Date Sun, 13 Sep 2009 20:55:39 GMT

--- Comment #93 from Ruediger Pluem 2009-09-13 22:55:29 CEST ---
(In reply to comment #92)
> (In reply to comment #86)

> About the other issue (Why don't we stick with direct socket communication with
> the backend)... well... my answer would be that if we use SSL that's probably
> because we do not want that traffic in having apache ignoring our
> security policy and replying directly into the socket hence bypassing the ssl
> layer is not nice (and IS buggy). I admit that the security issue is not a
> deadly one though :o) ! (but well... with some time and pain... that may be a
> nice door to something... use it as an oracle or... Shame I don't have time to
> dig and think about it...)

I still see confusion here over my comment. So I try to rephrase it:
The old code uses direct socket communication to the client *and* to the
In order to get the connection to the client encrypted the communication to the
client needed to be changed to go through the httpd connection filter stack
brings mod_ssl and its features in the game. I don't argue with this.
My point is the communication to the backend: There is *no* SSL encryption from
httpd side here, on the contrary it is explicitly turned off by calling
ap_proxy_ssl_disable(backconn). So where is the point of shoving all the data
through the filter stack when we do *not* want the filters to touch the data?
