From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: DO NOT REPLY [Bug 29744] CONNECT does not work over existing SSL connection
Date: Sun, 13 Sep 2009 13:55:39 -0700 (PDT)
Message-Id: <20090913205539.F0D3B234C046@brutus.apache.org>
X-Bugzilla-Product: Apache httpd-2
X-Bugzilla-Component: mod_proxy
X-Bugzilla-Keywords: PatchAvailable
X-Bugzilla-Severity: enhancement
X-Bugzilla-Who: rpluem@apache.org
X-Bugzilla-Status: ASSIGNED
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: bugs@httpd.apache.org

https://issues.apache.org/bugzilla/show_bug.cgi?id=29744

--- Comment #93 from Ruediger Pluem 2009-09-13 22:55:29 CEST ---

(In reply to comment #92)
> (In reply to comment #86)
> About the other issue (Why don't we stick with direct socket communication with
> the backend)... well... my answer would be that if we use SSL that's probably
> because we do not want that traffic in clear... so having Apache ignore our
> security policy and reply directly into the socket, hence bypassing the SSL
> layer, is not nice (and IS buggy). I admit that the security issue is not a
> deadly one though :o) ! (but well... with some time and pain... that may be a
> nice door to something... use it as an oracle or... Shame I don't have time to
> dig and think about it...)

I still see confusion here over my comment. So I try to rephrase it:

The old code uses direct socket communication to the client *and* to the backend. In order to get the connection to the client encrypted, the communication to the client needed to be changed to go through the httpd connection filter stack, which brings mod_ssl and its features into the game. I don't argue with this.

My point is the communication to the backend: there is *no* SSL encryption from the httpd side here; on the contrary, it is explicitly turned off by calling ap_proxy_ssl_disable(backconn). So where is the point of shoving all the data through the filter stack when we do *not* want the filters to touch the data?

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
You are receiving this mail because: You are the assignee for the bug.