Subject [Bug 57615] HTTPS CONNECT target hostname incorrectly validated against HTTPS SNI hostname, which prevents CONNECTions to anywhere but the same hostname
Date Wed, 25 Feb 2015 11:11:04 GMT

Kaspar Brand <> changed:

           What    |Removed                     |Added
             Status|NEW                         |NEEDINFO

--- Comment #2 from Kaspar Brand <> ---
(In reply to Stephen Kent from comment #0)

I have quite some doubts that this applies to 2.4.10 - did you really reproduce
it with this specific version?

A fix similar to the one you're proposing was originally suggested on httpd-dev
in December 2013 [1], and a somewhat more generic solution was finally backported
to 2.4.8 with r1573362.

> SECOND PART: With the temporary patch above applied, I still can't CONNECT
> to anywhere but the same hostname. Instead of a 400 Bad Request, I receive a
> 405 Method Not Allowed.

This might be caused by mod_proxy_connect not being loaded in your setup.

> If CONNECT requests are to work on HTTPS proxies that use SNI to distinguish
> VirtualHosts, then both of the above parts should be fixed.

Just for the record: this continues to be non-standard use of the CONNECT
method. As discussed in [1], the RFCs don't apply to CONNECT requests being
sent in a TLS-protected connection - section 4.3.6 in RFC 7231 (from the series
of the rewritten HTTP/1.1 RFCs) states:

> Tunnels are commonly used to create an end-to-end virtual connection, through
> one or more proxies, which can then be secured using TLS (Transport
> Layer Security, [RFC5246]).

(note the "which can then [...]")
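For readers following the 405 remark above, the following is an added httpd configuration example (not part of the bug report or of Kaspar Brand's comment) showing a TLS-terminating forward-proxy vhost with mod_proxy_connect loaded and CONNECT restricted to port 443 and to a trusted client network; the hostname, certificate paths and client subnet are placeholders.

```apache
# Modules needed for CONNECT tunnelling through an httpd forward proxy.
# Without mod_proxy_connect, a CONNECT request is answered with 405.
LoadModule ssl_module           modules/mod_ssl.so
LoadModule proxy_module         modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so

Listen 8443

# Assumed vhost: clients reach the proxy itself over TLS and send CONNECT inside
# the tunnel (the non-standard arrangement discussed in the comment above).
<VirtualHost *:8443>
    ServerName proxy.example.test        # placeholder
    SSLEngine on
    SSLCertificateFile    /etc/ssl/proxy.example.test.crt   # placeholder
    SSLCertificateKeyFile /etc/ssl/proxy.example.test.key   # placeholder

    # Forward proxying is opt-in; never enable it on a vhost exposed to
    # arbitrary clients without the access control below.
    ProxyRequests On

    # Only allow tunnels to HTTPS ports, not to arbitrary internal services.
    AllowCONNECT 443

    # Restrict who may use the proxy at all (placeholder client network).
    <Proxy "*">
        Require ip 10.0.0.0/8
    </Proxy>

    LogLevel proxy:info ssl:warn
    ErrorLog  logs/proxy_error_log
    CustomLog logs/proxy_access_log combined
</VirtualHost>
```

Check with `apachectl -M | grep proxy_connect` that the module is actually loaded before attributing a 405 to hostname validation.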
