httpd-dev mailing list archives

From Ben Laurie
Subject Re: security holes and other fun stuff
Date Tue, 16 Jul 1996 14:19:16 GMT
Alexei Kosut wrote:
> On Mon, 15 Jul 1996, sameer wrote:
> > > Hmm. No. I think the real solution (and http11.patch has this in it, btw,
> > > since the HTTP/1.1 spec mandates it*) is to change line 376 from ": 0" to
> > > ": 80". Try that, see if it works.
> > 
> > 	OK. I'll have to futz with stuff to make it say "443" if the
> > user is connecting with SSL.
> Yep, because 443 is the default port for SSL. Just like over in
> check_fulluri(), you'll have to look for https:// instead of http:// -
> which brings up a very interesting question: can you do SSL on ports
> other than 443? If so, how does a server that supports both HTTP and
> SSLized HTTP know which one to use if the port isn't 80/443? Would it
> have to be configured such? (I guess so, because they didn't
> just use 80 in the first place)

Yes, you can use any port for SSL. Apache-SSL is configured to do HTTP by
putting "SSLDisable" in the virtual host section (or wherever).

> > 	Your note below is interesting, because *NETSCAPE* doesn't
> > send :port when connecting to servers (at least not for ports 443 and
> > 80). I like the no default port behavior, I only wish netscape would
> > be compliant.
> It sends them when you type them into the URL field (or a link
> does). For example, telling Netscape "http://foo/" will send "Host:
> foo". "http://foo:3456" will send "Host: foo:3456". "http://foo:80"
> will send "Host: foo:80". I don't do any SSL, but I imagine for
> "https://foo/" it would send "Host: foo" and "https://foo:4567" it
> would send "Host: foo:4567". But I don't know. SSL is an interesting
> creature, because it pretends to be HTTP, but isn't; HTTP's default
> port number is 80, SSL's is 443. I imagine that can cause
> problems like this.

It causes a whole _pile_ of problems in a server which can do both, which I
am currently working through. Expect Apache-SSL 1.1.1+1.3 soon.

Should the port fix go into 1.1.2?



Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant and    Fax:   +44 (181) 994 6472
Technical Director          Email:
A.L. Digital Ltd,           URL:
London, England.
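
Added example, not part of the original message and not Apache or Apache-SSL code: a sketch of the port handling the thread discusses, where a Host header without ":port" takes its default from whether the connection is SSL (443) or plain HTTP (80) rather than 0. The function names, the `conn_is_ssl` flag and the virtual-host comparison are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper. Returns the port a Host header value refers to,
 * or -1 if the value is malformed. With no ":port" the default depends on
 * whether the connection is SSL, which the server knows only from its own
 * configuration (the client does not say). */
int host_header_port(const char *host, int conn_is_ssl)
{
    const char *colon;
    char *end;
    long port;

    if (host == NULL || *host == '\0' || *host == ':')
        return -1;                          /* missing or empty host name */
    colon = strchr(host, ':');
    if (colon == NULL)
        return conn_is_ssl ? 443 : 80;      /* scheme default, not 0 */
    if (!isdigit((unsigned char)colon[1]))
        return -1;                          /* "foo:" or "foo:abc" */
    port = strtol(colon + 1, &end, 10);
    if (*end != '\0' || port < 1 || port > 65535)
        return -1;                          /* trailing junk or out of range */
    return (int)port;
}

/* Hypothetical helper. Returns 1 if the Host header names this virtual
 * host on this port, else 0. "foo" and "foo:443" are the same host on an
 * SSL connection; "foo" and "foo:80" are the same on a plain one. */
int host_matches_vhost(const char *host, const char *vhost_name,
                       int vhost_port, int conn_is_ssl)
{
    const char *colon;
    size_t name_len;
    int port = host_header_port(host, conn_is_ssl);

    if (port < 0 || port != vhost_port)
        return 0;                           /* malformed or wrong port */
    colon = strchr(host, ':');
    name_len = colon ? (size_t)(colon - host) : strlen(host);
    return name_len == strlen(vhost_name) &&
           strncasecmp(host, vhost_name, name_len) == 0;
}
```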
