From: gebser@ameritech.net
To: users@httpd.apache.org
Date: Mon, 31 Mar 2003 21:42:46 -0500 (EST)
In-Reply-To: <20030331181604.7413.qmail@web13201.mail.yahoo.com>
Subject: Re: [users@httpd] How does HTTPS work?

I think you're mixing up http(s) headers and packet headers. The latter
are visible to the proxy server but not the former.

ken

At 10:16 (UTC-0800) on Mon, 31 Mar 2003 Rufoo said:

= What misled me is that I forgot that HTTPS communication takes over a
= totally different port - 443 and not 80, that is both http and https
= cannot go over the same wire.
=
= Now, how do proxies work for https? proxies rely on the http(s)
= headers, which are now not available. Also, what is the semantics for
= page caching?
=
= Thanks
= rf
=
= --- Jurgen wrote:
= > Well rf,
= >
= > there are no headers to see because all of it is encrypted. You will
= > not be able to read anything at all.
= > Imagine the web server sets a cookie as a session id for a login
= > into sensitive data. The browser would submit the cookie in the http
= > headers and anyone listening could simply join the session and act
= > as the actual owner of the account with the sensitive data.
= > The connection established between the client and server is an
= > encrypted connection where absolutely everything is encrypted
= > through a secure socket. That's why it is called secure socket layer
= > (SSL) and not secure http layer, which could be the name of what you
= > seem to think.
= > The secure socket layer is simply a layer between tcp and http.
= > Somehow embedded in the secure socket layer is a regular http
= > connection.
= >
= > You also seem to have a wrong perception of headers. An http
= > connection is not really something sophisticated from the
= > transmission point of view. The client simply transmits a chunk of
= > text and the server answers with another chunk. That's it. Not even
= > the headers are transmitted in a separate way. They are simply the
= > start of this chunk of text separated by 2 line breaks. In https
= > when these headers are transmitted they are just a part of the
= > encrypted chunk of text and therefore you can't read them.
= >
= > If there is anything you don't understand now let us know.
= >
= > Jurgen
= >
= > On Mon, 31 Mar 2003 03:04:05 -0800 (PST)
= > Rufoo wrote:
= >
= > > --- Boyle Owen wrote:
= > > > > -----Original Message-----
= > > > > From: Rufoo [mailto:rufoo2001@yahoo.com]
= > > > >
= > > > > For a https:// url, after the browser and server negotiate on
= > > > > the certificates and the session key, the browser encrypts all
= > > > > the communication with this key.
= > > > > I want to see a 'sample HTTPS session', with the browser doing
= > > > > the above and then sending the GET/POST request with the
= > > > > encrypted content.
= > > > > Are any additional headers sent in the case of HTTPS?
= > > >
= > > > How can you see the session if it's all encrypted :-)
= > > >
= > >
= > > I do not want to *understand* or *interpret* the data, I just want
= > > to see the HTTP Headers (which I don't think are encrypted)
= > > followed by the MIME part of the encrypted data (Yeah this is
= > > another question - is the encrypted data sent as HTTP body or as a
= > > MIME part?).
= > >
= > > > The HTTPS protocol is quite different from HTTP - it starts off
= > > > with client_hello and server_hello and so on. Once the session is
= > > > established, it is plain HTTP but all requests and responses are
= > > > encrypted. Check out the mod_ssl docs for an overview
= > > > (http://www.modssl.org/docs/2.8/ssl_intro.html) and the refs
= > > > therein (esp. http://wp.netscape.com/eng/ssl3/draft302.txt)
= > > >
= > >
= > > This doc says the SSL layer sits in between TCP and HTTP. So I am
= > > interested in what SSL writes over TCP. I do not want it all, just
= > > a simple example as ordinary HTTP is explained in
= > > http://www.jmarshall.com/easy/http/
= > >
= > > > >
= > > > > Looking at the RAW HTTP data, can one identify if it's a http
= > > > > session or https session?
= > > >
= > > > If you can read it, it's not HTTPS...
= > > >
= > >
= > > Now that I have explained what I am really looking for, I ask this
= > > again: When the SSL layer writes to the TCP layer, does it put any
= > > additional headers that identify that this URL has an 'https'. Do
= > > not say that if you cannot read the body content it is https - I
= > > might be sending the same over plain http too. I hope you get it.
= > >
= > > Thanks again, and if this is not related to this mailing list,
= > > please let me know who can help me.
= > > -rf

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
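
Added example, not part of the original thread: the question of whether anything on the wire identifies an HTTPS session can be answered from the first bytes a client sends, because SSLv3/TLS frames everything in records with a 5-byte cleartext header while plain HTTP opens with a readable request line. The function names and the sample byte strings below are constructed for this illustration.

```python
import struct

# Content type is the first byte of every SSLv3/TLS record and is sent in clear.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT")

def parse_record_header(data):
    """Return (content_type, (major, minor), length) or None if not a record."""
    if len(data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    # Major version is 3 for SSLv3 and TLS; a record body is at most 2^14+2048 bytes.
    if ctype not in CONTENT_TYPES or major != 3 or length > 2**14 + 2048:
        return None
    return CONTENT_TYPES[ctype], (major, minor), length

def classify_stream(first_bytes):
    """Classify the first bytes a client sends on a new TCP connection."""
    rec = parse_record_header(first_bytes)
    if rec:
        # Byte 5 is the handshake message type; 1 means client_hello.
        if rec[0] == "handshake" and first_bytes[5:6] == b"\x01":
            return "ssl/tls client_hello"
        return "ssl/tls " + rec[0]
    # Older clients open with an SSLv2-format hello: high bit set, then type 1.
    if len(first_bytes) >= 3 and first_bytes[0] & 0x80 and first_bytes[2] == 1:
        return "sslv2-format client_hello"
    # Plain HTTP begins with a readable request line: METHOD target HTTP/x.y
    parts = first_bytes.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/"):
        return "plain http " + parts[0].decode()
    return "unknown"

# Constructed samples (not captured traffic).
CLIENT_HELLO = bytes([0x16, 0x03, 0x00, 0x00, 0x2D, 0x01, 0x00, 0x00, 0x29, 0x03, 0x00])
V2_HELLO = bytes([0x80, 0x2E, 0x01, 0x03, 0x00])
APP_DATA = bytes([0x17, 0x03, 0x00, 0x00, 0x20]) + bytes(32)  # zero filler for ciphertext
PLAIN_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nCookie: sid=abc123\r\n\r\n"
# Opaque body sent over plain HTTP: the request line and headers are still readable.
OPAQUE_POST = b"POST /upload HTTP/1.1\r\nContent-Length: 4\r\n\r\n\x9f\x01\xfe\x7a"

if __name__ == "__main__":
    for name in ("CLIENT_HELLO", "V2_HELLO", "APP_DATA", "PLAIN_GET", "OPAQUE_POST"):
        print(f"{name:12} -> {classify_stream(globals()[name])}")
```

In the APP_DATA case the HTTP request line, headers and any cookie sit inside the encrypted record body; only the five header bytes are readable to an observer.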