httpd-users mailing list archives

From Michael Stapelberg <mich...@maxspot.de>
Subject [users@httpd] mod_ssl: using connection: upgrade leaves plaintext in reply
Date Thu, 21 Dec 2006 22:58:39 GMT
Hello,

I'm just struggling around with using Connection: Upgrade. I issue a GET /
HTTP/1.1-request (see bottom for the exact one) and the part of the reply
which is generated by php is sent in cleartext (the client naturally doesn't
want to accept that and closes the connection):

[pid 16349] recv(8,
"\24\3\1\0\1\1\26\3\1\0000f\212W\335\273\16L\352\357\3054\32\204\311\376
\264a4l\3670\17\303e\224\202\370!\361\271\311\320\360\356\210ZN\255w\314
~\351\377=}\250irfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobar",
2048, 0) = 119

PHP-script is:
<?php
for ($i = 0; $i < 10; $i++)
	echo "foobar";
?>

How to reproduce:
Download http://people.apache.org/~bnicholes/tlsupgrade/tlsupgrade.c
Compile it using gcc -lssl -o tlsupgrade tlsupgrade.c
Run it using: strace -s 2048 ./tlsupgrade http://localhost/index.php
(Replace the address of your test server and file if necessary)
Then look out for the first 5 bytes of the cleartext (fooba in my case) which
will appear in the reply.

If you use ./tlsupgrade <URL> -u, it will issue OPTIONS * HTTP/1.1 before
using Upgrade: TLS/1.0 which will lead to an empty 200-reply before another
request is made... This usually works without any problems.

So, in conclusion: The request that causes problems is:
GET /index.php HTTP/1.1
Host: localhost
Upgrade: TLS/1.0
Connection: Upgrade

I am using Apache 2.2.3 on Debian Linux (unstable).

Is this a bug? I think so. I'd be thankful for any patches or ideas where/how
to patch it.

Best regards,
Michael Stapelberg

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
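
Added example, not part of the original post: a Python check that walks the TLS record layer of a captured buffer and reports where well-formed records end and unframed bytes begin, which is the condition visible in the recv() trace above. The sample buffer is constructed: its record headers and lengths follow the escaped bytes in the trace (a 1-byte ChangeCipherSpec record, a 48-byte handshake record, then the script output), the encrypted body is filler, and the function names are hypothetical.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # upper bound for a TLSCiphertext fragment


def walk_tls_records(buf):
    """Return (records, offset, leftover) for a captured byte buffer.

    records  -- (type_name, length) for each complete, well-formed record
    offset   -- index of the first byte that is not inside a valid record
    leftover -- bytes from offset onwards (empty when the stream is clean)
    """
    records, pos = [], 0
    while pos < len(buf):
        header = buf[pos:pos + 5]
        if len(header) < 5:
            break  # truncated header: more data needed, or junk
        ctype, major, _minor, length = struct.unpack("!BBBH", header)
        if ctype not in CONTENT_TYPES or major != 3 or length > MAX_RECORD_LEN:
            break  # these bytes are not a TLS record header
        if pos + 5 + length > len(buf):
            break  # record body incomplete in this capture
        records.append((CONTENT_TYPES[ctype], length))
        pos += 5 + length
    return records, pos, buf[pos:]


def looks_like_plaintext(data, threshold=0.9):
    """Heuristic: mostly printable ASCII suggests unencrypted payload."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold


# Constructed sample, 119 bytes like the recv() in the trace:
# ChangeCipherSpec, a 48-byte handshake record (filler instead of the real
# ciphertext), then the PHP output with no record framing around it.
SAMPLE = (b"\x14\x03\x01\x00\x01\x01"
          + b"\x16\x03\x01\x00\x30" + bytes(range(0x80, 0xB0))
          + b"foobar" * 10)

if __name__ == "__main__":
    recs, off, rest = walk_tls_records(SAMPLE)
    print(recs, off, looks_like_plaintext(rest), rest[:5])
```

Run against bytes captured after the handshake completes, a non-empty leftover that also passes the printable-ASCII heuristic indicates response data written to the socket outside the TLS record layer.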

