Date: Wed, 11 Apr 2007 08:11:50 +0200
From: "Boyle Owen"
Subject: RE: [users@httpd] Browser sends complete URL before SSL ?

> -----Original Message-----
> From: Puskás Zsolt ( Errotan ) [mailto:errotan@gmail.com]
> Sent: Tuesday, April 10, 2007 5:17 PM
> To: users@httpd.apache.org
> Subject: [users@httpd] Browser sends complete URL before SSL ?
>
> Hi all.
>
> I have a working apache2 server with ssl and I thought about
> if a client
> browser connects to the server with the URL like
> https://www.example.com/somedir/file.html the browser sends
> the full url in
> plaintext

No - this does not happen.

> ..or connects to example.com encrypts the channel and
> then sends the
> remaining /somedir/file.html ?

Yes - sort of... The HTTPS layer is like a wrapper around the HTTP protocol. The SSL session is established using only the TCP/IP attributes of the request (i.e., IP address and port). Once the encrypted channel is open, the HTTP frame (containing the hostname, URL, cookies, etc.) is sent. So all client data is encrypted.

BTW, this is exactly the reason that name-based VHs can't work under SSL.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

> If it sends in plaintext I
> have to rewrite
> lots of php scripts for security :( .
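
The ordering described in the reply above can be checked with a TLS client whose "socket" is an in-memory buffer, so every byte that would reach the network before the server answers can be inspected. This is an added example, not part of the original thread; the function names and the cookie value are constructed for illustration. With a current TLS library the host name also appears in the ClientHello (the SNI extension), which is a property of the library used here and not something stated in the thread.

```python
import ssl

HOST = "www.example.com"        # host and path taken from the question above
PATH = "/somedir/file.html"
REQUEST = (f"GET {PATH} HTTP/1.1\r\nHost: {HOST}\r\n"
           "Cookie: session=constructed-value\r\n\r\n").encode()  # constructed sample

def first_flight(host, request):
    """Return (wire_bytes, request_accepted) for a client that has sent its
    opening TLS message but has not yet received anything from the server."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()  # stand-ins for the TCP socket
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        tls.do_handshake()       # emits the ClientHello, then needs the server's reply
    except ssl.SSLWantReadError:
        pass
    accepted = True
    try:
        tls.write(request)       # HTTP data cannot leave before the handshake completes
    except ssl.SSLWantReadError:
        accepted = False
    return outgoing.read(), accepted

def report(wire):
    """Summarise what an on-path observer could read in the captured bytes."""
    return {
        "record_type": wire[0],      # 0x16 = TLS handshake record
        "handshake_type": wire[5],   # 0x01 = ClientHello
        "path_on_wire": PATH.encode() in wire,
        "cookie_on_wire": b"constructed-value" in wire,
        "sni_on_wire": HOST.encode() in wire,
    }

if __name__ == "__main__":
    wire, accepted = first_flight(HOST, REQUEST)
    print("request accepted before handshake:", accepted)
    for key, value in report(wire).items():
        print(f"{key}: {value}")
```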