trafficserver-dev mailing list archives

From "Leif Hedstrom (JIRA)" <j...@apache.org>
Subject [jira] Commented: (TS-295) Allowing HTTP CONNECT to be used on non-SSL ports
Date Thu, 15 Apr 2010 23:22:50 GMT

    [ https://issues.apache.org/jira/browse/TS-295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12857589#action_12857589 ]

Leif Hedstrom commented on TS-295:
----------------------------------

As we discussed on #traffic-server, we should create a separate configuration for this, which
defaults to the "old" SSL ports (just for compatibility). Setting this config to "" would
disable all connects entirely.

We should also disassociate the YTS code for this from SSL. Right now, all the functions /
defines etc. are SSL related, and so are the error messages. We should change that as well,
e.g. where the code is now

    if ((method == HTTP_WKSIDX_CONNECT) && (!is_ssl_port_ok(s, incoming_hdr->url_get()->port_get()))) {
      return BAD_SSL_PORT;
    }


we should change to something like

    if ((method == HTTP_WKSIDX_CONNECT) && (!is_connect_port_ok(s, incoming_hdr->url_get()->port_get()))) {
      return BAD_CONNECT_PORT;
    }

(as far as I can tell, the BAD_SSL_PORT is only used for this case with CONNECT, and it makes
zero sense to me).


And likewise for the error message that we generate, it ought to say something like

    build_error_response(s,
                         HTTP_STATUS_FORBIDDEN,
                         "Tunnel Forbidden",
                         "access#tunnel_forbidden",
                         "%d is not an allowed port for Tunnel connections", port);

> Allowing HTTP CONNECT to be used on non-SSL ports
> -------------------------------------------------
>
>                 Key: TS-295
>                 URL: https://issues.apache.org/jira/browse/TS-295
>             Project: Traffic Server
>          Issue Type: Improvement
>    Affects Versions: 2.0.0
>         Environment: All?
>            Reporter: Marcus Clyne
>            Priority: Minor
>
> Currently HTTP CONNECT can only be used on ports designated as SSL ports in the config file, even if SSL is not used.
> It seems more sensible to add a config option to specify which ports can be tunneled through using CONNECT's, perhaps defaulting to the SSL ports, but not being limited to them.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
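
A sketch of the dedicated CONNECT port allowlist proposed in the comment above, as an added example that is not Traffic Server code and not part of the original message. The setting syntax (whitespace-separated ports and `low-high` ranges), the sample value `"443 563"`, the `PortRanges` type, `parse_port`, `parse_connect_ports` and this signature of `is_connect_port_ok` are all assumptions made for illustration.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

// Hypothetical allowlist type: inclusive [low, high] port ranges.
using PortRanges = std::vector<std::pair<int, int>>;

// Strict port parse: decimal digits only, 1..65535. Returns -1 on any error.
static int parse_port(const std::string &text) {
  if (text.empty() || text.size() > 5) return -1;
  int value = 0;
  for (char c : text) {
    if (c < '0' || c > '9') return -1;
    value = value * 10 + (c - '0');
  }
  return (value >= 1 && value <= 65535) ? value : -1;
}

// Parse the (assumed) setting syntax. "" yields an empty list, which refuses
// every CONNECT; a malformed token also yields an empty list (fail closed).
PortRanges parse_connect_ports(const std::string &setting) {
  PortRanges ranges;
  std::istringstream tokens(setting);
  std::string token;
  while (tokens >> token) {
    std::size_t dash = token.find('-');
    int low = parse_port(token.substr(0, dash));
    int high = (dash == std::string::npos) ? low : parse_port(token.substr(dash + 1));
    if (low < 0 || high < 0 || low > high) return {};
    ranges.emplace_back(low, high);
  }
  return ranges;
}

// Stand-in for the is_connect_port_ok() check named in the comment.
bool is_connect_port_ok(const PortRanges &allowed, int port) {
  for (const auto &range : allowed)
    if (port >= range.first && port <= range.second) return true;
  return false;
}

int main() {
  const PortRanges allowed = parse_connect_ports("443 563"); // constructed sample value
  for (int port : {443, 25})
    std::cout << port << (is_connect_port_ok(allowed, port) ? " allowed\n" : " forbidden\n");
  return 0;
}
```

Treating a malformed entry the same as an empty setting means a typo in the configuration closes the tunnel rather than widening it.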

        
