----- Original Message -----
From: Issac Goldstand <[EMAIL PROTECTED]>
To: Geoffrey Young <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, July 10, 2001 3:58 PM
Subject: Re: detecting ssl


> > > > > -----Original Message-----
> > > > > From: Issac Goldstand [mailto:[EMAIL PROTECTED]]
> > > > > Sent: Tuesday, July 10, 2001 10:44 AM
> > > > > To: Geoffrey Young; 'João Pedro Gonçalves'; brian moseley
> > > > > Cc: [EMAIL PROTECTED]
> > > > > Subject: Re: detecting ssl
> > > > >
> > > > >
> > > > > Not necessarily.  I could easily set up any virtualhost on port 443
> > > > > which will be accessible by https://nasty.servername/ but will, in
> > > > > reality, not necessarily be over a secure connection.
> > > >
> > > > what would negotiate the https protocol then?  it's not like you can
> > > > just set up to listen on 443, make an http request, and Apache will
> > > > serve it - at least not through a browser or telnet.
> > >
> > > Of course it will!!!
> >
> > whoops, I meant an https request - of course you can listen on any port
> > you want for plain http.
>
> Then, you are correct.  Of course you could simply just pipe the telnet
> session through stunnel, or openssl, or whatever - and work something out
> like that.  But the point is, then it really IS an HTTP request going over
> SSL, so mod_ssl will jump in and set $ENV{HTTPS} anyway, so that really
> doesn't say anything.
>
> > [snip]
> >
> > > Also,
> > > if I'd use a
> > > simple client that just used https as port 443 without
> > > automatically trying
> > > to use a secure layer (which is actually proper...), I could even grab
> > > https:// from the URI request.
> >
> > ok, I'm not claiming to be an ssl expert, so how would one do that?  if
> > I do
> >
> > telnet my.ssl-enabled.server 443
> > GET / HTTP/1.0
> >
> > I get 400 - BAD_REQUEST.  something has to negotiate the https layer,
> > no?
>
> Of course.  My point is that just because the server's listening on port
> 443, it doesn't necessarily mean it's using SSL.  That's where the danger
> is.  By checking for $ENV{HTTPS}, you are eliminating that danger by
> actually checking whether the individual requests are occurring over a
> secure layer, rather than counting on the server and client to do what you
> would expect them to - which is the worst mistake that we, as programmers,
> can afford to make... :-)
>
> > I've been searching for documentation, but all I can find is the TLS
> > spec, which says that TLS is relegated to the scheme of 'https', so
> > pointers to something useful would probably be good (for all :)
>
> Umm...  If the RFCs aren't helpful, you can try fooling around with (and
> reading the man page for) openssl's s_client mode...
>
>   Issac
>
> PGP Key 0xE0FA561B - Fingerprint:
> 7E18 C018 D623 A57B 7F37 D902 8C84 7675 E0FA 561B
>
>

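As an added example (my own code, not anything posted in this thread): a mod_perl 1.x access handler that enforces the point made above by checking the per-request HTTPS variable that mod_ssl sets, instead of trusting the port the request arrived on. The package name My::RequireSSL, the <Location> block and the redirect-or-forbid policy are my own choices, not something from the thread.

```perl
package My::RequireSSL;
# Added example, not from the thread: refuse to serve a request unless
# mod_ssl reports that it actually arrived over SSL.
#
# Hook it up in httpd.conf (my assumed location, adjust as needed):
#
#   <Location /secure>
#       PerlAccessHandler My::RequireSSL
#   </Location>
use strict;
use Apache::Constants qw(OK FORBIDDEN REDIRECT);

sub handler {
    my $r = shift;

    # Per-request check: mod_ssl sets the HTTPS subprocess env var on
    # requests that came in over SSL. %ENV is only populated from this
    # table later in the request cycle, so in an access handler ask the
    # request object directly rather than looking at $ENV{HTTPS}.
    my $https = $r->subprocess_env('HTTPS') || '';
    return OK if lc($https) eq 'on';

    # What NOT to rely on: the port. A vhost listening on 443 without
    # SSLEngine on happily answers plain HTTP there, which is exactly
    # the case the thread warns about, so we only mention it in the log.
    my $port = $r->get_server_port;
    $r->log_error(sprintf "non-SSL request for %s on port %d (HTTPS=%s)%s",
                  $r->uri, $port, $https || 'unset',
                  $port == 443 ? ' - port 443 but no SSL layer' : '');

    # For idempotent requests, bounce the client to the https:// form of
    # the same URL. For anything else refuse outright: a redirect would
    # silently drop a POST body that has already crossed the wire in clear.
    if ($r->method eq 'GET' || $r->method eq 'HEAD') {
        my $url = 'https://' . $r->hostname . $r->uri;
        my $qs  = $r->args;
        $url .= '?' . $qs if defined $qs && length $qs;
        $r->headers_out->set(Location => $url);
        return REDIRECT;
    }
    return FORBIDDEN;
}

1;
```

The handler runs in the access phase, before any content handler sees the request, so a misconfigured vhost on 443 cannot leak protected content just because the client typed https://. The telnet-to-443 experiment from the thread (a plain "GET / HTTP/1.0" against an SSL-enabled vhost) never reaches this code at all, since mod_ssl rejects it with a 400 first; the handler is there for the other case, a vhost on 443 that is not running SSL.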