Hello,

It seems that SSLRequireSSL prevents TLS Upgrade from working at all, or I got something wrong. Still, I have not been able to find out how to force TLS Upgrade on an SSLEngine optional... If I use SSLRequireSSL, Apache will properly return 426 whenever a client performs an unencrypted request, but that will block the TLS Upgrade request itself too (since it is not encrypted either).

I've tried that but that does not seem to work either (plus I am not
sure if allowing unencrypted OPTIONS is actually safe):

<LimitExcept OPTIONS>
    SSLRequireSSL
</LimitExcept>

This is a sample:

OPTIONS * HTTP/1.1
Host: www.example.com
Upgrade: TLS/1.0
Connection: Upgrade

HTTP/1.1 426 Upgrade Required
Date: Fri, 16 Feb 2007 18:54:30 GMT
Server: Apache/2.2
Upgrade: TLS/1.0, HTTP/1.1
Connection: Upgrade
Content-Length: 459
...

Has anyone been able to work around this chicken-and-egg problem?
Regards,
--
Rémi Denis-Courmont
http://www.remlab.net/
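
Added example, not part of the original message: a small Python check that tells the 426 reply quoted above apart from the 101 Switching Protocols reply that RFC 2817 defines for an accepted TLS upgrade. The function names and the 101 sample are constructed for illustration; the 426 headers are copied from the post.

```python
# Added example: classify the reply to an RFC 2817 "Upgrade: TLS/1.0" request.
# Request as in the post, serialized with CRLF line endings.
UPGRADE_REQUEST = (
    b"OPTIONS * HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n"
)
# Reply headers copied from the post (body omitted).
REPLY_426 = (
    b"HTTP/1.1 426 Upgrade Required\r\nDate: Fri, 16 Feb 2007 18:54:30 GMT\r\n"
    b"Server: Apache/2.2\r\nUpgrade: TLS/1.0, HTTP/1.1\r\n"
    b"Connection: Upgrade\r\nContent-Length: 459\r\n\r\n"
)
# Constructed sample: the reply RFC 2817 defines when the upgrade is accepted.
REPLY_101 = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n"
)

def parse_head(raw):
    """Return (status_code, headers) from the head of an HTTP/1.1 response."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            key, value = name.strip().lower(), value.strip()
            # Repeated headers are joined, as HTTP allows for list-valued fields.
            headers[key] = headers[key] + ", " + value if key in headers else value
    return int(parts[1]), headers

def tokens(value):
    """Split a comma-separated header value into lower-cased tokens."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]

def classify_upgrade_reply(raw):
    status, headers = parse_head(raw)
    offers_tls = "tls/1.0" in tokens(headers.get("upgrade", ""))
    conn_upgrade = "upgrade" in tokens(headers.get("connection", ""))
    if status == 101 and offers_tls and conn_upgrade:
        return "accepted"     # TLS handshake follows on the same connection
    if status == 426:
        return "refused-426"  # the case in the post: the upgrade request itself is rejected
    return "ignored"          # any other status: the exchange continues in cleartext

if __name__ == "__main__":
    for name, reply in (("post", REPLY_426), ("constructed 101", REPLY_101)):
        print(name, "->", classify_upgrade_reply(reply))
```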
