Re: detecting ssl

2001-07-13 Thread brian moseley


is checking for $ENV{HTTPS} not sufficient?

On Tue, 10 Jul 2001, João Pedro Gonçalves wrote:

 This approach should be ok:

 my $s = $r->lookup_uri($r->uri);
 my $ssl = $s->subprocess_env('HTTPS');

 I looked at this a while back and this is usually set internally
 in apache by the ssl implementation.

 João Pedro

 brian moseley wrote:
 
  warning: these may be silly questions. but i've looked
  through the guide and not found the answers, so hopefully
  they're not that silly.
 
  how can i test in a content handler if the request was
  received over an ssl connection? do i have to look for an
  environment variable? is there a test that works with all
  the various ssl modules? is there a standard ssl
  interface? if so, where is it documented?
 
  thanks!





Re: detecting ssl

2001-07-12 Thread Issac Goldstand

 On Thu, 12 Jul 2001, Issac Goldstand wrote:

 
IG == Issac Goldstand [EMAIL PROTECTED] writes:
  
   IG Not necessarily.  I could easily set up any virtualhost on port
   IG 443 which will be accessible by https://nasty.servername/ but
   IG will, in reality, not necessarily be over a secure connection.
  
   I think you've never actually tried this.  You will not get the page
   because the client is expecting SSL and you're not providing it.  Try
   it.  Go ahead, try it.
  
 
  I did.  Look at my follow-up to Geoffrey's response to the post you're
  quoting for details... It worked from most simple clients...

 your most simple clients example did the same as accessing
 http://nasty.servername:443/.

 That's about as different from https:// as if you had shown that
 stuff on port 443 can be other stuff than HTTP over SSL by
 installing an ftp server on that port.

  Some clients, like Netscape and MSIE think that they're smarter
  than the servers, though, and incorrectly assume they know
  whether to go secure or not.

 They don't assume, you tell them what transport method to use by
 using https:// or http://.

OK.  Let me see if I can explain myself a bit better.  You're all correct
that by entering an https:// scheme the _intention_ is to advise the browser
to use a secure layer - which most common browsers do.  My point is not that
this is not what should happen, but rather that in many situations the
programmer cannot know in advance what kind of weird server setups may be in
use, and cannot know what kind of client will be accessing them.  The fact
that my simple browsers just did telnet server 443 is EXACTLY the point
I'm trying to make.  In order to ensure that an SSL layer is actually
active, checking the port OR scheme is not enough.  You must actually
query for the presence of the layer itself, which mod_ssl conveniently
provides a means to do by giving us $ENV{HTTPS}.

  Issac

PGP Key 0xE0FA561B - Fingerprint:
7E18 C018 D623 A57B 7F37 D902 8C84 7675 E0FA 561B




Re: detecting ssl

2001-07-12 Thread Vivek Khera

 IG == Issac Goldstand [EMAIL PROTECTED] writes:

IG I did.  Look at my follow-up to Geoffrey's response to the post you're
IG quoting for details... It worked from most simple clients...

Then those clients are wrong.  You're requesting SSL when you say
https://whatver/.   You should get SSL in that case.

IG Some clients, like Netscape and MSIE think that they're smarter than the
IG servers, though, and incorrectly assume they know whether to go secure or

They are correct, IMO, because you asked for an https connection.  To
do otherwise would be to violate the POLA.



RE: detecting ssl

2001-07-11 Thread Webmaster


- Original Message -
From: Issac Goldstand [EMAIL PROTECTED]
To: Geoffrey Young [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, July 10, 2001 3:58 PM
Subject: Re: detecting ssl


 -Original Message-
 From: Issac Goldstand [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, July 10, 2001 10:44 AM
 To: Geoffrey Young; 'João Pedro Gonçalves'; brian moseley
 Cc: [EMAIL PROTECTED]
 Subject: Re: detecting ssl


 Not necessarily.  I could easily set up any virtualhost on
 port 443 which
 will be accessible by https://nasty.servername/ but will, in
 reality, not
 necessarily be over a secure connection.
   
what would negotiate the https protocol then?  its not like
   you can just
   set
up to listen on 443, make
an http request, and Apache will serve it - at least not through a
   browser
or telnet.
  
   Of course it will!!!
 
  whoops, I meant an https request - of course you can listen on any port
 you
  want for plain http.

 Then, you are correct.  Of course you could simply just pipe the telnet
 session through stunnel, or openssl, or whatever - and work something out
 like that.  But the point is, then it really IS an HTTP request going over
 SSL, so mod_ssl will jump in and set $ENV{HTTPS} anyway, so that really
 doesn't say anything.

  [snip]
 
   Also,
   if I'd use a
   simple client that just used https as port 443 without
   automatically trying
   to use a secure layer (which is actually proper...), I could even grab
   https:// from the URI request.
 
  ok, I'm not claiming to be an ssl expert, so how would one do that?  if
I
 do
 
  telnet my.ssl-enabled.server 443
  GET / HTTP/1.0
 
  I get 400 - BAD_REQUEST.  something has to negotiate the https layer,
no?

 Of course.  My point is that just because the server's listening on port
 443, it doesn't necessarily mean it's using SSL.  That's where the danger
 is.  By checking for $ENV{HTTPS}, you are eliminating that danger by
 actually checking whether the individual requests are occurring over a
secure
 layer, rather than counting on the server and client to do what you would
 expect them to - which is the worst mistake that we, as programmers, can
 afford to make... :-)

  I've been searching for documentation, but all I can find is the TLS
spec,
  which says that TLS is relegated to the scheme of 'https', so pointers
to
  something useful would probably be good (for all :)

 Umm...  If the RFCs aren't helpful, you can try fooling around with (and
 reading the man page for) openssl's s_client mode...

   Issac

 PGP Key 0xE0FA561B - Fingerprint:
 7E18 C018 D623 A57B 7F37 D902 8C84 7675 E0FA 561B







Re: detecting ssl

2001-07-11 Thread David Young

I agree with Vivek. With an URL in the format:

protocol://hostname:port

The browser will use protocol to connect to hostname on port. If you
don't specify port, then the browser will pick the default port for
protocol, but if the server is not serving the specified protocol on the
default port, you won't get anywhere.

 From: Vivek Khera [EMAIL PROTECTED]
 Organization: Khera Communications, Inc., Rockville, MD
 Newsgroups: ml.apache.modperl
 Date: 11 Jul 2001 15:17:11 -0400
 To: [EMAIL PROTECTED]
 Subject: Re: detecting ssl
 
 IG == Issac Goldstand [EMAIL PROTECTED] writes:
 
 IG Not necessarily.  I could easily set up any virtualhost on port
 IG 443 which will be accessable by https://nasty.servername/ but
 IG will, in reality, not necessarily be over a secure connection.
 
 I think you've never actually tried this.  You will not get the page
 because the client is expecting SSL and you're not providing it.  Try
 it.  Go ahead, try it.
 
 -- 
 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Vivek Khera, Ph.D.                Khera Communications, Inc.
 Internet: [EMAIL PROTECTED]       Rockville, MD       +1-240-453-8497
 AIM: vivekkhera  Y!: vivek_khera  http://www.khera.org/~vivek/
 




detecting ssl

2001-07-10 Thread brian moseley


warning: these may be silly questions. but i've looked
through the guide and not found the answers, so hopefully
they're not that silly.

how can i test in a content handler if the request was
received over an ssl connection? do i have to look for an
environment variable? is there a test that works with all
the various ssl modules? is there a standard ssl
interface? if so, where is it documented?

thanks!




Re: detecting ssl

2001-07-10 Thread João Pedro Gonçalves

This approach should be ok:

my $s = $r->lookup_uri($r->uri);
my $ssl = $s->subprocess_env('HTTPS');

I looked at this a while back and this is usually set internally
in apache by the ssl implementation.

João Pedro

brian moseley wrote:
 
 warning: these may be silly questions. but i've looked
 through the guide and not found the answers, so hopefully
 they're not that silly.
 
 how can i test in a content handler if the request was
 received over an ssl connection? do i have to look for an
 environment variable? is there a test that works with all
 the various ssl modules? is there a standard ssl
 interface? if so, where is it documented?
 
 thanks!



RE: detecting ssl

2001-07-10 Thread Geoffrey Young



 -Original Message-
 From: João Pedro Gonçalves [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, July 10, 2001 9:08 AM
 To: brian moseley
 Cc: [EMAIL PROTECTED]
 Subject: Re: detecting ssl
 
 
 This approach should be ok:
 
 my $s = $r->lookup_uri($r->uri);
 my $ssl = $s->subprocess_env('HTTPS');
 
 I looked at this a while back and this is usually set internally
 in apache by the ssl implementation.

no need to do a lookup or rely on PerlSetupEnv On I wouldn't think...

my $ssl = Apache::URI->parse($r)->scheme =~ m/^https/;

?

--Geoff 



Re: detecting ssl

2001-07-10 Thread Issac Goldstand

Not necessarily.  I could easily set up any virtualhost on port 443 which
will be accessible by https://nasty.servername/ but will, in reality, not
necessarily be over a secure connection.  $ENV{HTTPS}, on the other hand, is
set by mod_ssl, and is therefore a better sign to know that the connection
is really secure.

  Issac

Internet is a wonderful mechanism for making a fool of
yourself in front of a very large audience.
  --Anonymous

Moving the mouse won't get you into trouble...  Clicking it might.
  --Anonymous

PGP Key 0xE0FA561B - Fingerprint:
7E18 C018 D623 A57B 7F37 D902 8C84 7675 E0FA 561B

- Original Message -
From: Geoffrey Young [EMAIL PROTECTED]
To: 'João Pedro Gonçalves' [EMAIL PROTECTED]; brian moseley
[EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, July 10, 2001 14:33
Subject: RE: detecting ssl




  -Original Message-
  From: João Pedro Gonçalves [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, July 10, 2001 9:08 AM
  To: brian moseley
  Cc: [EMAIL PROTECTED]
  Subject: Re: detecting ssl
 
 
  This approach should be ok:
 
  my $s = $r->lookup_uri($r->uri);
  my $ssl = $s->subprocess_env('HTTPS');
 
  I looked at this a while back and this is usually set internally
  in apache by the ssl implementation.

 no need to do a lookup or rely on PerlSetupEnv On I wouldn't think...

 my $ssl = Apache::URI->parse($r)->scheme =~ m/^https/;

 ?

 --Geoff





Re: detecting ssl

2001-07-10 Thread Perrin Harkins

 no need to do a lookup or rely on PerlSetupEnv On I wouldn't think...

 my $ssl = Apache::URI->parse($r)->scheme =~ m/^https/;

Or maybe just look at the port # of the request.
- Perrin




RE: detecting ssl

2001-07-10 Thread Joe Breeden

Looking at the port number still doesn't ensure that the request is an SSL
request. I believe the mention of looking at $ENV{HTTPS} is the best course,
as that is set when the connection is an SSL connection and not just a
connection to port 443.

--Joe Breeden

--
Sent from my Outlook 2000 Wired Deskheld (www.microsoft.com)


 -Original Message-
 From: Perrin Harkins [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, July 10, 2001 8:50 AM
 To: brian moseley
 Cc: [EMAIL PROTECTED]
 Subject: Re: detecting ssl
 
 
  no need to do a lookup or rely on PerlSetupEnv On I 
 wouldn't think...
 
  my $ssl = Apache::URI->parse($r)->scheme =~ m/^https/;
 
 Or maybe just look at the port # of the request.
 - Perrin
 



RE: detecting ssl

2001-07-10 Thread Geoffrey Young



 -Original Message-
 From: Issac Goldstand [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, July 10, 2001 10:44 AM
 To: Geoffrey Young; 'João Pedro Gonçalves'; brian moseley
 Cc: [EMAIL PROTECTED]
 Subject: Re: detecting ssl
 
 
 Not necessarily.  I could easily set up any virtualhost on 
 port 443 which
 will be accessible by https://nasty.servername/ but will, in 
 reality, not
 necessarily be over a secure connection.  

what would negotiate the https protocol then?  it's not like you can just set
up to listen on 443, make
an http request, and Apache will serve it - at least not through a browser
or telnet.  

but maybe there are ways to spoof the SSL layer?

 $ENV{HTTPS}, on the 
 other hand, is
 set by mod_ssl, and is therefore a better sign to know that 
 the connection
 is really secure.

that's good to know... thanks

--Geoff



Re: detecting ssl

2001-07-10 Thread Issac Goldstand

  -Original Message-
  From: Issac Goldstand [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, July 10, 2001 10:44 AM
  To: Geoffrey Young; 'João Pedro Gonçalves'; brian moseley
  Cc: [EMAIL PROTECTED]
  Subject: Re: detecting ssl
 
 
  Not necessarily.  I could easily set up any virtualhost on
  port 443 which
  will be accessible by https://nasty.servername/ but will, in
  reality, not
  necessarily be over a secure connection.

 what would negotiate the https protocol then?  its not like you can just
set
 up to listen on 443, make
 an http request, and Apache will serve it - at least not through a
browser
 or telnet.

Of course it will!!!  To prove it, I set up a relatively simple Apache
server with the following httpd.conf file.  (I'm not sure how much I can cut
down the httpd.conf file, so there's probably still excess baggage here...)

-

ServerType standalone
ServerRoot /usr/local/httpd
PidFile /usr/local/httpd/logs/httpd.pid
ScoreBoardFile /usr/local/httpd/logs/httpd.scoreboard
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 2
MaxSpareServers 6
StartServers 4
MaxClients 50
MaxRequestsPerChild 200
Port 443
Listen 443
User www
Group www
ServerAdmin [EMAIL PROTECTED]
ServerName some.domain.com
DocumentRoot /usr/local/httpd/htdocs
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /usr/local/httpd/htdocs>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
AccessFileName .htaccess
DefaultType text/plain

-

Then, I did telnet some.domain.com 443...

-

HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 10 Jul 2001 15:54:47 GMT
Server: Apache/1.3.20 (Unix) mod_perl/1.25 PHP/4.0.4pl1
Connection: close
Content-Type: text/html

-

Now, if I'd have checked the port, I'd be in trouble.  Also, if I'd use a
simple client that just used https as port 443 without automatically trying
to use a secure layer (which is actually proper...), I could even grab
https:// from the URI request.

The ONLY safe way, is to use mod_ssl to tell you you're using it.  Consider
a comparison: assuming you're using mod_perl by grepping the server info for
mod_perl/x.xx rather than checking $ENV{MOD_PERL}

  Issac
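The handler below is an added example written for this thread; it is not code from the thread, from mod_perl or from mod_ssl. It is a mod_perl 1.x content handler that evaluates the three signals argued about here side by side (the server port, the scheme of the request URI, and the HTTPS variable that mod_ssl puts into the request's subprocess_env) and trusts only the last one, so that against the port-443-without-mod_ssl server in the httpd.conf above a plain telnet request is logged and refused. The package name My::SSLProbe and the /ssl-probe location are assumptions; $r->subprocess_env, $r->get_server_port, $r->log_error, $r->send_http_header and Apache::URI->parse are the mod_perl 1 request API.

```perl
# Added example for the "detecting ssl" thread (not mod_perl/mod_ssl code).
# Assumed deployment, in httpd.conf:
#   PerlModule My::SSLProbe
#   <Location /ssl-probe>
#       SetHandler perl-script
#       PerlHandler My::SSLProbe
#   </Location>
package My::SSLProbe;

use strict;
use Apache::Constants qw(OK FORBIDDEN);
use Apache::URI ();

# The only trustworthy signal: mod_ssl's fixup phase sets HTTPS=on in the
# request's subprocess_env before the content handler runs, and it does so
# only for requests that really arrived through its SSL layer. Reading it
# via $r works even when PerlSetupEnv is Off and %ENV is not populated.
sub is_ssl_request {
    my $r = shift;
    my $https = $r->subprocess_env('HTTPS');
    return (defined $https && lc($https) eq 'on') ? 1 : 0;
}

# Weak signal 1: the listening port. Issac's httpd.conf above serves plain
# HTTP on 443, so this is true there although no SSL layer exists.
sub port_says_ssl {
    my $r = shift;
    return ($r->get_server_port == 443) ? 1 : 0;
}

# Weak signal 2: the scheme of the request URI. It only records what the
# client wrote, and for an ordinary request line ("GET / HTTP/1.0") there is
# no scheme at all, so this is undef-safe and usually false.
sub scheme_says_ssl {
    my $r = shift;
    my $scheme = Apache::URI->parse($r)->scheme;
    return (defined $scheme && $scheme =~ /^https$/i) ? 1 : 0;
}

sub handler {
    my $r = shift;

    my %signal = (
        port    => port_says_ssl($r),
        scheme  => scheme_says_ssl($r),
        mod_ssl => is_ssl_request($r),
    );

    # Refuse to hand anything out unless the SSL layer is actually present,
    # whatever the port and the URI scheme happen to say.
    unless ($signal{mod_ssl}) {
        $r->log_error("refusing non-SSL request for " . $r->uri
            . " (port=$signal{port} scheme=$signal{scheme} mod_ssl=0)");
        return FORBIDDEN;
    }

    $r->send_http_header('text/plain');
    $r->print("port=$signal{port} scheme=$signal{scheme} "
            . "mod_ssl=$signal{mod_ssl}\n");
    return OK;
}

1;
```

Through a real mod_ssl virtual host the same request reports mod_ssl=1 and is served; on the plain-HTTP-on-443 server from the httpd.conf above it reports port=1 but mod_ssl=0 and gets a 403, which is exactly the case a port or scheme check would have let through. With PerlSetupEnv On (the mod_perl 1 default) $ENV{HTTPS} mirrors the same subprocess_env value, so a handler may read either one, but the subrequest from $r->lookup_uri is not needed: the fixup phase has already run on $r itself.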




RE: detecting ssl

2001-07-10 Thread Geoffrey Young



 -Original Message-
 From: Issac Goldstand [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, July 10, 2001 1:07 PM
 To: Geoffrey Young
 Cc: [EMAIL PROTECTED]
 Subject: Re: detecting ssl
 
 
   -Original Message-
   From: Issac Goldstand [mailto:[EMAIL PROTECTED]]
   Sent: Tuesday, July 10, 2001 10:44 AM
   To: Geoffrey Young; 'João Pedro Gonçalves'; brian moseley
   Cc: [EMAIL PROTECTED]
   Subject: Re: detecting ssl
  
  
   Not necessarily.  I could easily set up any virtualhost on
   port 443 which
   will be accessible by https://nasty.servername/ but will, in
   reality, not
   necessarily be over a secure connection.
 
  what would negotiate the https protocol then?  its not like 
 you can just
 set
  up to listen on 443, make
  an http request, and Apache will serve it - at least not through a
 browser
  or telnet.
 
 Of course it will!!!  

whoops, I meant an https request - of course you can listen on any port you
want for plain http.

[snip]

 Also, 
 if I'd use a
 simple client that just used https as port 443 without 
 automatically trying
 to use a secure layer (which is actually proper...), I could even grab
 https:// from the URI request.

ok, I'm not claiming to be an ssl expert, so how would one do that?  if I do

telnet my.ssl-enabled.server 443
GET / HTTP/1.0

I get 400 - BAD_REQUEST.  something has to negotiate the https layer, no?

I've been searching for documentation, but all I can find is the TLS spec,
which says that TLS is relegated to the scheme of 'https', so pointers to
something useful would probably be good (for all :)

 
 The ONLY safe way, is to use mod_ssl to tell you you're using 
 it.  Consider
 a comparison: assuming you're using mod_perl by grepping the 
 server info for
 mod_perl/x.xx rather than checking $ENV{MOD_PERL}

understood

--Geoff 



Re: detecting ssl

2001-07-10 Thread Issac Goldstand

-Original Message-
From: Issac Goldstand [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 10, 2001 10:44 AM
To: Geoffrey Young; 'João Pedro Gonçalves'; brian moseley
Cc: [EMAIL PROTECTED]
Subject: Re: detecting ssl
   
   
Not necessarily.  I could easily set up any virtualhost on
port 443 which
will be accessible by https://nasty.servername/ but will, in
reality, not
necessarily be over a secure connection.
  
   what would negotiate the https protocol then?  its not like
  you can just
  set
   up to listen on 443, make
   an http request, and Apache will serve it - at least not through a
  browser
   or telnet.
 
  Of course it will!!!

 whoops, I meant an https request - of course you can listen on any port
you
 want for plain http.

Then, you are correct.  Of course you could simply just pipe the telnet
session through stunnel, or openssl, or whatever - and work something out
like that.  But the point is, then it really IS an HTTP request going over
SSL, so mod_ssl will jump in and set $ENV{HTTPS} anyway, so that really
doesn't say anything.

 [snip]

  Also,
  if I'd use a
  simple client that just used https as port 443 without
  automatically trying
  to use a secure layer (which is actually proper...), I could even grab
  https:// from the URI request.

 ok, I'm not claiming to be an ssl expert, so how would one do that?  if I
do

 telnet my.ssl-enabled.server 443
 GET / HTTP/1.0

 I get 400 - BAD_REQUEST.  something has to negotiate the https layer, no?

Of course.  My point is that just because the server's listening on port
443, it doesn't necessarily mean it's using SSL.  That's where the danger
is.  By checking for $ENV{HTTPS}, you are eliminating that danger by
actually checking whether the individual requests are occurring over a secure
layer, rather than counting on the server and client to do what you would
expect them to - which is the worst mistake that we, as programmers, can
afford to make... :-)

 I've been searching for documentation, but all I can find is the TLS spec,
 which says that TLS is relegated to the scheme of 'https', so pointers to
 something useful would probably be good (for all :)

Umm...  If the RFCs aren't helpful, you can try fooling around with (and
reading the man page for) openssl's s_client mode...

  Issac

PGP Key 0xE0FA561B - Fingerprint:
7E18 C018 D623 A57B 7F37 D902 8C84 7675 E0FA 561B



