Re: detecting ssl
is checking for $ENV{HTTPS} not sufficient?

On Tue, 10 Jul 2001, João Pedro Gonçalves wrote:

> This approach should be ok:
>
>   my $s = $r->lookup_uri($r->uri);
>   my $ssl = $s->subprocess_env('HTTPS');
>
> I looked at this a while back and this is usually set internally in apache by the ssl implementation.
>
> João Pedro
>
> brian moseley wrote:
>
> > warning: these may be silly questions. but i've looked through the guide and not found the answers, so hopefully they're not that silly.
> >
> > how can i test in a content handler if the request was received over an ssl connection? do i have to look for an environment variable? is there a test that works with all the various ssl modules? is there a standard ssl interface? if so, where is it documented?
> >
> > thanks!
Re: detecting ssl
> On Thu, 12 Jul 2001, Issac Goldstand wrote:
>
> > > IG == Issac Goldstand [EMAIL PROTECTED] writes:
> > >
> > > IG> Not necessarily. I could easily set up any virtualhost on port
> > > IG> 443 which will be accessible by https://nasty.servername/ but
> > > IG> will, in reality, not necessarily be over a secure connection.
> > >
> > > I think you've never actually tried this. You will not get the page because the client is expecting SSL and you're not providing it. Try it. Go ahead, try it.
> >
> > I did. Look at my follow-up to Geoffrey's response to the post you're quoting for details... It worked from most simple clients...
>
> your most simple clients example did the same as accessing http://nasty.servername:443/. That's about as different from https:// as if you had shown that stuff on port 443 can be other stuff than HTTP over SSL by installing an ftp server on that port.
>
> > Some clients, like Netscape and MSIE think that they're smarter than the servers, though, and incorrectly assume they know whether to go secure or not.
>
> They don't assume, you tell them what transport method to use by using https:// or http://.

OK. Let me see if I can explain myself a bit better. You're all correct that by entering an https:// scheme the _intention_ is to advise the browser to use a secure layer - which most common browsers do. My point is not that this is not what should happen, but rather that in many situations the programmer cannot know in advance what kind of weird server setups may be in use, and cannot know what kind of client will be accessing them. The fact that my simple browsers just did telnet server 443 is EXACTLY the point I'm trying to make. In order to ensure that an SSL layer is actually active, checking the port OR scheme is not enough. You must actually query for the presence of the layer itself, which mod_ssl conveniently provides a means to do by giving us $ENV{HTTPS}.

Issac

PGP Key 0xE0FA561B - Fingerprint: 7E18 C018 D623 A57B 7F37 D902 8C84 7675 E0FA 561B
Re: detecting ssl
IG == Issac Goldstand [EMAIL PROTECTED] writes:

IG> I did. Look at my follow-up to Geoffrey's response to the post you're
IG> quoting for details... It worked from most simple clients...

Then those clients are wrong. You're requesting SSL when you say https://whatever/. You should get SSL in that case.

IG> Some clients, like Netscape and MSIE think that they're smarter than the
IG> servers, though, and incorrectly assume they know whether to go secure or

They are correct, IMO, because you asked for an https connection. To do otherwise would be to violate the POLA.
RE: detecting ssl
----- Original Message -----
From: Issac Goldstand [EMAIL PROTECTED]
To: Geoffrey Young [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, July 10, 2001 3:58 PM
Subject: Re: detecting ssl

> > > > -----Original Message-----
> > > > From: Issac Goldstand [mailto:[EMAIL PROTECTED]]
> > > > Sent: Tuesday, July 10, 2001 10:44 AM
> > > > To: Geoffrey Young; 'João Pedro Gonçalves'; brian moseley
> > > > Cc: [EMAIL PROTECTED]
> > > > Subject: Re: detecting ssl
> > > >
> > > > > Not necessarily. I could easily set up any virtualhost on port 443 which will be accessible by https://nasty.servername/ but will, in reality, not necessarily be over a secure connection.
> > > >
> > > > what would negotiate the https protocol then? its not like you can just set up to listen on 443, make an http request, and Apache will serve it - at least not through a browser or telnet.
> >
> > Of course it will!!!
>
> whoops, I meant an https request - of course you can listen on any port you want for plain http.

Then, you are correct. Of course you could simply just pipe the telnet session through stunnel, or openssl, or whatever - and work something out like that. But the point is, then it really IS an HTTP request going over SSL, so mod_ssl will jump in and set $ENV{HTTPS} anyway, so that really doesn't say anything.

> [snip]
>
> > Also, if I'd use a simple client that just used https as port 443 without automatically trying to use a secure layer (which is actually proper...), I could even grab https:// from the URI request.
>
> ok, I'm not claiming to be an ssl expert, so how would one do that? if I do
>
>   telnet my.ssl-enabled.server 443
>   GET / HTTP/1.0
>
> I get 400 - BAD_REQUEST. something has to negotiate the https layer, no?

Of course. My point is that just because the server's listening on port 443, it doesn't necessarily mean it's using SSL. That's where the danger is. By checking for $ENV{HTTPS}, you are eliminating that danger by actually checking whether the individual requests are occurring over a secure layer, rather than counting on the server and client to do what you would expect them to - which is the worst mistake that we, as programmers, can afford to make... :-)

> I've been searching for documentation, but all I can find is the TLS spec, which says that TLS is relegated to the scheme of 'https', so pointers to something useful would probably be good (for all :)

Umm... If the RFCs aren't helpful, you can try fooling around with (and reading the man page for) openssl's s_client mode...

Issac

PGP Key 0xE0FA561B - Fingerprint: 7E18 C018 D623 A57B 7F37 D902 8C84 7675 E0FA 561B
Re: detecting ssl
I agree with Vivek. With a URL in the format:

  protocol://hostname:port

The browser will use protocol to connect to hostname on port. If you don't specify port, then the browser will pick the default port for protocol, but if the server is not serving the specified protocol on the default port, you won't get anywhere.

> From: Vivek Khera [EMAIL PROTECTED]
> Organization: Khera Communications, Inc., Rockville, MD
> Newsgroups: ml.apache.modperl
> Date: 11 Jul 2001 15:17:11 -0400
> To: [EMAIL PROTECTED]
> Subject: Re: detecting ssl
>
> IG == Issac Goldstand [EMAIL PROTECTED] writes:
>
> IG> Not necessarily. I could easily set up any virtualhost on port
> IG> 443 which will be accessible by https://nasty.servername/ but
> IG> will, in reality, not necessarily be over a secure connection.
>
> I think you've never actually tried this. You will not get the page because the client is expecting SSL and you're not providing it. Try it. Go ahead, try it.
>
> --
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Vivek Khera, Ph.D.                Khera Communications, Inc.
> Internet: [EMAIL PROTECTED]       Rockville, MD       +1-240-453-8497
> AIM: vivekkhera Y!: vivek_khera   http://www.khera.org/~vivek/
detecting ssl
warning: these may be silly questions. but i've looked through the guide and not found the answers, so hopefully they're not that silly.

how can i test in a content handler if the request was received over an ssl connection? do i have to look for an environment variable? is there a test that works with all the various ssl modules? is there a standard ssl interface? if so, where is it documented?

thanks!
Re: detecting ssl
This approach should be ok:

  my $s = $r->lookup_uri($r->uri);
  my $ssl = $s->subprocess_env('HTTPS');

I looked at this a while back and this is usually set internally in apache by the ssl implementation.

João Pedro

brian moseley wrote:

> warning: these may be silly questions. but i've looked through the guide and not found the answers, so hopefully they're not that silly.
>
> how can i test in a content handler if the request was received over an ssl connection? do i have to look for an environment variable? is there a test that works with all the various ssl modules? is there a standard ssl interface? if so, where is it documented?
>
> thanks!
RE: detecting ssl
> -----Original Message-----
> From: João Pedro Gonçalves [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 10, 2001 9:08 AM
> To: brian moseley
> Cc: [EMAIL PROTECTED]
> Subject: Re: detecting ssl
>
> This approach should be ok:
>
>   my $s = $r->lookup_uri($r->uri);
>   my $ssl = $s->subprocess_env('HTTPS');
>
> I looked at this a while back and this is usually set internally in apache by the ssl implementation.

no need to do a lookup or rely on PerlSetupEnv On I wouldn't think...

  my $ssl = Apache::URI->parse($r)->scheme =~ m/^https/;

?

--Geoff
Re: detecting ssl
Not necessarily. I could easily set up any virtualhost on port 443 which will be accessible by https://nasty.servername/ but will, in reality, not necessarily be over a secure connection. $ENV{HTTPS}, on the other hand, is set by mod_ssl, and is therefore a better sign to know that the connection is really secure.

Issac

Internet is a wonderful mechanism for making a fool of yourself in front of a very large audience. --Anonymous
Moving the mouse won't get you into trouble... Clicking it might. --Anonymous

PGP Key 0xE0FA561B - Fingerprint: 7E18 C018 D623 A57B 7F37 D902 8C84 7675 E0FA 561B

----- Original Message -----
From: Geoffrey Young [EMAIL PROTECTED]
To: 'João Pedro Gonçalves' [EMAIL PROTECTED]; brian moseley [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, July 10, 2001 14:33
Subject: RE: detecting ssl

> -----Original Message-----
> From: João Pedro Gonçalves [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 10, 2001 9:08 AM
> To: brian moseley
> Cc: [EMAIL PROTECTED]
> Subject: Re: detecting ssl
>
> This approach should be ok:
>
>   my $s = $r->lookup_uri($r->uri);
>   my $ssl = $s->subprocess_env('HTTPS');
>
> I looked at this a while back and this is usually set internally in apache by the ssl implementation.

no need to do a lookup or rely on PerlSetupEnv On I wouldn't think...

  my $ssl = Apache::URI->parse($r)->scheme =~ m/^https/;

?

--Geoff
Re: detecting ssl
> no need to do a lookup or rely on PerlSetupEnv On I wouldn't think...
>
>   my $ssl = Apache::URI->parse($r)->scheme =~ m/^https/;

Or maybe just look at the port # of the request.

- Perrin
RE: detecting ssl
Looking at the port number still doesn't ensure that the request is an SSL request. I believe the mention to looking at $ENV{HTTPS} is the best course as that is set when the connection is an SSL connection and not just a connection to port 443.

--Joe Breeden

-- Sent from my Outlook 2000 Wired Deskheld (www.microsoft.com)

> -----Original Message-----
> From: Perrin Harkins [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 10, 2001 8:50 AM
> To: brian moseley
> Cc: [EMAIL PROTECTED]
> Subject: Re: detecting ssl
>
> > no need to do a lookup or rely on PerlSetupEnv On I wouldn't think...
> >
> >   my $ssl = Apache::URI->parse($r)->scheme =~ m/^https/;
>
> Or maybe just look at the port # of the request.
>
> - Perrin
RE: detecting ssl
> -----Original Message-----
> From: Issac Goldstand [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 10, 2001 10:44 AM
> To: Geoffrey Young; 'João Pedro Gonçalves'; brian moseley
> Cc: [EMAIL PROTECTED]
> Subject: Re: detecting ssl
>
> Not necessarily. I could easily set up any virtualhost on port 443 which will be accessible by https://nasty.servername/ but will, in reality, not necessarily be over a secure connection.

what would negotiate the https protocol then? its not like you can just set up to listen on 443, make an http request, and Apache will serve it - at least not through a browser or telnet. but maybe there are ways to spoof the SSL layer?

> $ENV{HTTPS}, on the other hand, is set by mod_ssl, and is therefore a better sign to know that the connection is really secure.

that's good to know... thanks

--Geoff
Re: detecting ssl
> > -----Original Message-----
> > From: Issac Goldstand [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, July 10, 2001 10:44 AM
> > To: Geoffrey Young; 'João Pedro Gonçalves'; brian moseley
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: detecting ssl
> >
> > > Not necessarily. I could easily set up any virtualhost on port 443 which will be accessible by https://nasty.servername/ but will, in reality, not necessarily be over a secure connection.
> >
> > what would negotiate the https protocol then? its not like you can just set up to listen on 443, make an http request, and Apache will serve it - at least not through a browser or telnet.

Of course it will!!!

To prove it, I set up a relatively simple Apache server with the following httpd.conf file. (I'm not sure how much I can cut down the httpd.conf file, so there's probably still excess baggage here...)

-----
ServerType standalone
ServerRoot /usr/local/httpd
PidFile /usr/local/httpd/logs/httpd.pid
ScoreBoardFile /usr/local/httpd/logs/httpd.scoreboard
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 2
MaxSpareServers 6
StartServers 4
MaxClients 50
MaxRequestsPerChild 200
Port 443
Listen 443
User www
Group www
ServerAdmin [EMAIL PROTECTED]
ServerName some.domain.com
DocumentRoot /usr/local/httpd/htdocs
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory /usr/local/httpd/htdocs>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
AccessFileName .htaccess
DefaultType text/plain
-----

Then, I did telnet some.domain.com 443...

-----
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 10 Jul 2001 15:54:47 GMT
Server: Apache/1.3.20 (Unix) mod_perl/1.25 PHP/4.0.4pl1
Connection: close
Content-Type: text/html
-----

Now, if I'd have checked the port, I'd be in trouble. Also, if I'd use a simple client that just used https as port 443 without automatically trying to use a secure layer (which is actually proper...), I could even grab https:// from the URI request.

The ONLY safe way, is to use mod_ssl to tell you you're using it. Consider a comparison: assuming you're using mod_perl by grepping the server info for mod_perl/x.xx rather than checking $ENV{MOD_PERL}

Issac
RE: detecting ssl
> -----Original Message-----
> From: Issac Goldstand [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 10, 2001 1:07 PM
> To: Geoffrey Young
> Cc: [EMAIL PROTECTED]
> Subject: Re: detecting ssl
>
> > > -----Original Message-----
> > > From: Issac Goldstand [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, July 10, 2001 10:44 AM
> > > To: Geoffrey Young; 'João Pedro Gonçalves'; brian moseley
> > > Cc: [EMAIL PROTECTED]
> > > Subject: Re: detecting ssl
> > >
> > > > Not necessarily. I could easily set up any virtualhost on port 443 which will be accessible by https://nasty.servername/ but will, in reality, not necessarily be over a secure connection.
> > >
> > > what would negotiate the https protocol then? its not like you can just set up to listen on 443, make an http request, and Apache will serve it - at least not through a browser or telnet.
>
> Of course it will!!!

whoops, I meant an https request - of course you can listen on any port you want for plain http.

[snip]

> Also, if I'd use a simple client that just used https as port 443 without automatically trying to use a secure layer (which is actually proper...), I could even grab https:// from the URI request.

ok, I'm not claiming to be an ssl expert, so how would one do that? if I do

  telnet my.ssl-enabled.server 443
  GET / HTTP/1.0

I get 400 - BAD_REQUEST. something has to negotiate the https layer, no?

I've been searching for documentation, but all I can find is the TLS spec, which says that TLS is relegated to the scheme of 'https', so pointers to something useful would probably be good (for all :)

> The ONLY safe way, is to use mod_ssl to tell you you're using it. Consider a comparison: assuming you're using mod_perl by grepping the server info for mod_perl/x.xx rather than checking $ENV{MOD_PERL}

understood

--Geoff
Re: detecting ssl
> > > > -----Original Message-----
> > > > From: Issac Goldstand [mailto:[EMAIL PROTECTED]]
> > > > Sent: Tuesday, July 10, 2001 10:44 AM
> > > > To: Geoffrey Young; 'João Pedro Gonçalves'; brian moseley
> > > > Cc: [EMAIL PROTECTED]
> > > > Subject: Re: detecting ssl
> > > >
> > > > > Not necessarily. I could easily set up any virtualhost on port 443 which will be accessible by https://nasty.servername/ but will, in reality, not necessarily be over a secure connection.
> > > >
> > > > what would negotiate the https protocol then? its not like you can just set up to listen on 443, make an http request, and Apache will serve it - at least not through a browser or telnet.
> >
> > Of course it will!!!
>
> whoops, I meant an https request - of course you can listen on any port you want for plain http.

Then, you are correct. Of course you could simply just pipe the telnet session through stunnel, or openssl, or whatever - and work something out like that. But the point is, then it really IS an HTTP request going over SSL, so mod_ssl will jump in and set $ENV{HTTPS} anyway, so that really doesn't say anything.

> [snip]
>
> > Also, if I'd use a simple client that just used https as port 443 without automatically trying to use a secure layer (which is actually proper...), I could even grab https:// from the URI request.
>
> ok, I'm not claiming to be an ssl expert, so how would one do that? if I do
>
>   telnet my.ssl-enabled.server 443
>   GET / HTTP/1.0
>
> I get 400 - BAD_REQUEST. something has to negotiate the https layer, no?

Of course. My point is that just because the server's listening on port 443, it doesn't necessarily mean it's using SSL. That's where the danger is. By checking for $ENV{HTTPS}, you are eliminating that danger by actually checking whether the individual requests are occurring over a secure layer, rather than counting on the server and client to do what you would expect them to - which is the worst mistake that we, as programmers, can afford to make... :-)

> I've been searching for documentation, but all I can find is the TLS spec, which says that TLS is relegated to the scheme of 'https', so pointers to something useful would probably be good (for all :)

Umm... If the RFCs aren't helpful, you can try fooling around with (and reading the man page for) openssl's s_client mode...

Issac

PGP Key 0xE0FA561B - Fingerprint: 7E18 C018 D623 A57B 7F37 D902 8C84 7675 E0FA 561B
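The check the thread settles on, written out as a complete mod_perl 1.x content handler so it can be dropped into a server and exercised against the plain-HTTP-on-443 setup from Issac's httpd.conf demo. This is an added example, not code from the thread or from mod_perl/mod_ssl; the module name My::SSLOnly, the /secure location and the log wording are assumptions of mine. It reads HTTPS from $r->subprocess_env the way Geoff suggested (no lookup_uri subrequest, no dependence on PerlSetupEnv), refuses the request unless mod_ssl set it, and logs what the port heuristic from the thread would have said, so an operator reviewing the error log can see where "port 443, therefore SSL" would have let a plaintext request through.

```perl
# My::SSLOnly - hypothetical mod_perl 1.x content handler (added example,
# not from the thread). Serves a page only when mod_ssl reports that the
# request really arrived over SSL.
#
# httpd.conf (assumed configuration):
#   PerlModule My::SSLOnly
#   <Location /secure>
#       SetHandler perl-script
#       PerlHandler My::SSLOnly
#   </Location>
package My::SSLOnly;

use strict;
use warnings;
use Apache::Constants qw(OK FORBIDDEN);

# True only when mod_ssl has put HTTPS=on into the request's
# subprocess_env table. mod_ssl does that in the fixup phase, which runs
# before the content handler, so no lookup_uri() subrequest is needed, and
# reading the table directly does not depend on PerlSetupEnv (which is
# what $ENV{HTTPS} would need).
sub request_is_ssl {
    my $r = shift;
    my $https = $r->subprocess_env('HTTPS');
    return defined $https && $https eq 'on';
}

# The weaker heuristic discussed in the thread, kept only for the log
# line below: "port 443, therefore SSL". It answers yes for a vhost that
# serves plain HTTP on 443, which is exactly the setup in the demo.
sub port_looks_like_ssl {
    my $r = shift;
    return $r->get_server_port == 443;
}

sub handler {
    my $r = shift;

    unless (request_is_ssl($r)) {
        # Record both verdicts so a false "yes" from the port heuristic
        # is visible in the error log when reviewing the deployment.
        my $reason = sprintf(
            'request not over SSL (mod_ssl HTTPS unset; server port %d, port heuristic: %s)',
            $r->get_server_port,
            port_looks_like_ssl($r) ? 'would have allowed it' : 'no',
        );
        $r->log_reason($reason, $r->uri);
        return FORBIDDEN;
    }

    $r->content_type('text/plain');
    $r->send_http_header;
    $r->print("this request arrived over SSL\n");
    return OK;
}

1;
```

If all that is wanted is to refuse non-SSL requests for a location, mod_ssl's own SSLRequireSSL directive does that declaratively; the handler above is for brian's case, where the content handler itself has to branch on whether the request came in over SSL, and its log line is what makes a misconfigured listener visible after the fact.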