Hello,

It seems that SSLRequireSSL prevents TLS Upgrade from working at all, or I got something wrong. Still, I have not been able to find out how to force TLS Upgrade on an SSLEngine optional...

If I use SSLRequireSSL, Apache will properly return 426 whenever a client performs an unencrypted request, but that will block the TLS Upgrade request itself too (since it is not encrypted either).

I've tried that but that does not seem to work either (plus I am not sure if allowing unencrypted OPTIONS is actually safe):

    <LimitExcept OPTIONS>
        SSLRequireSSL
    </LimitExcept>

This is a sample:

    OPTIONS * HTTP/1.1
    Host: www.example.com
    Upgrade: TLS/1.0
    Connection: Upgrade

    HTTP/1.1 426 Upgrade Required
    Date: Fri, 16 Feb 2007 18:54:30 GMT
    Server: Apache/2.2
    Upgrade: TLS/1.0, HTTP/1.1
    Connection: Upgrade
    Content-Length: 459

    ...

Has anyone been able to work around this chicken-and-egg problem?

Regards,

--
Rémi Denis-Courmont
http://www.remlab.net/