Posted to dev@httpd.apache.org by rb...@apache.org on 2002/10/07 05:50:04 UTC

SSL Upgrade support.

Just a heads up.  I wrote SSL Upgrade support this weekend for Apache
2.0.  In my (currently) limited testing, things look pretty good.  We
currently respond to all requests correctly, and I think I have the SSL
filters being inserted properly.  However, there are no clients that I
know of that support this feature yet.  My hope was to have time to add it
to Neon this weekend, but it didn't happen.  I won't commit the Apache
code until I can test it with a client, so if anybody wants to
help me implement the client side, or if anybody knows of any clients that
already support this, please let me know.

Ryan

_______________________________________________________________________________
Ryan Bloom                        	rbb@apache.org
550 Jean St
Oakland CA 94610
-------------------------------------------------------------------------------


Re: SSL Upgrade support.

Posted by rb...@apache.org.
Joe,

I tried to compile cadaver 0.19.1 and 0.18.5, but neither one would
compile for me.  Do you happen to have linux binaries lying around, or do
you have the magic incantation to get it to compile?  BTW, I tried 0.18.5
because according to the CVS logs, it looks like that is the cadaver
version with the upgrade support.

Any help you can offer would be great.  Otherwise, I will have to add the
support back to the most recent version of neon.

Ryan

On Mon, 7 Oct 2002, Joe Orton wrote:

> On Sun, Oct 06, 2002 at 11:50:04PM -0400, Ryan Bloom wrote:
> > Just a heads up.  I wrote SSL Upgrade support this weekend for Apache
> > 2.0.  In my (currently) limited testing, things look pretty good.  We
> > currently respond to all requests correctly, and I think I have the SSL
> > filters being inserted properly.  However, there are no clients that I
> > know of that support this feature yet.  My hope was to have time to add it
> > to Neon this weekend, but it didn't happen.  I won't commit the Apache
> > code until I can test it with a client, so if anybody wants to
> > help me implement the client side, or if anybody knows of any clients that
> > already support this, please let me know.
> 
> I did have TLS upgrade support in neon but removed it in 0.22.0 since it
> was unused in practice and not really very useful even in theory (see
> ietf-tls archives).
> 
> You can try cadaver 0.19.1 with this patch, which will send the Upgrade
> header, and should switch to SSL on receiving a 101 interim response,
> though I haven't tested that.  (It will continue sending the Upgrade
> header on requests sent via SSL, which it shouldn't, so watch out for
> that)
> 
> --- ./src/cadaver.c.1	2002-10-07 10:09:37.000000000 +0100
> +++ ./src/cadaver.c	2002-10-07 10:10:08.000000000 +0100
> @@ -367,6 +367,8 @@
>  
>      init_locking(lockstore);
>      
> +    ne_set_request_secure_upgrade(session, 1);
> +
>      ne_set_progress(session, transfer_progress, NULL);
>      ne_set_status(session, connection_status, NULL);
>  
> --- ./libneon/ne_request.c.1	2002-10-07 10:13:23.000000000 +0100
> +++ ./libneon/ne_request.c	2002-10-07 10:15:57.000000000 +0100
> @@ -455,6 +455,9 @@
>      req->reqbuf = ne_buffer_create();
>      req->respbuf = ne_buffer_create_sized(BUFSIZ);
>  
> +    if (sess->request_secure_upgrade == 1)
> +	req->upgrade_to_tls = 1;
> +
>      /* Add in the fixed headers */
>      add_fixed_headers(req);
>  
> @@ -474,10 +477,6 @@
>  	req->use_proxy = sess->have_proxy;
>      }
>  
> -    if (sess->request_secure_upgrade == 1) {
> -	req->upgrade_to_tls = 1;
> -    }
> -
>      /* Add in handlers for all the standard HTTP headers. */
>  
>      ne_add_response_header_handler(req, "Content-Length", 
> 

-- 

_______________________________________________________________________________
Ryan Bloom                        	rbb@apache.org
550 Jean St
Oakland CA 94610
-------------------------------------------------------------------------------


Re: SSL Upgrade support.

Posted by Joe Orton <jo...@redhat.com>.
On Sun, Oct 06, 2002 at 11:50:04PM -0400, Ryan Bloom wrote:
> Just a heads up.  I wrote SSL Upgrade support this weekend for Apache
> 2.0.  In my (currently) limited testing, things look pretty good.  We
> currently respond to all requests correctly, and I think I have the SSL
> filters being inserted properly.  However, there are no clients that I
> know of that support this feature yet.  My hope was to have time to add it
> to Neon this weekend, but it didn't happen.  I won't commit the Apache
> code until I can test it with a client, so if anybody wants to
> help me implement the client side, or if anybody knows of any clients that
> already support this, please let me know.

I did have TLS upgrade support in neon but removed it in 0.22.0 since it
was unused in practice and not really very useful even in theory (see
ietf-tls archives).

You can try cadaver 0.19.1 with this patch, which will send the Upgrade
header, and should switch to SSL on receiving a 101 interim response,
though I haven't tested that.  (It will continue sending the Upgrade
header on requests sent via SSL, which it shouldn't, so watch out for
that)

--- ./src/cadaver.c.1	2002-10-07 10:09:37.000000000 +0100
+++ ./src/cadaver.c	2002-10-07 10:10:08.000000000 +0100
@@ -367,6 +367,8 @@
 
     init_locking(lockstore);
     
+    ne_set_request_secure_upgrade(session, 1);
+
     ne_set_progress(session, transfer_progress, NULL);
     ne_set_status(session, connection_status, NULL);
 
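Review bot: the added ne_set_request_secure_upgrade(session, 1) call is unconditional, so every session asks for the upgrade, and the accompanying message already notes that the Upgrade header keeps going out on requests sent via SSL. Guard the call so it runs only for a session that starts in cleartext, and consider making it an option rather than hard-coding 1.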
--- ./libneon/ne_request.c.1	2002-10-07 10:13:23.000000000 +0100
+++ ./libneon/ne_request.c	2002-10-07 10:15:57.000000000 +0100
@@ -455,6 +455,9 @@
     req->reqbuf = ne_buffer_create();
     req->respbuf = ne_buffer_create_sized(BUFSIZ);
 
+    if (sess->request_secure_upgrade == 1)
+	req->upgrade_to_tls = 1;
+
     /* Add in the fixed headers */
     add_fixed_headers(req);
 
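Review bot: the test added before add_fixed_headers(req) looks only at sess->request_secure_upgrade, so req->upgrade_to_tls is set on every request for the life of the session, including requests made after the connection has switched; it needs a second condition that the connection is not already secured. The braces that the removed block had are dropped here, and since running before add_fixed_headers(req) appears to be the reason for the move, a one-line comment saying so would stop someone from moving it back.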
@@ -474,10 +477,6 @@
 	req->use_proxy = sess->have_proxy;
     }
 
-    if (sess->request_secure_upgrade == 1) {
-	req->upgrade_to_tls = 1;
-    }
-
     /* Add in handlers for all the standard HTTP headers. */
 
     ne_add_response_header_handler(req, "Content-Length", 
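
The client-side decision described in the message above (offer the upgrade, switch on a 101 interim response, stop offering once on SSL), as an added example that is not neon's, cadaver's or Apache's code. The `Upgrade: TLS/1.0` token and the 101 reply format follow RFC 2817; the function names, enum and sample responses are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum upgrade_result { UPG_SWITCH_TO_TLS, UPG_STAY_CLEARTEXT, UPG_MALFORMED };

/* Request head; the Upgrade offer is left out once TLS is up. */
int build_request_head(char *buf, size_t len, const char *host,
                       const char *path, int already_tls)
{
    return snprintf(buf, len, "OPTIONS %s HTTP/1.1\r\nHost: %s\r\n%s\r\n",
                    path, host, already_tls ? ""
                    : "Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n");
}

/* Case-insensitive lookup of a header in a CRLF-delimited response head. */
static const char *header_value(const char *head, const char *name)
{
    size_t n = strlen(name);
    const char *line = strstr(head, "\r\n");          /* end of status line */
    while (line && line[2] != '\r' && line[2] != '\0') {
        line += 2;
        if (strncasecmp(line, name, n) == 0 && line[n] == ':') {
            const char *v = line + n + 1;
            while (*v == ' ' || *v == '\t') v++;
            return v;
        }
        line = strstr(line, "\r\n");
    }
    return NULL;
}

/* Classify the first response head received after an Upgrade offer. */
enum upgrade_result check_upgrade_response(const char *head)
{
    int status;
    if (sscanf(head, "HTTP/1.%*d %3d", &status) != 1)
        return UPG_MALFORMED;
    if (status != 101)
        return UPG_STAY_CLEARTEXT;  /* offer ignored: no TLS on this link */
    const char *up = header_value(head, "Upgrade");
    if (up == NULL || strncasecmp(up, "TLS/", 4) != 0)
        return UPG_MALFORMED;       /* a 101 that does not switch to TLS */
    return UPG_SWITCH_TO_TLS;
}

int main(void)
{   /* constructed sample: server answers normally, ignoring the offer */
    return check_upgrade_response("HTTP/1.1 200 OK\r\n\r\n") != UPG_STAY_CLEARTEXT;
}
```

A caller that requires encryption has to treat `UPG_STAY_CLEARTEXT` as a failure: anything on the path that strips the Upgrade header yields the same ordinary response as a server that does not support the feature.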

Re: SSL Upgrade support.

Posted by Benjamin Ritcey <cu...@ritcey.com>.
Not positive if this will help you, but I know from recent experience  
that CUPS (www.cups.org) does TLS Upgrade for secure printing via IPP  
-- maybe proxying cups w/ Apache would help test?

Anyway, HTH

-b


On Sunday, October 6, 2002, at 11:50 PM, rbb@apache.org wrote:

>
> Just a heads up.  I wrote SSL Upgrade support this weekend for Apache
> 2.0.  In my (currently) limited testing, things look pretty good.  We
> currently respond to all requests correctly, and I think I have the SSL
> filters being inserted properly.  However, there are no clients that I
> know of that support this feature yet.  My hope was to have time to add it
> to Neon this weekend, but it didn't happen.  I won't commit the Apache
> code until I can test it with a client, so if anybody wants to
> help me implement the client side, or if anybody knows of any clients that
> already support this, please let me know.
>
> Ryan
>
> _______________________________________________________________________________
> Ryan Bloom                        	rbb@apache.org
> 550 Jean St
> Oakland CA 94610
> -------------------------------------------------------------------------------
>