Posted to dev@httpd.apache.org by "Joel J. Smith" <js...@novell.com> on 2005/03/10 18:56:23 UTC
More on TLS Upgrade: Should httpd enforce good client behavior?
There are two more issues that I would like to address on the TLS
Upgrade feature.
1. RFC 2817 explicitly states that if the request comes in from an
HTTP/1.0 (or earlier) client that the Upgrade header should be
removed/ignored since: (a) there is no provision for Connection: Upgrade
until HTTP/1.1 and (b) there is a possibility that an HTTP/1.1 client
sent the request through an HTTP/1.0 proxy. Since TLS Upgrade is a
hop-by-hop feature, if a client requested an upgrade with its proxy, but
the proxy passed the headers on to httpd, the resulting behavior would
be at best, not what the client had in mind, and at worst, a broken
connection. So, the long and the short of it is: should httpd enforce
that only HTTP/1.1 (or looking forward, newer) clients be allowed to
upgrade? I think that this is an obvious yes.
2. With svn commit of ssl_engine_io.c ver 109499, the check for
"Connection: Upgrade" was deemed unnecessary and removed. RFC 2616
(Section 14.42) says that:

    The Upgrade header field only applies to the immediate connection.
    Therefore, the upgrade keyword MUST be supplied within a Connection
    header field (section 14.10) whenever Upgrade is present in an HTTP/1.1
    message.

So a client MUST send something like:

    Connection: Upgrade
    Upgrade: TLS/1.0

or it is considered a broken implementation. I have no problem
supporting broken implementations (especially if it's easier/faster than
enforcing, as is the case here) as long as there are no unintended
side-effects.
The only side effect I could see is this: HTTP/1.1 proxies that don't
support this feature are supposed to remove the Upgrade token from the
"Connection: Upgrade" header and remove the Upgrade header entirely. If
it does that, then everything will work as expected. If it only removes
the Upgrade token from the Connection header, but leaves the Upgrade
header intact, then the same thing described in #1 above would happen.
Granted, only a broken proxy implementation would allow this to happen.
So it boils down to this: Enforcing the presence of the "Connection:
Upgrade" header would break TLS Upgrading clients that don't behave
correctly. Not enforcing it could allow broken behavior for compliant
clients when using a broken proxy.
My opinion is that httpd should enforce the header since I trust clients
who add this feature to get it right more than I trust proxies who may
not understand this part of HTTP/1.1 to get it right. Comments?
Joel
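
The two checks discussed in the message above, as an added example that is not part of the original post and is not httpd code: honor a TLS upgrade only for HTTP/1.1 or newer requests whose Connection header carries the upgrade token. The names tls_upgrade_allowed, has_token and token_eq are hypothetical, and the header values are assumed to arrive as plain C strings (NULL when the header is absent).

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive compare of the n-byte token at s against the C string tok. */
static int token_eq(const char *s, size_t n, const char *tok)
{
    size_t i;
    if (strlen(tok) != n) return 0;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)tok[i]))
            return 0;
    return 1;
}

/* Return 1 if the comma-separated header value contains tok as a whole token. */
static int has_token(const char *value, const char *tok)
{
    const char *p = value;
    if (value == NULL) return 0;                 /* header absent */
    while (*p) {
        const char *start, *end;
        while (*p == ',' || *p == ' ' || *p == '\t') p++;   /* skip separators */
        start = p;
        while (*p && *p != ',') p++;             /* scan to end of this token */
        end = p;
        while (end > start && (end[-1] == ' ' || end[-1] == '\t')) end--;
        if (end > start && token_eq(start, (size_t)(end - start), tok))
            return 1;
    }
    return 0;
}

/* Hypothetical policy check: 1 means the request may be upgraded to TLS. */
int tls_upgrade_allowed(int major, int minor,
                        const char *connection, const char *upgrade)
{
    if (major < 1 || (major == 1 && minor < 1))
        return 0;   /* issue 1: HTTP/1.0 or earlier, Upgrade is ignored */
    if (!has_token(connection, "upgrade"))
        return 0;   /* issue 2: Upgrade sent without Connection: Upgrade */
    return has_token(upgrade, "TLS/1.0");
}
```

With this check, a request relayed by a proxy that stripped the upgrade token from Connection but left the Upgrade header in place is treated as a normal request instead of being upgraded.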