Posted to dev@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2010/04/16 01:22:50 UTC

[jira] Commented: (TS-295) Allowing HTTP CONNECT to be used on non-SSL ports

    [ https://issues.apache.org/jira/browse/TS-295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12857589#action_12857589 ] 

Leif Hedstrom commented on TS-295:
----------------------------------

As we discussed on #traffic-server, we should create a separate configuration for this, which defaults to the "old" SSL ports (just for compatibility). Setting this config to "" would disable all connects entirely.

We should also disassociate the YTS code for this from SSL. Right now, all the functions / defines etc. are SSL related, and so are the error messages. We should change that as well, e.g. where the code is now

    if ((method == HTTP_WKSIDX_CONNECT) && (!is_ssl_port_ok(s, incoming_hdr->url_get()->port_get()))) {
      return BAD_SSL_PORT;
    }


we should change to something like

    if ((method == HTTP_WKSIDX_CONNECT) && (!is_connect_port_ok(s, incoming_hdr->url_get()->port_get()))) {
      return BAD_CONNECT_PORT;
    }

(as far as I can tell, the BAD_SSL_PORT is only used for this case with CONNECT, and it makes zero sense to me).


And likewise for the error message that we generate, it ought to say something like

    build_error_response(s,
                         HTTP_STATUS_FORBIDDEN,
                         "Tunnel Forbidden",
                         "access#tunnel_forbidden", "%d is not an allowed port for Tunnel connections", port);

> Allowing HTTP CONNECT to be used on non-SSL ports
> -------------------------------------------------
>
>                 Key: TS-295
>                 URL: https://issues.apache.org/jira/browse/TS-295
>             Project: Traffic Server
>          Issue Type: Improvement
>    Affects Versions: 2.0.0
>         Environment: All?
>            Reporter: Marcus Clyne
>            Priority: Minor
>
> Currently HTTP CONNECT can only be used on ports designated as SSL ports in the config file, even if SSL is not used.
> It seems more sensible to add a config option to specify which ports can be tunneled through using CONNECT's, perhaps defaulting to the SSL ports, but not being limited to them.

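The port check proposed in the comment above, as an added example that is not Traffic Server code and not part of the original message: a separate CONNECT port list where an empty setting denies every tunnel and a malformed setting fails closed. The list syntax (whitespace-separated ports and "lo-hi" ranges), the helper names, the two-argument form of is_connect_port_ok and the sample value "443 563" are assumptions made for illustration.

```cpp
// Added example, hypothetical names throughout; not Traffic Server source.
#include <cstdint>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

using PortRanges = std::vector<std::pair<uint16_t, uint16_t>>;

// Parse one decimal port (1-65535); reject empty, non-digit or out-of-range text.
static bool parse_port(const std::string &tok, uint16_t &out) {
  if (tok.empty() || tok.size() > 5) return false;
  unsigned long v = 0;
  for (char c : tok) {
    if (c < '0' || c > '9') return false;
    v = v * 10 + static_cast<unsigned long>(c - '0');
  }
  if (v == 0 || v > 65535) return false;
  out = static_cast<uint16_t>(v);
  return true;
}

// Parse a whitespace-separated list of ports or "lo-hi" ranges (assumed syntax).
// Any malformed token clears the list and returns false, so the caller fails closed.
bool parse_connect_ports(const std::string &cfg, PortRanges &out) {
  out.clear();
  std::istringstream in(cfg);
  std::string tok;
  while (in >> tok) {
    auto dash = tok.find('-');
    uint16_t lo = 0, hi = 0;
    if (dash == std::string::npos) {
      if (!parse_port(tok, lo)) { out.clear(); return false; }
      hi = lo;
    } else if (!parse_port(tok.substr(0, dash), lo) ||
               !parse_port(tok.substr(dash + 1), hi) || lo > hi) {
      out.clear();
      return false;
    }
    out.emplace_back(lo, hi);
  }
  return true;  // "" parses to an empty list, which permits no CONNECT at all
}

// True only if the port lies inside an allowed range; an empty list denies all.
bool is_connect_port_ok(const PortRanges &allowed, int port) {
  for (const auto &r : allowed)
    if (port >= r.first && port <= r.second) return true;
  return false;
}
```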