Posted to users@httpd.apache.org by ge...@ameritech.net on 2003/04/01 04:42:46 UTC

Re: [users@httpd] How does HTTPS work?

I think you're mixing up http(s) headers and packet headers.  The latter 
are visible to the proxy server but not the former.

ken

At 10:16 (UTC-0800) on Mon, 31 Mar 2003 Rufoo said:

= What misled me is that I forgot that HTTPS
= communication takes over a totally different port -
= 443 and not 80, that is both http and https cannot go
= over the same wire. 
= 
= Now, how do proxies work for https? proxies rely on
= the http(s) headers, which are now not available.
= Also, what is the semantics for page caching? 
= 
= Thanks
= rf
= 
= 
= --- Jurgen <ap...@squarehosting.com> wrote:
= > Well rf,
= > 
= > there are no headers to see because all of it is
= > encrypted. You will not be able to read anything at
= > all.
= > Imagine the web server sets a cookie as a session
= > id for a login into sensitive data. The browser
= > would submit the cookie in the http headers and
= > anyone listening could simply join the session and
= > act as the actual owner of the account with the
= > sensitive data.
= > The connection established between the client and
= > server is an encrypted connection where absolutely
= > everything is encrypted through a secure socket.
= > That's why it is called secure socket layer (SSL)
= > and not secure http layer, which could be the name
= > of what you seem to think.
= > The secure socket layer is simply a layer between
= > tcp and http. Somehow embedded in the secure socket
= > layer is a regular http connection.
= > 
= > You also seem to have a wrong perception of headers.
= > A http connection is not really something
= > sophisticated from the transmission point of view.
= > The client simply transmits a chunk of text and the
= > server answers with another chunk. That's it. Not
= > even the headers are transmitted in a separate way.
= > They are simply the start of this chunk of text
= > separated by 2 line breaks. In https when these
= > headers are transmitted they are just a part of the
= > encrypted chunk of text and therefore you can't read
= > them.
= > 
= > If there is anything you don't understand now let us
= > know.
= > 
= > Jurgen
= > 
= > 
= > On Mon, 31 Mar 2003 03:04:05 -0800 (PST)
= > Rufoo <ru...@yahoo.com> wrote:
= > 
= > > 
= > > --- Boyle Owen <Ow...@swx.com> wrote:
= > > > >-----Original Message-----
= > > > >From: Rufoo [mailto:rufoo2001@yahoo.com]
= > > > >
= > > > >For a https:// url, after the browser and server
= > > > >negotiate on the certificates and the session key, the
= > > > >browser encrypts all the communication with this key.
= > > > >I want to see a 'sample HTTPS session', with the
= > > > >browser doing the above and then sending the GET/POST
= > > > >request with the encrypted content. Are any additional
= > > > >headers sent in the case of HTTPS?
= > > > 
= > > > How can you see the session if it's all encrypted :-)
= > > > 
= > > 
= > > 
= > > I do not want to *understand* or *interpret* the data,
= > > I just want to see the HTTP Headers (which I don't
= > > think are encrypted) followed by the MIME part of the
= > > encrypted data (Yeah, this is another question - is the
= > > encrypted data sent as HTTP body or as a MIME part?).
= > > 
= > > 
= > > > The HTTPS protocol is quite different from HTTP - it
= > > > starts off with client_hello and server_hello and so on.
= > > > Once the session is established, it is plain HTTP but all
= > > > requests and responses are encrypted. Check out the
= > > > mod_ssl docs for an overview
= > > > (http://www.modssl.org/docs/2.8/ssl_intro.html) and
= > > > the refs therein
= > > > (esp. http://wp.netscape.com/eng/ssl3/draft302.txt)
= > > > 
= > > 
= > > This doc says the SSL layer sits in between TCP and
= > > HTTP. So I am interested in what SSL writes over TCP.
= > > I do not want it all, just a simple example as
= > > ordinary HTTP is explained in
= > > http://www.jmarshall.com/easy/http/
= > > 
= > > 
= > > > >
= > > > >Looking at the RAW HTTP data, can one identify if it's
= > > > >a http session or https session?
= > > > 
= > > > If you can read it, it's not HTTPS...
= > > > 
= > > 
= > > Now that I have explained what I am really looking
= > > for, I ask this again: When the SSL layer writes to
= > > the TCP layer, does it put any additional headers that
= > > identify that this URL has an 'https'. Do not say
= > > that if you cannot read the body content it is https -
= > > I might be sending the same over plain http too. I
= > > hope you get it.
= > > 
= > > Thanks again, and if this is not related to this
= > > mailing list, please let me know who can help me.
= > > -rf


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] How does HTTPS work?

Posted by Rufoo <ru...@yahoo.com>.
--- Zac Stevens <zt...@cryptocracy.com> wrote:
> On Mon, Mar 31, 2003 at 08:42:16PM -0800, Rufoo wrote:
> > 
> > --- gebser@ameritech.net wrote:
> > > 
> > > I think you're mixing up http(s) headers and packet
> > > headers.  The latter 
> > > are visible to the proxy server but not the former.
> > 
> > 
> > A http proxy gets the target host's name from the GET
> > line, now in the case of https where is this
> > available?
> 
> The client connects to the proxy and uses the
> 'CONNECT' method to establish
> a connection to the secure server.  The argument to
> this method will be the
> hostname and port number of the secure server.
> 

So the proxy mechanism here is different from that of
http/proxy. Which RFC describes this? (Googling on
https+rfc is yielding something on TLS and not SSL.)


> I'm a little curious about your motivations here,
> Rufoo - are you just
> curious about how this all works, or do you have an
> application in mind?
> If the latter is the case, you'll probably get more
> helpful answers if you
> give an outline of what you're trying to achieve.
> 
> Of course if you're just curious, that's great!  I
> wish more people would
> take an interest in how these things work at a lower
> level :)
> 

Yes, I am just curious. 


> Cheers,
> 
> 
> Zac
> 

Thanks
rf



Re: [users@httpd] How does HTTPS work?

Posted by Zac Stevens <zt...@cryptocracy.com>.
On Mon, Mar 31, 2003 at 08:42:16PM -0800, Rufoo wrote:
> 
> --- gebser@ameritech.net wrote:
> > 
> > I think you're mixing up http(s) headers and packet
> > headers.  The latter 
> > are visible to the proxy server but not the former.
> 
> 
> A http proxy gets the target host's name from the GET
> line, now in the case of https where is this
> available?

The client connects to the proxy and uses the 'CONNECT' method to establish
a connection to the secure server.  The argument to this method will be the
hostname and port number of the secure server.

I'm a little curious about your motivations here, Rufoo - are you just
curious about how this all works, or do you have an application in mind?
If the latter is the case, you'll probably get more helpful answers if you
give an outline of what you're trying to achieve.

Of course if you're just curious, that's great!  I wish more people would
take an interest in how these things work at a lower level :)

Cheers,


Zac
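
What a forward proxy can read in the two cases discussed in this thread, as an added example that is not part of the original messages: the plaintext CONNECT line carries the target host and port, and the tunnelled bytes that follow start with an SSL record header (content type, version, length) that is readable without any key. The function names, the host secure.example.com and the byte strings are constructed for illustration.

```python
import re

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

# Constructed sample inputs (not captured traffic).
CONNECT_REQ = b"CONNECT secure.example.com:443 HTTP/1.0\r\nUser-Agent: demo\r\n\r\n"
# First bytes of a record only: handshake(22), SSL 3.0, record length 45,
# then handshake type 1 (client_hello), handshake length 41, version 3.0.
CLIENT_HELLO_START = bytes([22, 3, 0, 0, 0x2D, 1, 0, 0, 0x29, 3, 0])
# application_data(23) record; the 32 zero bytes stand in for ciphertext.
APP_DATA = bytes([23, 3, 0, 0, 0x20]) + bytes(32)

RECORD_TYPES = {20: "change_cipher_spec", 21: "alert",
                22: "handshake", 23: "application_data"}


def parse_connect(request: bytes):
    """Return (host, port) from a CONNECT request line, or None.

    Hostnames and IPv4 literals only; this is all the proxy learns
    about an https request.
    """
    line = request.split(b"\r\n", 1)[0]
    m = re.fullmatch(rb"CONNECT ([A-Za-z0-9.-]+):(\d{1,5}) HTTP/1\.[01]", line)
    if not m or int(m.group(2)) > 65535:
        return None
    return m.group(1).decode("ascii"), int(m.group(2))


def classify_first_bytes(data: bytes) -> str:
    """Label the start of a TCP stream using only what is sent in the clear."""
    if data.startswith(HTTP_METHODS):
        return "plaintext-http"
    # SSL record header: type(1) | major(1) | minor(1) | length(2, big-endian)
    if len(data) >= 5 and data[0] in RECORD_TYPES and data[1] == 3:
        kind = RECORD_TYPES[data[0]]
        if data[0] == 22 and len(data) >= 6 and data[5] == 1:
            kind = "handshake/client_hello"
        length = int.from_bytes(data[3:5], "big")
        return f"ssl-record:{kind}:3.{data[2]}:len={length}"
    return "unknown"


if __name__ == "__main__":
    print(parse_connect(CONNECT_REQ))
    for sample in (CONNECT_REQ, CLIENT_HELLO_START, APP_DATA):
        print(classify_first_bytes(sample))
```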



Re: [users@httpd] How does HTTPS work?

Posted by Rufoo <ru...@yahoo.com>.
--- gebser@ameritech.net wrote:
> 
> I think you're mixing up http(s) headers and packet
> headers.  The latter 
> are visible to the proxy server but not the former.


A http proxy gets the target host's name from the GET
line, now in the case of https where is this
available?




> 
> ken
> 
> At 10:16 (UTC-0800) on Mon, 31 Mar 2003 Rufoo said:
> 
> = What misled me is that I forgot that HTTPS
> = communication takes over a totally different port -
> = 443 and not 80, that is both http and https cannot go
> = over the same wire. 
> = 
> = Now, how do proxies work for https? proxies rely on
> = the http(s) headers, which are now not available.
> = Also, what is the semantics for page caching? 
> = 
> = Thanks
> = rf
> = 
