Posted to users@httpd.apache.org by Fiedler Roman <Ro...@ait.ac.at> on 2014/09/09 11:50:01 UTC
[users@httpd] mod_dumpio/forensic log and the quest for the lost bytes
Hello List,
I'm running an Apache on SSL with PFS and suspect that there is something
hidden in an SSL request we are receiving, because Apache does not respond
with the usual 404 (not found) but 400 (bad request) and I have no
explanation why.
To track down the strange request, I tried forensic logging and dumpio, but
found that some bytes are not logged either way.
Does someone know a way to make Apache log the zero byte (\0), followed by
200 zero-digits, created by the following request? The following headers are
received, used and logged by Apache, just the part after \0 is missing.
(python -c 'import os; os.write(1, "GET / HTTP/1.1\x00%0200d\nHost: [YOUR-HOSTNAME-HERE]\n\n" % (0))'; sleep 1) | socat - OPENSSL:YOUR-HOSTNAME-HERE:443,verify=0 | xxd
This should have been the 225 bytes of the first line I'm interested in:
Sep 9 09:33:04 YOUR-HOSTNAME-HERE apache: default:443: [Tue Sep 09 09:33:04 2014] [notice] mod_dumpio: dumpio_in (data-TRANSIENT): 225 bytes
And here only a few bytes are logged:
Sep 9 09:33:04 YOUR-HOSTNAME-HERE apache: default:443: [Tue Sep 09 09:33:04 2014] [notice] mod_dumpio: dumpio_in (data-TRANSIENT): GET / HTTP/1.1
Sep 9 09:33:04 YOUR-HOSTNAME-HERE apache: default:443: [Tue Sep 09 09:33:04 2014] [notice] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
Sep 9 09:33:04 YOUR-HOSTNAME-HERE apache: default:443: [Tue Sep 09 09:33:04 2014] [notice] mod_dumpio: dumpio_in (data-TRANSIENT): 39 bytes
Sep 9 09:33:04 YOUR-HOSTNAME-HERE apache: default:443: [Tue Sep 09 09:33:04 2014] [notice] mod_dumpio: dumpio_in (data-TRANSIENT): Host: YOUR-HOSTNAME-HERE \n
I do not want to reconfigure Apache and put my own custom SSL
decrypt/reencrypt in front of it, to avoid subtle changes in the SSL
handshake causing problems with software in the field.
Thanks,
Roman
DI Roman Fiedler
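Added example, not part of the original post: a Python check over mod_dumpio output that compares each announced byte count with the length of the data line logged after it, flagging records like the 225-byte one above where less was logged than received. The sample log is constructed from the line format quoted in the post; the function names, the regexes and the assumption that control bytes appear as escapes such as \n or \xHH (one byte each) are this example's own.

```python
import re

# Constructed sample modelled on the log lines in the post (syslog prefix
# dropped, wrapped lines rejoined, example.test is a placeholder host).
SAMPLE_LOG = r"""[notice] mod_dumpio: dumpio_in (data-TRANSIENT): 225 bytes
[notice] mod_dumpio: dumpio_in (data-TRANSIENT): GET / HTTP/1.1
[notice] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[notice] mod_dumpio: dumpio_in (data-TRANSIENT): 19 bytes
[notice] mod_dumpio: dumpio_in (data-TRANSIENT): Host: example.test\n
"""

# "<direction> (<bucket type>): <N> bytes" announces how much data was seen.
HEADER = re.compile(r"mod_dumpio:\s+(dumpio_\w+) \((\S+)\): (\d+) bytes$")
# The next line with the same direction and bucket type carries the data.
DATA = re.compile(r"mod_dumpio:\s+(dumpio_\w+) \((\S+)\): (.*)$")
# Assumption: each escape (\n, \r, \\, \xHH, ...) stands for one byte.
ESCAPE = re.compile(r"\\(x[0-9a-fA-F]{2}|.)")


def logged_length(text):
    """Number of bytes a logged data string represents."""
    return len(ESCAPE.sub("?", text))


def find_short_records(log_text):
    """Return (header_line_no, announced, logged, text) for every record
    whose data line holds fewer bytes than its header announced."""
    findings = []
    pending = None  # (line_no, direction, bucket_type, announced)
    for line_no, line in enumerate(log_text.splitlines(), 1):
        header = HEADER.search(line)
        if header:
            pending = (line_no, header.group(1), header.group(2),
                       int(header.group(3)))
            continue
        data = DATA.search(line)
        if data and pending and (data.group(1), data.group(2)) == pending[1:3]:
            logged = logged_length(data.group(3))
            if logged < pending[3]:
                findings.append((pending[0], pending[3], logged, data.group(3)))
        pending = None  # a header only pairs with the line directly after it
    return findings


if __name__ == "__main__":
    for line_no, announced, logged, text in find_short_records(SAMPLE_LOG):
        print(f"line {line_no}: announced {announced} bytes, "
              f"logged {logged}: {text!r}")
```

A flagged record means the log cannot be used to reconstruct that request, so the raw bytes have to come from another capture point.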