Posted to users@httpd.apache.org by Fiedler Roman <Ro...@ait.ac.at> on 2014/09/09 11:50:01 UTC

[users@httpd] mod_dumpio/forensic log and the quest for the lost bytes

Hello List,

I'm running an Apache on SSL with PFS and suspect that there is something
hidden in an SSL request we are receiving, because Apache does not respond
with the usual 404 (not found) but with 400 (bad request), and I have no
explanation why.

To track down the strange request, I tried forensic logging and dumpio, but
found that some bytes are not logged both ways.

Does anyone know a way to make Apache log the zero byte (\0), followed by
200 zero digits, created by the following request? The headers that follow
are received, used and logged by Apache; just the part after \0 is missing.

(python -c 'import os; os.write(1, "GET / HTTP/1.1\x00%0200d\nHost: [YOUR-HOSTNAME-HERE]\n\n" % (0))'; sleep 1) | socat - OPENSSL:YOUR-HOSTNAME-HERE:443,verify=0 | xxd

This should have been the 225 bytes of the first line I'm interested in:
Sep  9 09:33:04 YOUR-HOSTNAME-HERE apache: default:443: [Tue Sep 09 09:33:04 2014] [notice] mod_dumpio:  dumpio_in (data-TRANSIENT): 225 bytes
And here only a few bytes are logged:
Sep  9 09:33:04 YOUR-HOSTNAME-HERE apache: default:443: [Tue Sep 09 09:33:04 2014] [notice] mod_dumpio:  dumpio_in (data-TRANSIENT): GET / HTTP/1.1
Sep  9 09:33:04 YOUR-HOSTNAME-HERE apache: default:443: [Tue Sep 09 09:33:04 2014] [notice] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
Sep  9 09:33:04 YOUR-HOSTNAME-HERE apache: default:443: [Tue Sep 09 09:33:04 2014] [notice] mod_dumpio:  dumpio_in (data-TRANSIENT): 39 bytes
Sep  9 09:33:04 YOUR-HOSTNAME-HERE apache: default:443: [Tue Sep 09 09:33:04 2014] [notice] mod_dumpio:  dumpio_in (data-TRANSIENT): Host: YOUR-HOSTNAME-HERE \n

I do not want to reconfigure Apache and put my own custom SSL
decrypt/reencrypt in front of it, to avoid subtle changes in the SSL
handshake causing problems with software in the field.

Thanks,
Roman


DI Roman Fiedler
Scientist
Safety & Security Department
Assistive Healthcare Information Technology

AIT Austrian Institute of Technology GmbH
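
The gap described in the message above (a "225 bytes" record followed by a data record showing far fewer bytes) can be found mechanically in an existing mod_dumpio log. The following is an added example, not part of the original post and not Apache code. It assumes each "N bytes" record is followed by one data record for the same direction and that the log writer renders control bytes as backslash escapes counted as one byte each; `find_short_dumps`, the hostname `www.example.test` and the 24-byte count are constructed for the sample.

```python
import re

# Constructed sample in the format of the mod_dumpio records quoted in the
# message (syslog prefix dropped; the Host record is made up so its count fits).
SAMPLE_LOG = """\
[notice] mod_dumpio:  dumpio_in (data-TRANSIENT): 225 bytes
[notice] mod_dumpio:  dumpio_in (data-TRANSIENT): GET / HTTP/1.1
[notice] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[notice] mod_dumpio:  dumpio_in (data-TRANSIENT): 24 bytes
[notice] mod_dumpio:  dumpio_in (data-TRANSIENT): Host: www.example.test\\r\\n
"""

# direction, bucket type, payload of a dumpio count or data record
RECORD = re.compile(r"mod_dumpio:\s+(dumpio_(?:in|out)) \(([^)]*)\): (.*)$")
# Assumption: \n, \r, \xHH and similar escapes each stand for one original byte
ESCAPE = re.compile(r"\\(?:x[0-9a-fA-F]{2}|.)")


def find_short_dumps(log_text):
    """Return (direction, announced, logged, missing) for every data record
    that shows fewer bytes than the count record before it announced."""
    findings = []
    pending = {}  # direction -> announced byte count awaiting its data record
    for line in log_text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue  # mode lines such as "[getline-blocking] 0 readbytes"
        direction, _bucket, payload = m.groups()
        count = re.fullmatch(r"(\d+) bytes", payload)
        if count and direction not in pending:
            pending[direction] = int(count.group(1))
            continue
        if direction in pending:
            announced = pending.pop(direction)
            logged = len(ESCAPE.sub("?", payload))  # escapes count as 1 byte
            if logged < announced:
                findings.append((direction, announced, logged, announced - logged))
    return findings


if __name__ == "__main__":
    for direction, announced, logged, missing in find_short_dumps(SAMPLE_LOG):
        print(f"{direction}: announced {announced}, logged {logged}, {missing} bytes not shown")
```

A finding only says that bytes reached the input filter and were not written to the log; what those bytes were has to come from another capture point.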