Are "client requested update" supported?


on 12.09.2003 15:42:16 by Adrien Felon

Hi,

I would like to try some client side requested upgrade to HTTP over TLS (cf.
section 3 of RFC2817). For that I had apache loading mod_ssl and I try to
send the following data to the server (using a telnet on port 80):

OPTIONS * HTTP/1.1\r\n
Host: ...\r\n
Upgrade: TLS/1.0\r\n
Connection: Upgrade\r\n
\r\n

I got "HTTP/1.1 200 Ok\r\n..." response instead of "HTTP/1.1 101 Switching
Protocols\r\n". I start to wonder if apache actually supports this... As
https works fine, I think my openssl/mod_ssl config is up and running.

It sounds like a dummy question to me but I walk through the docs without
the response.

Thanks in advance,

Adrien Felon




______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Are "client requested update" supported?

on 12.09.2003 16:00:29 by Mads Toftum

On Fri, Sep 12, 2003 at 03:42:16PM +0200, Adrien Felon wrote:
> Hi,
>
> I would like to try some client side requested upgrade to HTTP over TLS (cf.
> section 3 of RFC2817). For that I had apache loading mod_ssl and I try to
> send the following data to the server (using a telnet on port 80):
>
> OPTIONS * HTTP/1.1\r\n
> Host: ...\r\n
> Upgrade: TLS/1.0\r\n
> Connection: Upgrade\r\n
> \r\n
>
> I got "HTTP/1.1 200 Ok\r\n..." response instead of "HTTP/1.1 101 Switching
> Protocols\r\n". I start to wonder if apache actually supports this... As
> https works fine, I think my openssl/mod_ssl config is up and running.
>
> It sounds like a dummy question to me but I walk through the docs without
> the response.
>
Up to version 2.0.x the answer is that there is no support for it.
For 2.1.x there might be some initial code to take care of that, but even if
it did make it into the tree, then it is more or less untested because there
are no clients for it.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall


Re: Are "client requested update" supported?

on 12.09.2003 18:04:41 by Adrien Felon

> Up to version 2.0.x the answer is that there is no support for it.
> For 2.1.x there might be some initial code to take care of that, but even if
> it did make it into the tree, then it is more or less untested because there
> are no clients for it.

Interesting answer. Thanks! I asked this because I need to write an
SSL-aware HTTP client.

Whatever, I am now wondering how strong is the pressure to migrate from the
classical "https" scheme to the "client requested upgrade" (as I see these
as somehow alternatives, as the client explicitly request "https"...). As
far as I understand, RFC 2817 (May 2000...) clearly states that things like
HTTPS should be deprecated. So I wonder what the "market" says... You say
there is no client: am I really going to write the first one that supports
this? As apache starts to support it, I guess there might be some other
people looking for it also.




Re: Are "client requested update" supported?

on 12.09.2003 19:28:28 by Eric Rescorla

"Adrien Felon" writes:
> Whatever, I am now wondering how strong is the pressure to migrate from the
> classical "https" scheme to the "client requested upgrade" (as I see these
> as somehow alternatives, as the client explicitly request "https"...). As
> far as I understand, RFC 2817 (May 2000...) clearly states that things like
> HTTPS should be deprecated. So I wonder what the "market" says... You say
> there is no client: am I really going to write the first one that supports
> this? As apache starts to support it, I guess there might be some other
> people looking for it also.
There's no pressure at all, and for good reason. RFC 2817 is
badly broken.

To take merely one example, it has a terrible interaction with
proxies.

-Ekr
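
The check done by telnet in the first post, as an added Python example (not code from the thread or from mod_ssl): it builds the same `OPTIONS *` upgrade request and classifies the reply. The expected 101 reply shape (`Upgrade: TLS/1.0, HTTP/1.1` with `Connection: Upgrade`) follows RFC 2817 section 3.3; the function names and the sample responses are constructed for illustration.

```python
import socket

def build_upgrade_request(host):
    """The probe from the first post: OPTIONS * asking to upgrade to TLS/1.0."""
    return (f"OPTIONS * HTTP/1.1\r\nHost: {host}\r\n"
            "Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n").encode("ascii")

def parse_head(raw):
    """Return (status_code, {lower-cased header name: value}) from a response head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def classify_upgrade(raw):
    """Decide what the client may do next on this connection."""
    status, headers = parse_head(raw)
    tokens = lambda h: [t.strip().lower() for t in headers.get(h, "").split(",")]
    if status == 101 and "tls/1.0" in tokens("upgrade") and "upgrade" in tokens("connection"):
        return "switch"         # begin the TLS handshake on this same socket
    if status == 101:
        return "malformed-101"  # 101 without the expected tokens: close, do not send data
    return "ignored"            # e.g. the 200 reported in the thread: link is still cleartext

def probe(host, port=80, timeout=5.0):
    """Send the probe to a server you operate and classify the reply (hypothetical helper)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_upgrade_request(host))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return classify_upgrade(buf)

# Constructed sample responses (not captured from a real server).
ACCEPTED = b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n"
IGNORED = b"HTTP/1.1 200 OK\r\nAllow: GET,HEAD,OPTIONS\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("accepted", ACCEPTED), ("ignored", IGNORED)):
        print(name, "->", classify_upgrade(raw))
```

A client that requires TLS should treat anything other than `switch` as a failure and close the connection rather than continue in cleartext.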

SSL error message

on 15.09.2003 08:15:56 by Erki Kriks

Hi!

My users are using ID card for authentication.
If the ID card is missing or password is wrong,
users get the default MSIE error page "The page cannot be displayed".

I have declared all error messages in Apache conf file (errordocs a.s.o)
but it did not help.

How can I show users my own error page (for example, "Please insert
your ID card!")?

Apache SSL error.log is:
[Thu Sep 11 12:23:37 2003] [error] OpenSSL: error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
[Hint: No CAs known to server for verification?]
[Thu Sep 11 12:23:37 2003] [error] mod_ssl: SSL handshake failed (server
erki_laptop/laev:443, client 172.100.60.2) (OpenSSL library error follows)

I'm using WinXP, OpenSA, Apache 1.3.7, OpenSSL 0.9.6b, Tomcat 4.1.

Tnx,
Erki


Re: SSL error message

on 24.09.2003 18:00:36 by Kiyoshi Watanabe

Hello,

> How can I show users my own error page (for example, "Please insert
> your ID card!")?

Does the modssl have such a custom error message functionality?

Also, how can the server know whether the ID card is inserted or not?
The error message below only shows that the server does not receive the
client certificate that was expected.

> Apache SSL error.log is:
> [Thu Sep 11 12:23:37 2003] [error] OpenSSL: error:140890C7:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> [Hint: No CAs known to server for verification?]
> [Thu Sep 11 12:23:37 2003] [error] mod_ssl: SSL handshake failed (server
> erki_laptop/laev:443, client 172.100.60.2) (OpenSSL library error follows)

The solution would be to have your application check whether the ID card
is inserted and make sure your certificate is there before you send the SSL
message.

-Kiyoshi
Kiyoshi Watanabe
