|Summary:||allow to configure what mod_ssl responds when one doesn't talk TLS/SSL to the port|
|Product:||Apache httpd-2||Reporter:||Christoph Anton Mitterer <calestyo>|
|Component:||mod_ssl||Assignee:||Apache HTTPD Bugs Mailing List <bugs>|
Description Christoph Anton Mitterer 2013-08-20 21:40:11 UTC
Hi. As discussed in bug 55364 (see there for more info), and as Eric insisted on yet another bug being opened for the "enhancement request", please implement the following enhancement. 1) Users should be able to control what happens, when someone connects to a https port, but doesn't speak TLS/SSL. Right now, a HTTP 0.9 response and HTML is sent, which is problematic due to not having even a Status code that indicates error. If any RFC don't suggest anything else, I'd say that the best solution of handling such a situation is simply closing the TCP connection, perhaps sending some SSL/TLS error notification if that exists. Anything else, might even be a security problem, when the client interprets the content (which doesn't even have a Content-Type). 2) Due to the (to my knowledge) non-standardish behaviour in sending a HTTP/HTML response in that situation,... and due to possible security issues with that, one can easily think of,... the "new" behaviour of responding nothing (or an SSL/TLS error indicator - if such thing exists) should be made default. Cheers, Chris. PS: In principle the proper severity for this is rather major, since it might have security implications.