Bug 44907 - SSL 400 Bad Request with no status and headers
Status: RESOLVED WONTFIX
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.2.8
Hardware: Sun Solaris
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2008-04-30 01:32 UTC by Christian Liesch
Modified: 2008-08-06 08:03 UTC

Description Christian Liesch 2008-04-30 01:32:36 UTC
If I send plain HTTP to an SSL-enabled vhost, the expected 400 Bad Request answer does not have any HTTP headers or a status line; only the HTML is sent.

Request:
GET /foobar HTTP/1.1 
Host: localhost  

Response:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />
<blockquote>Hint: <a href="https://xxx:yyy/"><b>https://xxx:yyy/</b></a></blockquote></p>
</body></html> OK
Comment 1 Christian Liesch 2008-04-30 05:14:10 UTC
I think the problem is that mod_ssl consumes the bytes before it sees that this is not SSL. As soon as it detects something other than SSL, it puts a dummy bucket with "GET /" into the bucket brigade.

This "GET /" leads to r->assbackwards == 1, which means HTTP/0.9. In this case, no headers at all is not wrong behaviour.
Comment 2 Joe Orton 2008-08-06 08:03:11 UTC
Yeah.  It's an 80% solution; browsers will grok that response as HTML anyway, but if they don't, well, sending them an SSL alert would have confused them just as much.
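
The behaviour discussed in this report, as an added example (not code from the report or from mod_ssl): a request line with no protocol token, such as the "GET /" from comment 1, is an HTTP/0.9 simple request, and a probe or health check reading the port has to tell the resulting headerless body apart from a framed HTTP response or a TLS record. The function names and sample byte strings are constructed for illustration.

```python
import re

# Constructed sample: what the client in the description reads back
# (body only, no status line, no headers).
HEADERLESS = (b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
              b"<html><head>\n<title>400 Bad Request</title>\n</head><body>\n"
              b"<p>Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />\n"
              b"</p></body></html>\n")
# Constructed sample: a normally framed HTTP/1.1 error response.
FRAMED = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n<html></html>"
# Constructed sample: TLS alert record (type 21, version 3.1, fatal handshake_failure).
TLS_ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28])

STATUS_LINE = re.compile(rb"^HTTP/(\d)\.(\d) (\d{3})(?: [^\r\n]*)?\r?\n")
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+)(?: HTTP/(\d+)\.(\d+))?$")


def request_version(line):
    """Return (major, minor) for a request line. A line without a protocol
    token ("GET /") is an HTTP/0.9 simple request, answered without headers."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        raise ValueError("malformed request line")
    if m.group(3) is None:
        return (0, 9)
    return (int(m.group(3)), int(m.group(4)))


def classify_response(raw):
    """Classify the first bytes read from a server port."""
    m = STATUS_LINE.match(raw)
    if m:
        return ("http", int(m.group(3)))
    # TLS record header: content type 20-23 followed by major version 3.
    if len(raw) >= 5 and raw[0] in (20, 21, 22, 23) and raw[1] == 3:
        return ("tls-record", raw[0])
    # The headerless error page is recognisable only by its body text.
    if b"speaking plain HTTP to an SSL-enabled server port" in raw:
        return ("http/0.9-body", 400)
    if raw.lstrip()[:1] == b"<":
        return ("http/0.9-body", None)
    return ("unknown", None)
```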