Bug 55458 - allow to configure what mod_ssl responds when one doesn't talk TLS/SSL to the port
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.5-HEAD
Hardware: All All
Importance: P2 enhancement
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2013-08-20 21:40 UTC by Christoph Anton Mitterer
Modified: 2013-08-20 21:40 UTC

Description Christoph Anton Mitterer 2013-08-20 21:40:11 UTC
Hi.

As discussed in bug 55364 (see there for more info), and as Eric insisted on yet another bug being opened for the "enhancement request", please implement the following enhancement.


1) Users should be able to control what happens when someone connects to an https port but doesn't speak TLS/SSL.

Right now, an HTTP 0.9 response and HTML is sent, which is problematic due to not even having a status code that indicates an error.

If the RFCs don't suggest anything else, I'd say that the best way of handling such a situation is simply closing the TCP connection, perhaps sending some SSL/TLS error notification if that exists.

Anything else might even be a security problem when the client interprets the content (which doesn't even have a Content-Type).


2) Due to the (to my knowledge) non-standardish behaviour of sending an HTTP/HTML response in that situation, and due to the possible security issues with that which one can easily think of, the "new" behaviour of responding with nothing (or an SSL/TLS error indicator, if such a thing exists) should be made the default.


Cheers,
Chris.

PS: In principle the proper severity for this is rather major, since it might have security implications.
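
The outcomes the report distinguishes (a bare HTTP/0.9-style HTML body, a TLS-level error, or a silent close) can be told apart from the first bytes a port sends back to a plaintext request. The following is an added example, not part of the original report or of httpd; `classify_reply` and the sample byte strings are constructed for illustration.

```python
import re

# TLS record content types (RFC 5246, section 6.2.1)
TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3})(?: [^\r\n]*)?\r?\n")

# Constructed samples (not captured from a real server).
SAMPLE_HTTP09 = (b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
                 b"<html><head>\n<title>400 Bad Request</title>\n</head></html>\n")
SAMPLE_ALERT = bytes([21, 3, 1, 0, 2, 2, 10])  # fatal(2) unexpected_message(10)
SAMPLE_400 = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n<html></html>"


def classify_reply(data: bytes) -> dict:
    """Classify what a TLS port sent back after receiving a plaintext HTTP request."""
    if not data:
        return {"kind": "closed"}  # connection closed, nothing sent

    # TLS record header: type(1) | major(1) == 3 | minor(1) | length(2)
    if len(data) >= 5 and data[0] in TLS_TYPES and data[1] == 3 and data[2] <= 4:
        info = {"kind": "tls_record", "type": TLS_TYPES[data[0]]}
        length = int.from_bytes(data[3:5], "big")
        if data[0] == 21 and length == 2 and len(data) >= 7:
            info["alert_level"] = data[5]
            info["alert_description"] = data[6]
        return info

    match = STATUS_LINE.match(data)
    if match:
        head = data.split(b"\r\n\r\n", 1)[0].lower()
        return {"kind": "http_with_status",
                "status": int(match.group(1)),
                "has_content_type": b"\r\ncontent-type:" in head}

    # No status line and no headers: the client gets a bare body with
    # neither an error code nor a Content-Type to guide interpretation.
    start = data[:512].lower()
    return {"kind": "http09_body",
            "looks_like_html": b"<html" in start or b"<!doctype" in start}


if __name__ == "__main__":
    for name, sample in [("http09", SAMPLE_HTTP09), ("alert", SAMPLE_ALERT),
                         ("http400", SAMPLE_400), ("closed", b"")]:
        print(name, classify_reply(sample))
```
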