SSL and HTTP 0.9
Manlio Perillo
manlio_perillo at libero.it
Sat Dec 1 14:16:52 MSK 2007
Igor Sysoev wrote:
> On Sat, Dec 01, 2007 at 11:15:47AM +0100, Manlio Perillo wrote:
>
>> A user (symlynX) on the nginx IRC channel at Freenode reported that an
>> HTTPS server returns unencrypted pages when a plain HTTP 0.9 request is
>> received.
>>
>> He claims that this is a security problem, but I disagree (since when
>> ssl_verify_client is enabled, nginx correctly returns an error), however
>> I'm just curious to know why nginx behaves in this way.
>
> Yes, I do not consider it a security bug, it's a usual bug.
Ah, so it's actually a bug :).
> The attached patch fixes it.
>
Ok, tested.
Manlio Perillo