SSL and HTTP 0.9
Igor Sysoev
is at rambler-co.ru
Sat Dec 1 13:57:50 MSK 2007
On Sat, Dec 01, 2007 at 11:15:47AM +0100, Manlio Perillo wrote:
> A user (symlynX) on the nginx IRC channel at Freenode reported that an
> HTTPS server returns unencrypted pages when a plain HTTP 0.9 request is
> received.
>
> He claims that this is a security problem, but I disagree (since when
> ssl_verify_client is enabled, nginx correctly returns an error), however
> I'm just curious to know why nginx behaves in this way.
Yes, I do not consider it a security bug, it's a usual bug.
The attached patch fixes it.
--
Igor Sysoev
http://sysoev.ru/en/
-------------- next part --------------
Index: src/http/ngx_http_request.c
===================================================================
--- src/http/ngx_http_request.c (revision 995)
+++ src/http/ngx_http_request.c (working copy)
@@ -1335,13 +1335,6 @@
return NGX_ERROR;
}
- if (r->plain_http) {
- ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
- "client sent plain HTTP request to HTTPS port");
- ngx_http_finalize_request(r, NGX_HTTP_TO_HTTPS);
- return NGX_ERROR;
- }
-
if (r->headers_in.connection_type == NGX_HTTP_CONNECTION_KEEP_ALIVE) {
if (r->headers_in.keep_alive) {
r->headers_in.keep_alive_n =
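Review bot: With the `r->plain_http` block removed from in front of the keep-alive handling, this function no longer rejects a plain HTTP request on an HTTPS port itself, so the rejection depends on every request path reaching the check added in the second hunk. Please confirm that nothing after this function's successful return can start a response without passing through that later check. The commit message should also say why the check was moved, given that the report was about HTTP 0.9 requests being answered unencrypted.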
@@ -1409,6 +1402,13 @@
c = r->connection;
+ if (r->plain_http) {
+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
+ "client sent plain HTTP request to HTTPS port");
+ ngx_http_finalize_request(r, NGX_HTTP_TO_HTTPS);
+ return;
+ }
+
#if (NGX_HTTP_SSL)
if (c->ssl) {
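Review bot: The added `if (r->plain_http)` block sits above `#if (NGX_HTTP_SSL)`, so it is compiled and evaluated in builds without SSL as well. If `plain_http` can only be set on an SSL listener, consider placing the block inside the `#if (NGX_HTTP_SSL)` region, next to `if (c->ssl)`. A one-line comment saying that the check lives here so that it also covers the HTTP 0.9 case from the report would document the placement. A regression test that sends a plain HTTP 0.9 request to the HTTPS port and expects the `NGX_HTTP_TO_HTTPS` error rather than page content would keep the behaviour from regressing.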