SSL and HTTP 0.9

Igor Sysoev is at rambler-co.ru
Sat Dec 1 13:57:50 MSK 2007


On Sat, Dec 01, 2007 at 11:15:47AM +0100, Manlio Perillo wrote:

> A user (symlynX) on the nginx IRC channel at Freenode reported that an 
> HTTPS server returns unencrypted pages when a plain HTTP 0.9 request is 
> received.
> 
> He claims that this is a security problem, but I disagree (since when 
> ssl_verify_client is enabled, nginx correctly returns an error), however 
> I'm just curious to know why nginx behaves in this way.

Yes, I do not consider it a security bug; it's a usual bug.
The attached patch fixes it.


-- 
Igor Sysoev
http://sysoev.ru/en/
-------------- next part --------------
Index: src/http/ngx_http_request.c
===================================================================
--- src/http/ngx_http_request.c	(revision 995)
+++ src/http/ngx_http_request.c	(working copy)
@@ -1335,13 +1335,6 @@
         return NGX_ERROR;
     }
 
-    if (r->plain_http) {
-        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
-                      "client sent plain HTTP request to HTTPS port");
-        ngx_http_finalize_request(r, NGX_HTTP_TO_HTTPS);
-        return NGX_ERROR;
-    }
-
     if (r->headers_in.connection_type == NGX_HTTP_CONNECTION_KEEP_ALIVE) {
         if (r->headers_in.keep_alive) {
             r->headers_in.keep_alive_n =
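Review bot: on its own this hunk removes the only plain-HTTP-on-HTTPS check, so it is correct only together with the hunk that reinstates it further down; the two should land as one change. The removed block sits in the request-header processing (the keep-alive handling that follows it is the tell), and an HTTP/0.9 request carries no headers, so that pass is never run for it and the check was skipped for exactly the case reported on IRC. A one-line note to that effect in the commit message would save the next reader the archaeology.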
@@ -1409,6 +1402,13 @@
 
     c = r->connection;
 
+    if (r->plain_http) {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                      "client sent plain HTTP request to HTTPS port");
+        ngx_http_finalize_request(r, NGX_HTTP_TO_HTTPS);
+        return;
+    }
+
 #if (NGX_HTTP_SSL)
 
     if (c->ssl) {
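Review bot: two things to confirm for the reinstated check. First, it now sits before `#if (NGX_HTTP_SSL)`, so `r->plain_http` must be declared unconditionally for a non-SSL build to compile; the old location at line 1335 was also outside any SSL guard, so this is fine as long as the struct has not changed, but worth a build without SSL. Second, `return;` replaces the old `return NGX_ERROR;` because this function is void, so check that no caller expects a status after `ngx_http_finalize_request(r, NGX_HTTP_TO_HTTPS)` here. Please add a test that sends `GET /\r\n` (HTTP/0.9) in cleartext to an SSL listener and confirms the NGX_HTTP_TO_HTTPS response instead of a cleartext page, since that is the path the previous location never saw.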


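The thread does not spell out why an HTTP/0.9 request slipped past the check, so here is a small Python model of the two request paths, written for this page and not taken from nginx. It encodes my reading of the patch: the old check lived in header processing, which nginx skips for HTTP/0.9 requests because they have no headers, and the patch moves it to the common processing step that every request reaches. Function names, the `tls`/`ssl_listener`/`patched` flags and the request samples are constructed for the model; the 497 status is nginx's NGX_HTTP_TO_HTTPS value.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# nginx's status for "plain HTTP request sent to HTTPS port" (NGX_HTTP_TO_HTTPS).
NGX_HTTP_TO_HTTPS = 497


@dataclass
class Request:
    method: bytes
    uri: bytes
    http_version: int   # 9 for HTTP/0.9, 10 for HTTP/1.0, 11 for HTTP/1.1
    plain_http: bool    # a cleartext byte stream arrived on an SSL listener


def parse_request_line(raw: bytes, plain_http: bool) -> Request:
    """Parse only the request line; an HTTP/0.9 line has no version token."""
    line = raw.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) == 2:
        return Request(parts[0], parts[1], 9, plain_http)
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        major, minor = parts[2][5:].split(b".")
        return Request(parts[0], parts[1], int(major) * 10 + int(minor), plain_http)
    raise ValueError("bad request line")


def process_request_header(req: Request, check_here: bool) -> Optional[int]:
    """Header processing: where the check lived before the patch.

    Returns a status to finalize with, or None to keep going."""
    if check_here and req.plain_http:
        return NGX_HTTP_TO_HTTPS
    # Connection / keep-alive handling would follow here (omitted in the model).
    return None


def process_request(req: Request, check_here: bool) -> int:
    """Common processing: where the patch moves the check."""
    if check_here and req.plain_http:
        return NGX_HTTP_TO_HTTPS
    return 200


def serve(raw: bytes, tls: bool, ssl_listener: bool, patched: bool) -> Tuple[int, bool]:
    """Return (status, reply_is_encrypted) for a raw request on a listener.

    tls says whether the client actually completed a TLS handshake; on an SSL
    listener a cleartext stream sets plain_http, as nginx does (model assumption)."""
    plain_http = ssl_listener and not tls
    req = parse_request_line(raw, plain_http)
    status: Optional[int] = None
    # HTTP/0.9 requests carry no headers, so the header pass is skipped entirely.
    if req.http_version >= 10:
        status = process_request_header(req, check_here=not patched)
    if status is None:
        status = process_request(req, check_here=patched)
    return status, (ssl_listener and tls)


if __name__ == "__main__":
    # Constructed samples: the reported case is the HTTP/0.9 line on the SSL port.
    for label, raw, tls in [
        ("HTTP/0.9 cleartext", b"GET /\r\n", False),
        ("HTTP/1.0 cleartext", b"GET / HTTP/1.0\r\n\r\n", False),
        ("HTTP/1.1 over TLS", b"GET / HTTP/1.1\r\nHost: example\r\n\r\n", True),
    ]:
        before = serve(raw, tls, ssl_listener=True, patched=False)
        after = serve(raw, tls, ssl_listener=True, patched=True)
        print(f"{label:20s} before={before} after={after}")
```

The first line of output is the bug: before the patch the HTTP/0.9 request on the SSL listener is served with status 200 and `reply_is_encrypted` False, because the only check sat in a pass that request never entered; after the patch the same request is finalized with 497, while a real TLS client and a cleartext HTTP/1.0 client behave the same either way.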