[Bug 61519] New: "SSLEngine optional" and http:// redirects if trailing slash in the url is missing


[Bug 61519] New: "SSLEngine optional" and http:// redirects if trailing slash in the url is missing

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61519

            Bug ID: 61519
           Summary: "SSLEngine optional" and http:// redirects if trailing
                    slash in the url is missing
           Product: Apache httpd-2
           Version: 2.4.27
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

* /cms/ is a physical folder
* user missed the trailing /
* while the request was https:// the redirect goes to http://
* in case a script has a check and redirects non-https to https -> endless-loop

<VirtualHost *:80 *:443>
 DocumentRoot "/www/contentlounge"
 ServerName contentlounge.rhsoft.net
 SSLEngine optional
 SSLCertificateFile "conf/ssl/rhsoft.net.pem"
</VirtualHost>

[harry@srv-rhsoft:~]$ curl --head --insecure https://contentlounge/cms
HTTP/1.1 301 Moved Permanently
Date: Thu, 14 Sep 2017 09:40:27 GMT
X-DNS-Prefetch-Control: off
X-Content-Type-Options: nosniff
X-Response-Time: D=1311 us
Location: http://contentlounge/cms/
Cache-Control: max-age=0
Expires: Thu, 14 Sep 2017 09:40:27 GMT
Content-Type: text/html; charset=iso-8859-1

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


[Bug 61519] "SSLEngine optional" and http:// redirects if trailing slash in the url is missing


--- Comment #1 from Reindl Harald <[hidden email]> ---
my connection is for sure https:// because of the mod_rewrite and finally HSTS

phpinfo():
SERVER_PORT     80

<VirtualHost *:80 *:443>
 ServerName www.rhsoft.net
 SSLEngine Optional
 SSLUseStapling On
 SSLCertificateFile "certs/rhsoft-www.conf_rsa.pem"
 SSLCertificateFile "certs/rhsoft-www.conf_ecdsa.pem"
 <IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
 </IfModule>
 <IfModule mod_headers.c>
  Header always set "Strict-Transport-Security" "max-age=31536000"
 </IfModule>
</VirtualHost>



[Bug 61519] "SSLEngine optional" and http:// redirects if trailing slash in the url is missing


Reindl Harald <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |critical



[Bug 61519] "SSLEngine optional" and http:// redirects if trailing slash in the url is missing


--- Comment #2 from Reindl Harald <[hidden email]> ---
can we PLEASE get this bug fixed since its root cause has a lot of
implications

in PHP header('Location: /something.php'); on a site where you already are
connected via https:// also leads in httpd to a redirect to
http://example.com/something.php with all sorts of troubles

i can reproduce this issue every single day when logging into a demo-cms on my
machine, the bookmark is https://, i just add cms/ to the URL which redirects to
the login-page and voila you lose your https-url



[Bug 61519] "SSLEngine optional" and http:// redirects if trailing slash in the url is missing


Eric Covener <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #3 from Eric Covener <[hidden email]> ---
Tried to look at this, but curl couldn't access my 'SSLEngine optional'
vhost over https.  Evidently 'SSLEngine optional' is meant to allow HTTPS
upgrade over HTTP, not just optionally doing normal TLS on the connection.

Some trick in your environment or envvar that influences curl?



[Bug 61519] "SSLEngine optional" and http:// redirects if trailing slash in the url is missing


--- Comment #4 from Reindl Harald <[hidden email]> ---
nothing special here, a lot of vhosts configured that way on Fedora 26 / Fedora
27 and it works also for any client as well as https://www.ssllabs.com/ssltest/

curl-7.55.1-10.fc27.x86_64
openssl-1.1.0g-1.fc27.x86_64
httpd-2.4.33-3.0.fc27.20180321.rh.sandybridge.x86_64
apr-1.6.3-6.0.fc27.20180318.rh.sandybridge.x86_64
apr-util-1.6.1-4.0.fc27.20180318.rh.sandybridge.x86_64



[Bug 61519] "SSLEngine optional" and http:// redirects if trailing slash in the url is missing


--- Comment #5 from Eric Covener <[hidden email]> ---
(In reply to Reindl Harald from comment #4)
> nothing special here, a lot of vhosts configured that way on Fedora 26 /
> Fedora 27 and it works also for any client as well as
> https://www.ssllabs.com/ssltest/
>
> curl-7.55.1-10.fc27.x86_64
> openssl-1.1.0g-1.fc27.x86_64
> httpd-2.4.33-3.0.fc27.20180321.rh.sandybridge.x86_64
> apr-1.6.3-6.0.fc27.20180318.rh.sandybridge.x86_64
> apr-util-1.6.1-4.0.fc27.20180318.rh.sandybridge.x86_64

Are you certain you're hitting the listed config and TLS isn't terminated
somewhere else?  related but separately helpful, can you add a unique access
log to that vhost and append this to your logformat:

Host=%{Host}i localport=%{local}p L=%{Location}o Via=%{Via}i

to whatever your current logformat is?



[Bug 61519] "SSLEngine optional" and http:// redirects if trailing slash in the url is missing


--- Comment #6 from Reindl Harald <[hidden email]> ---
i can remember that you need at least *one* default host with "SSLEngine On" to
make mod_ssl initialize correctly and the others then can be combined ones

[root@srv-rhsoft:~]$ cat conf/sites_enabled/0000-default.conf
# letsencrypt-managed
<VirtualHost _default_:80>
 <Location />
  Require all denied
 </Location>
 <Location /.well-known>
  Require all granted
 </Location>
</VirtualHost>
<VirtualHost _default_:443>
 ServerName default.local.rhsoft.net
 ServerAlias default.rh.thelounge.net
 SSLCertificateFile "/var/lib/letsencrypt/certs/0000-default.conf_rsa.pem"
 SSLCertificateFile "/var/lib/letsencrypt/certs/0000-default.conf_ecdsa.pem"
 SSLEngine On
 <Location />
  Require all denied
 </Location>
 <Location /.well-known>
  Require all granted
 </Location>
</VirtualHost>


i am 100% certain because i am the one-man-show serveradmin for the whole stack
from switches over virtualization down to the php software running on top



[Bug 61519] "SSLEngine optional" and http:// redirects if trailing slash in the url is missing


--- Comment #7 from Reindl Harald <[hidden email]> ---
practical example:

the folder /cms/ contains a "index.php" with header('Location: ../cms.php');

when you call the url with the trailing slash the relative redirect is
sent as-is to the client and all is fine

without the trailing slash the typical httpd-redirect-behavior when calling
folders without a trailing slash is triggered and since httpd doesn't "know"
correctly about port/protocol somewhere deep inside it redirects to http://

one could now say RFC mandates a fully-qualified redirect but the nature of
this bug makes this impossible because server-variables like
$_SERVER['SERVER_PORT'] give 80 instead of 443 to the script, so it's not even
possible to form a fully-qualified URL within scripts

[harry@srv-rhsoft:~]$ curl --head https://local.rhsoft.net/cms/
HTTP/1.1 302 Found
Date: Thu, 22 Mar 2018 11:54:17 GMT
Location: ../cms.php
X-Content-Type-Options: nosniff
X-Response-Time: D=2584 us
Cache-Control: no-cache, no-store
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=ISO-8859-1

[harry@srv-rhsoft:~]$ curl --head https://local.rhsoft.net/cms
HTTP/1.1 301 Moved Permanently
Date: Thu, 22 Mar 2018 11:54:32 GMT
Location: http://local.rhsoft.net/cms/
Content-Type: text/html; charset=iso-8859-1



[Bug 61519] "SSLEngine optional" and http:// redirects if trailing slash in the url is missing


--- Comment #8 from Eric Covener <[hidden email]> ---
> this bug makes this impossible because server-variables like
> $_SERVER['SERVER_PORT'] give 80 instead of 443 to the script, so it's not even
> possible to form a fully-qualified URL within scripts

yes, lots of stuff doesn't work with this unusual config.  Is it worth putting
*:80 in the same VHost?



[Bug 61519] "SSLEngine optional" and http:// redirects if trailing slash in the url is missing


--- Comment #9 from Reindl Harald <[hidden email]> ---
it IS worth it when you have some hundreds of virtual hosts on dozens of machines
which all have php_admin_value settings for open_basedir and so on and as we do
migrate to everything-encrypted with letsencrypt certificates

as you need to listen at port 80 even when you send HSTS headers and redirect
after the first non-ssl connection this would mean 500 additional cloned
<VirtualHost> definitions

in our case we decide via DNS if a domain goes over the TLS-offloading proxy or
if it is a low-traffic site directly to the apache server and so every
<VirtualHost> contains the construct below

 <IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{CONN_REMOTE_ADDR} !^proxy-lan-ip
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
 </IfModule>

proxy-configuration is generated based on parsed vhost-config-files from the
origins - including a look at that redirect stuff to make the decision if the
proxy itself should redirect to https before contacting the origin at all

you *really* don't want to deal with hundreds of cloned VirtualHost-definitions
or even worse with special treatment instead of such a unified "fits all"
configuration



[Bug 61519] "SSLEngine optional" and http:// redirects if trailing slash in the url is missing


Reindl Harald <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #10 from Reindl Harald <[hidden email]> ---
httpd has a completely split brain here


Apache Environment from phpinfo():
HTTPS on
SSL_TLS_SNI local.rhsoft.net
HTTP_HOST local.rhsoft.net
SERVER_NAME local.rhsoft.net
SERVER_PORT 80
REQUEST_SCHEME http

focus on the "HTTPS" which is correct versus the wrong "SERVER_PORT" and
"REQUEST_SCHEME" - this makes it possible to put some hacks in php-libraries
and overwrite it so that most scripts behave correctly

but you can't hack the wrong redirect to http:// when one tries to access a
folder without the trailing slash because that redirect is done by httpd itself
and finally you have a *real problem* in your client because properly sent cookies
with secure-flags are gone, logins don't work, you don't realize that you
unintentionally switched to unencrypted and that leads to support calls for
every single vhost which gets migrated to dual-stack and letsencrypt

you *clearly* know the fact it's https, so REQUEST_SCHEME is easy to fix and
you know the incoming port from the network layer - frankly there is no sane
reason to get that wrong and set it to 80 when the client is connected to 443



[Bug 61519] "SSLEngine optional" and http:// redirects if trailing slash in the url is missing


--- Comment #11 from Eric Covener <[hidden email]> ---
(In reply to Reindl Harald from comment #10)

> HTTPS on
> REQUEST_SCHEME http

To recap, when you handshake with an "SSLEngine on" vhost then your request is
handled by an "SSLEngine optional" (which means starttls) vhost, these two
variables disagree and redirects send you to http://.

The former is set by ssl_hook_Fixup and looks for the SSL connection-level
config if the vhost has "sslengine optional".

The bits that go into fully-qualifying a redirect do not look to see if SSL is
currently active on the config:


/* mod_ssl: scheme hook, only "SSLEngine on" claims https */
static const char *ssl_hook_http_scheme(const request_rec *r)
{
    SSLSrvConfigRec *sc = mySrvConfig(r->server);

    if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) {
        return NULL;
    }

    return "https";
}

/* mod_ssl: default-port hook, only "SSLEngine on" claims 443 */
static apr_port_t ssl_hook_default_port(const request_rec *r)
{
    SSLSrvConfigRec *sc = mySrvConfig(r->server);

    if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) {
        return 0;
    }

    return 443;
}


I don't know if those decisions make sense for actual "SSLengine optional"
which is starttls, not simultaneous SSL and non-SSL.  It looks like you've
misunderstood "SSLEngine optional" and are saving a few lines of copy/paste to
use a broken configuration.  Maybe a different "optional" value is needed to
allow opt-in to this alt behavior for an obscure config.

Maybe someone else feels more confident about the safety and more willing to
put up with reading your unnecessarily dramatic updates.

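The split Eric describes, modelled as an added example (not httpd's or mod_ssl's code): the two hooks above decline for an "optional" vhost, the core then falls back to http/80 when it builds an absolute Location, and the port from the Host: header wins over the default. The reduced request_rec, the fallback model and the connection-aware variant are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Values of the per-vhost SSLEngine directive (names as in mod_ssl). */
typedef enum { SSL_ENABLED_FALSE, SSL_ENABLED_TRUE, SSL_ENABLED_OPTIONAL } ssl_enabled_t;

/* Stand-in for request_rec, reduced to the fields this model needs (assumption). */
typedef struct {
    ssl_enabled_t vhost_ssl; /* SSLEngine value of the vhost handling the request */
    int conn_is_tls;         /* did the accepted connection itself negotiate TLS? */
    const char *host_header; /* Host: header value, optionally with ":port" */
} request_rec;

/* Vhost-only decision, mirroring the two hooks quoted in comment #11:
 * "optional" declines (NULL / 0), so the core later falls back to http / 80. */
static const char *scheme_hook_vhost(const request_rec *r)
{
    if (r->vhost_ssl == SSL_ENABLED_FALSE || r->vhost_ssl == SSL_ENABLED_OPTIONAL)
        return NULL;
    return "https";
}

static unsigned short port_hook_vhost(const request_rec *r)
{
    return scheme_hook_vhost(r) != NULL ? 443 : 0;
}

/* Hypothetical connection-aware variant (not httpd code): an "optional" vhost
 * answers from the connection's TLS state instead of declining. */
static const char *scheme_hook_conn(const request_rec *r)
{
    if (r->vhost_ssl == SSL_ENABLED_TRUE) return "https";
    if (r->vhost_ssl == SSL_ENABLED_OPTIONAL && r->conn_is_tls) return "https";
    return NULL;
}

static unsigned short port_hook_conn(const request_rec *r)
{
    return scheme_hook_conn(r) != NULL ? 443 : 0;
}

/* Model of how the core fully-qualifies a redirect: scheme from the hook
 * (default "http"), port from the Host: header when present (it "wins", see
 * comment #13), otherwise the hook's default (default 80); a port equal to
 * the default is omitted. IPv6 literal hosts are not handled here. */
static char *construct_url(const request_rec *r, const char *path,
                           int connection_aware, char *out, size_t outlen)
{
    const char *scheme = connection_aware ? scheme_hook_conn(r) : scheme_hook_vhost(r);
    unsigned short defport = connection_aware ? port_hook_conn(r) : port_hook_vhost(r);
    char host[256];
    const char *colon = strrchr(r->host_header, ':');
    unsigned short port;

    if (scheme == NULL) scheme = "http";
    if (defport == 0) defport = 80;

    if (colon != NULL) {
        size_t n = (size_t)(colon - r->host_header);
        if (n >= sizeof host) n = sizeof host - 1;
        memcpy(host, r->host_header, n);
        host[n] = '\0';
        port = (unsigned short)atoi(colon + 1);
    } else {
        snprintf(host, sizeof host, "%s", r->host_header);
        port = defport;
    }

    if (port == defport)
        snprintf(out, outlen, "%s://%s%s", scheme, host, path);
    else
        snprintf(out, outlen, "%s://%s:%u%s", scheme, host, (unsigned)port, path);
    return out;
}

/* Defender's check: would a request that arrived over TLS be sent to http://? */
static int redirect_downgrades(const request_rec *r, const char *path, int connection_aware)
{
    char buf[512];
    construct_url(r, path, connection_aware, buf, sizeof buf);
    return r->conn_is_tls && strncmp(buf, "http://", 7) == 0;
}
```

With the vhost-only hooks, a TLS request for /cms on an "optional" vhost yields exactly the `Location: http://local.rhsoft.net/cms/` seen in comment #7; the connection-aware variant keeps https.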


[Bug 61519] "SSLEngine optional" and http:// redirects if trailing slash in the url is missing


--- Comment #12 from Reindl Harald <[hidden email]> ---
i doubt that "SSLengine optional" is STARTTLS, for sure not when you type
https:// in your browser - anyways, irrelevant, the port is just plain wrong
because with https:// the browser definitely doesn't connect to port 80 at all

the redirect to http:// because of a missing trailing slash when you call a
directory with a DirectoryIndex-file is wrong when "HTTPS on" is known

and this all is a real problem because it introduces all sorts of hidden
troubles and currently the only solution would be to configure the whole
<VirtualHost> twice which doesn't scale for larger setups

i don't know the internals but they should not be that complex to begin with
that in this context any problems can be triggered when a client just calls
"https://example.com/myfolder" because the fact that it was https is obviously
known, the port itself is known on the network layer and REQUEST_SCHEME is
pretty simply known by the fact that "HTTPS on" is correct

what happens when you have <VirtualHost *:80 *:81 *:82> without https part of
the game? does then also 80 "win" and why, when it's pretty simple to know the
port by the fact that there is a socket connection and config-guessing is
pretty useless because of that



[Bug 61519] "SSLEngine optional" and http:// redirects if trailing slash in the url is missing


--- Comment #13 from Eric Covener <[hidden email]> ---
(In reply to Reindl Harald from comment #12)
> i doubt that "SSLengine optional" is STARTTLS, for sure not when you type
> https:// in your browser - anyways, irrelevant, the port is just plain wrong
> because with https:// the browser definitely doesn't connect to port 80 at all

The manual says it's for starttls, which you're not using, but it's what makes
the absolute basics of your specific config appear to work until a redirect is
generated.

> and this all is a real problem because it introduces all sorts of hidden
> troubles and currently the only solution would be to configure the whole
> <VirtualHost> twice which doesn't scale for larger setups

It works for nearly everyone else.

>
> i don't know the internals but they should not be that complex to begin with
> that in this context any problems can be triggered when a client just calls
> "https://example.com/myfolder" because the fact that it was https is
> obviously known, the port itself is known on the network layer and
> REQUEST_SCHEME is pretty simply known by the fact that "HTTPS on" is correct


In the context of STARTTLS it seems reasonable. Optional was poorly named, but
it was clearly never meant to be used for requests that already negotiated SSL
at the connection level (in a default vhost).


> what happens when you have <VirtualHost *:80 *:81 *:82> without https part
> of the game? does then also 80 "win" and why, when it's pretty simple to know
> the port by the fact that there is a socket connection and config-guessing
> is pretty useless because of that

No, the port or absence of a port in the Host: header "wins".  Even getting the
port right is surprisingly not as simple as you'd think.



[Bug 61519] "SSLEngine optional" and http:// redirects if trailing slash in the url is missing


--- Comment #14 from Reindl Harald <[hidden email]> ---
> It works for nearly everyone else

that's just an opinion - "nearly everyone else" doesn't look at the details and
mostly doesn't figure out from where random problems are coming or configures for
600 domains 1200 vhosts like a trained monkey

that scaled in times when you had a few https hosts because you needed time and
money for the certs but not now when Google announced that Chrome will start to
warn on every non-https page

anyways, i still need to see any client that is using STARTTLS you are talking
the whole time about for http - when you type "https://example.com/directory"
there is no STARTTLS at all

at least your definition of STARTTLS is not compatible with the rest of the
world and protocols like IMAP/POP3/SMTP where STARTTLS is always the default
service port and TLS/SSL is a different port - no browser is using anything
like that on Port 443 and we are not talking about anything similar when the
server listens on 443 and you type https:// in your client - port 80 is not
part of the game at all

> Even getting the port right is surprisingly not as simple as you'd think

why? i can't imagine anything simpler for a server than to determine the port
the client connected to



[Bug 61519] "SSLEngine optional" and http:// redirects if trailing slash in the url is missing


--- Comment #15 from Eric Covener <[hidden email]> ---
> anyways, i still need to see any client that is using STARTTLS you are
> talking the whole time about for http - when you type
> "https://example.com/directory" there is no STARTTLS at all

The whole point is that you're using a configuration for STARTTLS but not using
STARTTLS.



[Bug 61519] "SSLEngine optional" and http:// redirects if trailing slash in the url is missing


--- Comment #16 from Reindl Harald <[hidden email]> ---
even if - how does that justify a redirect from https://example.com/cms to
http://example.com/cms/ which is a *downgrade* to unencrypted instead of an
*upgrade* to TLS



[Bug 61519] "SSLEngine optional" and http:// redirects if trailing slash in the url is missing


--- Comment #17 from Eric Covener <[hidden email]> ---
(In reply to Reindl Harald from comment #16)
> even if - how does that justify a redirect from https://example.com/cms to
> http://example.com/cms/ which is a *downgrade* to unencrypted instead of an
> *upgrade* to TLS

I assume STARTTLS would be used on an http port. So the other end is supposed
to continue using the upgraded connection or open and upgrade a new one. If you
just wanted them to connect over TLS to port 443 you wouldn't bother with
explicitly enabling STARTTLS.



[Bug 61519] "SSLEngine optional" and http:// redirects if trailing slash in the url is missing


--- Comment #18 from Reindl Harald <[hidden email]> ---
> If you just wanted them to connect over TLS to port 443 you
> wouldn't bother with explicitly enabling STARTTLS

the whole point of the config is to have one instead of two mostly redundant
<VirtualHost> and it works well besides a few issues

the redirect we are talking about here is this:
https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryslash

and *no* there is no valid reason when "HTTPS on" is correctly set within httpd
that this redirect goes to http:// - would you please stop arguing about STARTTLS
which is *not* the topic at all
