
Thread: DO NOT REPLY New: - SSL: using connection: upgrade leaves plaintext from PHP in reply




DO NOT REPLY New: - SSL: using connection: upgrade leaves plaintext from PHP in reply
2006-12-22 05:59:47
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41231>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41231

           Summary: SSL: using connection: upgrade leaves plaintext from PHP in reply
           Product: Apache httpd-2
           Version: 2.2.3
          Platform: PC
        OS/Version: Linux
            Status: UNCONFIRMED
          Keywords: TryAgain
          Severity: major
          Priority: P3
         Component: mod_ssl
        AssignedTo: bugshttpd.apache.org
        ReportedBy: michaelmaxspot.de


I'm issuing a request:

GET /index.php HTTP/1.1
Host: localhost
Upgrade: TLS/1.0
Connection: upgrade

And my client crashes because it can't parse the plaintext given back by index.php (which contains <?php for ($i = 0; $i < 10; $i++) echo "foobar"; ?>).
In strace it's clearly visible:
[pid 16349] recv(8,
"2431112631000f212W33527316L35235730
5432204311376
264a4l367017303e224202370!36127131132036035621
0ZN255w314
~351377=}250irfoobarfoobarfoobarfoobarfoobarfoobarfoobarf
oobarfoobarfoobar",
2048, 0) = 119

If an OPTION * HTTP/1.1-request is sent before, it correctly switches and processes the next request.

You can reproduce it by using tlsupgrade.c:
Get http://people.apache.org/~bnicholes/tlsupgrade/tlsupgrade.c
Compile it with gcc -lssl -o tlsupgrade tlsupgrade.c
Run it using: strace -s 2048 ./tlsupgrade http://localhost/index.php

SSLEngine needs to be set to optional for the vhost (on port 80).

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the
assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribehttpd.apache.org
For additional commands, e-mail: bugs-helphttpd.apache.org
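
A test client can detect the failure reported above (cleartext script output arriving on a connection it expects to be TLS) by checking that every byte received after the upgrade is framed as a TLS record. The following is an added example, not code from tlsupgrade.c or httpd; the function name, the enum and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

enum tls_scan { TLS_SCAN_CLEAN, TLS_SCAN_TRUNCATED, TLS_SCAN_NOT_TLS };

/* Walk buf as TLS records (1-byte content type, 2-byte version, 2-byte
 * big-endian length, then the fragment). *off receives the offset of the
 * first byte not covered by a complete, well-formed record. */
enum tls_scan tls_scan_records(const unsigned char *buf, size_t len, size_t *off)
{
    size_t pos = 0;
    while (pos < len) {
        size_t left = len - pos, reclen;
        *off = pos;
        /* 20 change_cipher_spec, 21 alert, 22 handshake, 23 application_data */
        if (buf[pos] < 20 || buf[pos] > 23)
            return TLS_SCAN_NOT_TLS;
        if (left < 5)
            return TLS_SCAN_TRUNCATED;      /* header split across reads */
        if (buf[pos + 1] != 3)              /* SSL 3.0 and TLS 1.x: major 3 */
            return TLS_SCAN_NOT_TLS;
        reclen = ((size_t)buf[pos + 3] << 8) | buf[pos + 4];
        if (reclen > 16384 + 2048)          /* TLS 1.0 ciphertext length limit */
            return TLS_SCAN_NOT_TLS;
        if (reclen > left - 5)
            return TLS_SCAN_TRUNCATED;      /* fragment continues in next read */
        pos += 5 + reclen;
    }
    *off = pos;
    return TLS_SCAN_CLEAN;
}

/* Constructed sample: one 4-byte application_data record, then cleartext. */
static const unsigned char sample[] = {
    0x17, 0x03, 0x01, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef,
    'f', 'o', 'o', 'b', 'a', 'r', 'f', 'o', 'o', 'b', 'a', 'r'
};

int main(void)
{
    size_t off;
    if (tls_scan_records(sample, sizeof sample, &off) == TLS_SCAN_NOT_TLS) {
        printf("non-TLS bytes at offset %zu: %.6s...\n", off, (const char *)sample + off);
        return 1;
    }
    puts("buffer is TLS-framed throughout");
    return 0;
}
```

A `TLS_SCAN_TRUNCATED` result only means more data is needed; `TLS_SCAN_NOT_TLS` after the handshake has started is the condition worth failing a regression test on.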

DO NOT REPLY - SSL: using connection: upgrade leaves plaintext from PHP in reply
2007-11-06 09:03:31
http://issues.apache.org/bugzilla/show_bug.cgi?id=41231


jortonredhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




------- Additional Comments From jortonredhat.com  2007-11-06 07:03 -------
Fixed on trunk:  http://svn.apache.org/viewvc?view=rev&revision=592446


