
Re: minor nit in mod_ssl


Correct, but the issue is that as an admin you do not always get the error page that a client sees and you have to search for the cause without it.
Especially in this case, as non-SNI clients are often not browsers but non-interactive programs.

Regards

Rüdiger

> -----Original Message-----
> From: Stefan Eissing <stefan.eissing@xxxxxxxxxxxxx>
> Sent: Thursday, 20 September 2018 11:46
> To: dev@xxxxxxxxxxxxxxxx
> Subject: Re: minor nit in mod_ssl
> 
> I am not opposed. However, there is an explanation added to the request
> error notes, which normally appears in the 403 response if I am not
> mistaken?
> 
> -Stefan
> 
> > On 20.09.2018 at 11:40, Plüm, Rüdiger, Vodafone Group <ruediger.pluem@xxxxxxxxxxxx> wrote:
> >
> > Can we have it set to info? Debug is very verbose for SSL just to find out why an HTTP request was replied to with a 403.
> >
> > Regards
> >
> > Rüdiger
> >
> > From: William A Rowe Jr <wrowe@xxxxxxxxxxxxx>
> > Sent: Monday, 17 September 2018 22:27
> > To: httpd <dev@xxxxxxxxxxxxxxxx>
> > Subject: Re: minor nit in mod_ssl
> >
> > On Mon, Sep 17, 2018 at 2:56 AM Stefan Eissing <stefan.eissing@xxxxxxxxxxxxx> wrote:
> > >
> > > mod_ssl/ssl_engine.kernel.c, 353: logs ERR (APLOGNO(02033)) when strict_sni_vhost_check is enabled and a request comes in without SNI.
> > >
> > > Question: is a downgrade from ERR to INFO/DEBUG backportable or do we consider this a break of compatibility?
> >
> >
> >
> > On Mon, Sep 17, 2018 at 10:43 AM William A Rowe Jr <wrowe@rowe-clan.net> wrote:
> > >
> > > It is entirely appropriate to turn down the volume. That's what module-by-module loglevels are there for.
> >
> >
> > This is the loglevel of typical garbage request streams;
> >
> > [Mon Sep 17 11:44:43.036820 2018] [core:debug] [pid 26317:tid 140199172134656] protocol.c(965): (20014)Internal error (specific information not available): [client 127.0.0.1:34974] Failed to read request header line (null)
> > [Mon Sep 17 11:44:43.036871 2018] [core:debug] [pid 26317:tid 140199172134656] protocol.c(1318): [client 127.0.0.1:34974] AH00567: request failed: error reading the headers
> > [Mon Sep 17 15:24:46.146311 2018] [core:debug] [pid 26413:tid 140199180527360] protocol.c(860): [client 127.0.0.1:35330] AH02418: HTTP Request Line; Unrecognized protocol 'HTTP/1.xx' (perhaps whitespace was injected?)
> >
> > It seems that TLS missing SNI fits this same debug-level pattern of diagnostics.