
Re: minor nit in mod_ssl


Thanks.

Regards

Rüdiger

> -----Original Message-----
> From: Stefan Eissing <stefan.eissing@xxxxxxxxxxxxx>
> Sent: Thursday, 20 September 2018 11:58
> To: dev@xxxxxxxxxxxxxxxx
> Subject: Re: minor nit in mod_ssl
> 
> Fair enough. Done in r1841455.
> 
> > On 20.09.2018 at 11:53, Plüm, Rüdiger, Vodafone Group <ruediger.pluem@xxxxxxxxxxxx> wrote:
> >
> > Correct, but the issue is that as an admin you do not always get the error page that a client sees and you have to search for the cause without.
> > Especially in this case as non-SNI clients are often not browsers but non-interactive programs.
> >
> > Regards
> >
> > Rüdiger
> >
> >> -----Original Message-----
> >> From: Stefan Eissing <stefan.eissing@xxxxxxxxxxxxx>
> >> Sent: Thursday, 20 September 2018 11:46
> >> To: dev@xxxxxxxxxxxxxxxx
> >> Subject: Re: minor nit in mod_ssl
> >>
> >> I am not opposed. However, there is an explanation added to the request error notes, which normally appears in the 403 response if I am not mistaken?
> >>
> >> -Stefan
> >>
> >>> On 20.09.2018 at 11:40, Plüm, Rüdiger, Vodafone Group <ruediger.pluem@xxxxxxxxxxxx> wrote:
> >>>
> >>> Can we have it set to info? Debug is very verbose for SSL just to find out why an HTTP request was replied to with a 403.
> >>>
> >>> Regards
> >>>
> >>> Rüdiger
> >>>
> >>> From: William A Rowe Jr <wrowe@xxxxxxxxxxxxx>
> >>> Sent: Monday, 17 September 2018 22:27
> >>> To: httpd <dev@xxxxxxxxxxxxxxxx>
> >>> Subject: Re: minor nit in mod_ssl
> >>>
> >>> On Mon, Sep 17, 2018 at 2:56 AM Stefan Eissing <stefan.eissing@xxxxxxxxxxxxx> wrote:
> >>>>
> >>>> mod_ssl/ssl_engine.kernel.c, 353: logs ERR (APLOGNO(02033)) when strict_sni_vhost_check is enabled and a request comes in without SNI.
> >>>>
> >>>> Question: is a downgrade from ERR to INFO/DEBUG backportable or do we consider this a break of compatibility?
> >>>
> >>>
> >>>
> >>> On Mon, Sep 17, 2018 at 10:43 AM William A Rowe Jr <wrowe@rowe-clan.net> wrote:
> >>>>
> >>>> It is entirely appropriate to turn down the volume. That's what module-by-module loglevels are there for.
> >>>
> >>>
> >>> This is the loglevel of typical garbage request streams;
> >>>
> >>> [Mon Sep 17 11:44:43.036820 2018] [core:debug] [pid 26317:tid 140199172134656] protocol.c(965): (20014)Internal error (specific information not available): [client 127.0.0.1:34974] Failed to read request header line (null)
> >>> [Mon Sep 17 11:44:43.036871 2018] [core:debug] [pid 26317:tid 140199172134656] protocol.c(1318): [client 127.0.0.1:34974] AH00567: request failed: error reading the headers
> >>> [Mon Sep 17 15:24:46.146311 2018] [core:debug] [pid 26413:tid 140199180527360] protocol.c(860): [client 127.0.0.1:35330] AH02418: HTTP Request Line; Unrecognized protocol 'HTTP/1.xx' (perhaps whitespace was injected?)
> >>>
> >>> It seems that TLS missing SNI fits this same debug-level pattern of diagnostics.
> >