-
Notifications
You must be signed in to change notification settings - Fork 69
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Connecting via HTTP (unsecure) to tls-rustls
-enabled HTTP/2 server returns an obsolete HTTP/0.9 response
#121
Comments
tls-rustls
-enabled HTTP/2 server returns an obsolete HTTP/0.9 responsetls-rustls
-enabled HTTP/2 server returns an obsolete HTTP/0.9 response
I'm not entirely sure what the issue is. I would have to go through the spec and figure out exactly how HTTP is supposed to react to that, but I would appreciate if you go into more detail. |
I haven't tried that, and I don't think anyone wants to.
Without it (I don't remember) it won't show the response or something. The problem is that response is being downgraded, which is not how web works, AFAIK. The downgraded version is also the discontinued HTTP/0.9 which is also outputs some garbage that I don't understand. This whole mess shouldn't exist and if you try to access an HTTPS-only sever via HTTP it instead should return some standard error (I really hope that there is a standard way of handling this situation) with client's/request's version of HTTP response (not downgraded nor upgraded), i.e., with HTTP/1.1 response in this case.
"Details" of what exactly? |
Unfortunately I have a hard time parsing out the issue, it would be really helpful if you can describe your issue more concisely for me. E.g.
I don't think its a bug to accept HTTP/0.9 requests, a HTTP/0.9 response however would be one.
I can't find an example in your OP of a downgrade.
Getting access to a HTTPS only server over HTTP would be a very serious bug! After doing a lot of different attempts, I had some similar output to yours, but that is not the response, that is the request! I also realized why you were using E.g. using Following
You can reproduce the exact same response with cURL as well if you circumvent the error message by "allowing" HTTP/0.9: I hope this solved the mystery. |
Easy:
Because otherwise the
Going from HTTP version 1.1 to 0.9 is downgrading, the way I see it. You can't decrease version or security level, only increase. The same way you can go from HTTP to HTTPS, but not the other way around.
Run
No. Client sends a currently standard HTTP/1.1 request since it's man page
Yes, so the
So if 2 of the most popular CLI tools says that a response without headers is an HTTP/0.9 response, then it's probably correct. We can ask their maintainers or someone else about this matter to confirm. I realized that since it's all bytes from the
I guess the mystery of what those 7 bytes mean — yes, but... I probably need to find information about this.
Well, I guess that's the answer. It looks like requesting anything unsecure from a secure-only server is not a proper communication implementation. Though this is not directly says here, I don't know where could this be mentioned. Maybe in RFC for SSL/HTTPS (if it exists)? In a browser, it shows those 7 bites in an empty page without any network logs. So the solution really is to separately process |
Well, I think we can definitely say that this is incorrect. Considering that they do actually support the TLS protocol, I guess they could try and improve their protocol detection mechanism?
Honestly, this all seems like the most obvious outcome to me. Some well meaning feedback:
This is the server response.
This is the client request. But your problem is that the server response is HTTP/0.9. The most crucial piece of information is how you established that the server response is HTTP/0.9. I only found out by not using your commands and seeing the cURL error response.
This is supposed to give structure to your issue report to reduce any misinterpretation and confusion on my side. E.g.:
Notes: Repeat this patterns for multiple scenarios instead of merging them all in one. I hope this is taken as constructive feedback, in no way is this meant as any form of disrespect. In that light, I will close the issue. |
Here is a MWA:
I also created an SSL certificate and a private key with:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=localhost"
Here is what I get with
curl -sSLD - --cacert cert.pem --http0.9 http://localhost:3000 | bat -Ap
:And here is what I get with
curl -sSLD - --cacert cert.pem --http0.9 https://localhost:3000 | bat -Ap
:If instead of secure server (2) I use unsecure one (3) I get (HTTP):
and (HTTPS):
For dual protocol version (1) I get
HTTP/2 200
for HTTPS andHTTP/1.1 200 OK
for HTTP when.set_upgrade(true)
isn't used, and if it is used thenHTTP/2 200
for HTTPS andHTTP/1.1 301 Moved Permanently
+HTTP/2 200
for HTTP.This is very closely related to #48, but I figured that this is a bug, rather than a feature request, because the server neither used HTTP/1.1 (OK) as a response nor sent an error response (HTTP/1.1 5xx). Since the first case means basically the same what #48 describes (IIUC), then the only other thing left is to send some error response (I don't know if this must be 5xx or some other one). This is also the easiest of the two, IIUC.
If neither can be implemented, then this behavior should be documented (HTTP/0.9 response).
The text was updated successfully, but these errors were encountered: