Tuesday, March 24, 2009

Regarding encryption ...

Not encryption in general, but one very specific instance of it: Apache SSL on my Ubuntu/8.10 box.

Ubuntu ships with two SSL modules available -- the canonical, OpenSSL-based Apache mod_ssl, and the newer mod_gnutls (pronounced "noodles?"). I decided to try mod_gnutls for no good reason, and it seemed to work -- I could serve content via an encrypted connection! Except for the silent redirects. I'd point my browser to /, get redirected to my SSL login page as expected ... and then wind up on the login page over vanilla HTTP.

In situations like this, HttpFox is your friend. As are netcat and OpenSSL itself, which, if you'll pardon the tangent, has its own netcat-like behavior indispensable for debugging encrypted network services:
   openssl s_client -connect myserver.com:443
Via openssl, here's the offending HTTP transaction:
   GET /ri/account/login?next=/ri/ HTTP/1.1
   Host: myserver.com

   HTTP/1.1 301 Moved Permanently
   Date: Tue, 24 Mar 2009 15:26:47 GMT
   Server: Apache/2.2.9 (Ubuntu) DAV/2 mod_gnutls/0.5.1 PHP/5.2.6-2ubuntu4 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2
   Content-Type: text/html; charset=utf-8
   Location: http://myserver.com/ri/account/login/?next=/ri/
   Vary: Accept-Encoding
   Content-Length: 0
I ask, over HTTPS, for the login page, and it redirects me back to the unencrypted version. And I never quite figured it out, either -- I just switched to mod_ssl and the problem went away.

I can't even say this is a GnuTLS bug, but it's certainly some strange behavior.
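As an added example (not code from the post), here is a small Python check that does what I was doing by hand with s_client: it sends the same GET over TLS, parses the raw response, and flags a redirect whose Location drops from https back to plain http on the same host. The embedded sample response is a copy of the transaction above; the function and constant names are my own.

```python
"""Flag HTTPS-to-HTTP downgrade redirects in a raw HTTP response."""
import socket
import ssl
from urllib.parse import urlsplit

# Constructed offline copy of the 301 captured in the post (Server/Vary lines omitted).
SAMPLE_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Date: Tue, 24 Mar 2009 15:26:47 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Location: http://myserver.com/ri/account/login/?next=/ri/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Split a raw response head into (status_code, {lowercased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def downgrades_to_http(raw, request_host):
    """True if a redirect sends a TLS client back to http:// on the same host.

    Relative Locations and https:// targets are not downgrades.
    """
    status, headers = parse_headers(raw)
    if status not in (301, 302, 303, 307, 308) or "location" not in headers:
        return False
    target = urlsplit(headers["location"])
    return target.scheme == "http" and target.hostname == request_host

def fetch_over_tls(host, path, port=443):
    """Issue the same request the post sent via openssl s_client; return the raw head."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        tls.sendall(f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = tls.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.decode("latin-1")

if __name__ == "__main__":
    print(downgrades_to_http(SAMPLE_RESPONSE, "myserver.com"))  # True
```

Against a live server, `downgrades_to_http(fetch_over_tls("myserver.com", "/ri/account/login?next=/ri/"), "myserver.com")` reproduces the check end to end.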
