Hi!

I've come across the following:

1. Configure Apache (1.3.33 in this case) to listen with SSL on some
port (say 8100).

2. Protect it with mod_auth.

3. Connect to the port with a Web Browser using http:// (not https://!)
http://ssl.example.com:8100/

You get the following in error.log:

[Fri Jun 3 14:47:46 2005] [error] mod_ssl: SSL handshake failed: HTTP
spoken on HTTPS port; trying to send HTML error page...

What Apache actually sends though, is a "401 Authorization Required", so
you also get the authentication dialog in the web browser.

If you now fill in your Credentials and click the "OK" button your username
and password is sent to the server in the clear.

The problem with this is, that the user has no actual feedback that he
has entered a wrong URL and that the connection to the server is not
actually encrypted.

An immidiate fix is to SSLRequireSSL, which has the problem that the
user does not get the helpful 400 error with the correct link.

(I worked around this by using ErrorDocument to redirect the user
immediatly to the correct URL... ugly hack, I think.)

Is there some (easy) way around this problem that I have not found? Is
this even something mod_ssl can influence or must this be fixed in
mod_auth?

thanks!
Christoph Schindler


__________________________________________________ ____________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org