Hello List,

I'm running an Apache on SSL with PFS and suspect that there is something hidden in an SSL request we are receiving, because Apache does not respond with the usual 404 (not found) but with 400 (bad request), and I have no explanation why. To track down the strange request, I tried forensic logging and dumpio, but found that some bytes are not logged either way.

Does someone know a way to make Apache log the zero byte (\0), followed by 200 zero-digits, created by the following request? The following headers are received, used and logged by Apache; just the part after \0 is missing.

    (python -c 'import os; os.write(1, "GET / HTTP/1.1\x00%0200d\nHost: [YOUR-HOSTNAME-HERE]\n\n" % (0))'; sleep 1) | socat - OPENSSL:YOUR-HOSTNAME-HERE:443,verify=0 | xxd

This should have been the 225 bytes of the first line I'm interested in:

    Sep 9 09:33:04 YOUR-HOSTNAME-HERE apache: default:443: [Tue Sep 09 09:33:04 2014] [notice] mod_dumpio: dumpio_in (data-TRANSIENT): 225 bytes

And here only a few bytes are logged:

    Sep 9 09:33:04 YOUR-HOSTNAME-HERE apache: default:443: [Tue Sep 09 09:33:04 2014] [notice] mod_dumpio: dumpio_in (data-TRANSIENT): GET / HTTP/1.1
    Sep 9 09:33:04 YOUR-HOSTNAME-HERE apache: default:443: [Tue Sep 09 09:33:04 2014] [notice] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
    Sep 9 09:33:04 YOUR-HOSTNAME-HERE apache: default:443: [Tue Sep 09 09:33:04 2014] [notice] mod_dumpio: dumpio_in (data-TRANSIENT): 39 bytes
    Sep 9 09:33:04 YOUR-HOSTNAME-HERE apache: default:443: [Tue Sep 09 09:33:04 2014] [notice] mod_dumpio: dumpio_in (data-TRANSIENT): Host: YOUR-HOSTNAME-HERE \n

I do not want to reconfigure Apache and put my own custom SSL decrypt/re-encrypt in front of it, to avoid subtle changes in the SSL handshake causing problems with software in the field.

Thanks,
Roman

DI Roman Fiedler
Scientist
Safety & Security Department
Assistive Healthcare Information Technology
AIT Austrian Institute of Technology GmbH
Reininghausstraße 13/1 | 8020 Graz | Austria
T +43(0) 50550 2957 | M +43(0) 664 8561599 | F +43(0) 50550 2950
roman.fiedler@xxxxxxxxx | http://www.ait.ac.at/
FN: 115980 i HG Wien | UID: ATU14703506
http://www.ait.ac.at/Email-Disclaimer
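
The dumpio output above (a byte count for the whole buffer, then only `GET / HTTP/1.1`) is what appears when a buffer containing \0 is formatted as a NUL-terminated C string. The following is an added example, not part of the original post and not Apache's code: a length-aware escaper that keeps every received byte visible in a log line. The function names are hypothetical and the sample request is constructed, modelled on the command in the post.

```c
#include <stdio.h>
#include <string.h>

/* Length-aware escaping: printable ASCII is copied, every other byte
 * (including NUL and backslash) becomes \xNN, so nothing disappears. */
size_t escape_for_log(const unsigned char *buf, size_t len,
                      char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = buf[i];
        int printable = (c >= 0x20 && c < 0x7f && c != '\\');
        size_t need = printable ? 1 : 4;
        if (o + need + 1 > outsz)          /* keep room for terminator */
            break;
        if (printable)
            out[o++] = (char)c;
        else
            o += (size_t)snprintf(out + o, outsz - o, "\\x%02x", c);
    }
    if (outsz > 0)
        out[o] = '\0';
    return o;
}

/* Bytes a "%s"-style logger would show: everything before the first NUL. */
size_t visible_with_percent_s(const unsigned char *buf, size_t len)
{
    const unsigned char *nul = memchr(buf, 0, len);
    return nul ? (size_t)(nul - buf) : len;
}

/* Constructed sample: request line, one NUL, 200 '0' digits, newline. */
size_t build_sample(unsigned char *buf, size_t bufsz)
{
    static const char head[] = "GET / HTTP/1.1";
    size_t n = sizeof(head) - 1;
    if (bufsz < n + 1 + 200 + 1)
        return 0;
    memcpy(buf, head, n);
    buf[n++] = 0x00;
    memset(buf + n, '0', 200);
    n += 200;
    buf[n++] = '\n';
    return n;
}

int main(void)
{
    unsigned char req[256];
    char line[1024];
    size_t len = build_sample(req, sizeof req);
    escape_for_log(req, len, line, sizeof line);
    printf("%zu received, %zu visible via %%s\n", len, visible_with_percent_s(req, len));
    printf("escaped: %s\n", line);
    return 0;
}
```

A gap between the received length and the length visible through `%s` is itself a useful signal that a request line carries an embedded NUL.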