On 03/04/2015 22:12, Michael Wojcik wrote:
>> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
>> Of Salz, Rich
>> Sent: Friday, April 03, 2015 15:55
>> To: openssl-users at openssl.org
>> Subject: Re: [openssl-users] HTTP / HTTPS on same port
>>
>> It is a hack.
> That's debatable. What's so sacred about separating traffic by port? Valid TLS traffic and valid plaintext HTTP traffic are distinguishable - there aren't any ambiguous cases.
>
>> Most people do it the other way and look for a G or P as the first letter.
> Now *that* is a hack. And wrong, and broken. Looking at the first few bytes to see if they're 1) ASCII uppercase letters and 2) form the prefix of a valid HTTP command would be satisfactory.
>

Actually, I would code any HTTP request parser to accept lower case, even
if I would code request generators to issue the standard request keywords
in uppercase only (as required by the spec). Basic Postel principle in
action, really.

Additionally the HTTP/1.1 spec (RFC2616) explicitly allows future method names
to contain any US-ASCII char except control chars (0x00..0x1F), space (0x20)
and the following separators: "()<>@,;:\\\"/[]?={}", see RFC2616 section 5.1.1
which references the definitions of token and CHAR in section 2.2.

In the updated HTTP/1.1 spec (RFC7230 et.seq.), the equivalent rules are in
RFC7230 section 3.1.1 with token and tchar defined in section 3.2.6.

Another possibility for HTTP and HTTPS on the same port is to implement
RFC2817, which specifies a way to use an HTTP request to switch a connection
to HTTPS.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded