Apache 2.2.17: HTTPS+CONNECT still broken

The scenario is: someone opens an SSL connection to the Apache server, authenticates himself, and requests access to another host/port via the CONNECT command. This is useful for connecting securely over the untrusted Internet to something inside the network.

Apache version 2.2.11 simply refused to do this, because “this is not defined in the RFC”. As of version 2.2.15 it supports CONNECT in HTTPS, but… it sends connected traffic in the clear. You can see “Apache Proxy Agent bla-bla” right in the middle of the HTTPS session. Brilliant!

This, of course, does not work, since the connecting party expects everything to be encrypted. Had to throw out mod_proxy_connect and revert to old trusted patch. Bummer.
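One way to confirm this behaviour from a packet capture, as an added example that is not from the original post: walk the server-to-client bytes of the HTTPS session and report the first bytes that are not framed as TLS records. The function name, the sample streams and the proxy response text are constructed for illustration.

```python
import struct

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {20, 21, 22, 23}
MAX_RECORD_LEN = 2**14 + 2048  # upper bound on an encrypted record fragment


def find_plaintext_leak(stream: bytes):
    """Walk a server-to-client byte stream one TLS record at a time.

    Returns None when every byte sits inside a well-formed TLS record,
    otherwise (offset, preview) for the first bytes that do not.
    A capture cut off mid-record is reported too, so feed it whole records.
    """
    pos = 0
    while pos < len(stream):
        header = stream[pos:pos + 5]
        if len(header) < 5:
            return (pos, stream[pos:pos + 40])
        ctype, major, minor, length = struct.unpack("!BBBH", header)
        malformed = (
            ctype not in TLS_CONTENT_TYPES
            or major != 3 or minor > 4          # SSL 3.0 through TLS 1.3 on the wire
            or length > MAX_RECORD_LEN
            or pos + 5 + length > len(stream)
        )
        if malformed:
            return (pos, stream[pos:pos + 40])
        pos += 5 + length
    return None


def record(ctype: int, payload: bytes) -> bytes:
    """Build a constructed TLS 1.0 record around opaque payload bytes."""
    return struct.pack("!BBBH", ctype, 3, 1, len(payload)) + payload


# Constructed sample data: a handshake record followed by application data.
HEALTHY = record(22, b"\x01" * 48) + record(23, b"\xaa" * 64)
# Constructed stand-in for the proxy's CONNECT reply written past the SSL layer.
LEAK = b"HTTP/1.0 200 Connection Established\r\nProxy-agent: Apache\r\n\r\n"
BROKEN = HEALTHY + LEAK + record(23, b"\xbb" * 32)

if __name__ == "__main__":
    print("healthy:", find_plaintext_leak(HEALTHY))
    print("broken: ", find_plaintext_leak(BROKEN))
```
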
