Apache won't upgrade connection to TLS
I have written an IPP server in PHP running under Apache. With the standard IPP clients it works just fine. But when I try to print from an iOS device the connection breaks when the client tries to switch to TLS. This seems to be covered by RFC 2817 (Upgrading to TLS Within HTTP/1.1) and should have been supported by Apache for years. What is wrong with my Apache config?
Apache SSL configuration:
SSLEngine optional
SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /path/to/server.key
Request:
OPTIONS * HTTP/1.1
Connection: Upgrade
Host: iserv.local
Upgrade: TLS/1.0,SSL/2.0,SSL/3.0
User-Agent: CUPS/1.5.0
Reply:
HTTP/1.1 200 OK
Server: Apache/2.2.16
Content-Length: 0
Content-Type: text/plain
Expected reply:
HTTP/1.1 101 Switching Protocol
Server: CUPS/1.4
Connection: Keep-Alive
Keep-Alive: timeout=30
Connection: Upgrade
Upgrade: TLS/1.0,HTTP/1.1
Content-Length: 0
As far as I'm aware, Apache Httpd has supported RFC 2817 since version 2.1.
To use it, you must use SSLEngine optional (instead of the more common SSLEngine on for HTTPS), as mentioned in the documentation.
EDIT (I hadn't realised you were already using SSLEngine optional):
It seems that this problem is specifically due to OPTIONS * HTTP/1.1. It will work when you send OPTIONS / HTTP/1.1 (or OPTIONS / HTTP/1.1) with the same upgrade headers.
After a bit more investigation, it seems that OPTIONS * simply doesn't work at all on recent versions of Apache Httpd (or at least it works differently).
If you try a Debian Etch (Apache Httpd 2.2.3), a simple OPTIONS * HTTP/1.1 (with a Host header) will give you a response with the Allow: GET,HEAD,POST,OPTIONS and Vary headers.
On a Debian Lenny (Apache Httpd 2.2.9, with a few extra backported security patches), and more recent versions, you won't get these Allow or Vary headers at all. You will get them with OPTIONS /.
I suspect something has changed in the way OPTIONS * was handled between these versions. (This may also have something to do with the problems mentioned in this thread.) This would certainly affect an RFC 2817 upgrade via OPTIONS *.
I would suggest asking on the Apache Httpd user or possibly dev list about this.
It sounds like it might be a bug. (Usage for OPTIONS * is quite rare, and so few clients support RFC 2817 that it might simply have been unnoticed.)
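As an added example (not code from the question or the answer), a small Python probe that sends the RFC 2817 OPTIONS upgrade request shown in the question against a chosen request target, reports whether the server answered 101 with a TLS Upgrade header, and only then wraps the same connection in TLS. The sample replies are constructed from the two responses quoted in the question; the port 631 default and the cafile parameter are assumptions.

```python
import socket
import ssl

# Constructed sample replies, modelled on the two responses quoted in the question.
REPLY_REFUSED = (
    b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.16\r\n"
    b"Content-Length: 0\r\nContent-Type: text/plain\r\n\r\n"
)
REPLY_SWITCHED = (
    b"HTTP/1.1 101 Switching Protocol\r\nServer: CUPS/1.4\r\n"
    b"Connection: Upgrade\r\nUpgrade: TLS/1.0,HTTP/1.1\r\nContent-Length: 0\r\n\r\n"
)


def build_upgrade_request(target: str, host: str) -> bytes:
    """RFC 2817 upgrade request; target is '*' or '/' so both cases can be compared."""
    return (
        f"OPTIONS {target} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: Upgrade\r\n"
        "Upgrade: TLS/1.0,HTTP/1.1\r\n\r\n"
    ).encode("ascii")


def upgrade_accepted(raw: bytes) -> bool:
    """True only if the server answered 101 AND named TLS in its Upgrade header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status, *headers = head.split("\r\n")
    parts = status.split(" ", 2)
    if len(parts) < 2 or parts[1] != "101":
        return False  # a 200 means Apache answered OPTIONS normally, no switch
    upgrades = [h.split(":", 1)[1] for h in headers if h.lower().startswith("upgrade:")]
    return any("TLS/" in v.upper() for v in upgrades)


def probe(host: str, port: int = 631, target: str = "/", cafile=None) -> bool:
    """Send the request, read the response head, wrap in TLS only on a 101."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_upgrade_request(target, host))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
        if not upgrade_accepted(raw):
            return False
        # Same TCP connection, now TLS (assumption: cafile trusts the server cert).
        ctx = ssl.create_default_context(cafile=cafile)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version() is not None
```

Running probe(host, target="*") and probe(host, target="/") side by side reproduces the comparison the answer describes.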