Apache won't upgrade connection to TLS

http apache-2.2 ssl tls

I have written a IPP server in PHP running under Apache. With the standard IPP clients it works just fine. But when I try to print from an iOS device the connections breaks when the client tries to switch to TLS. This seems to be covered by RFC 2817 (Upgrading to TLS Within HTTP/1.1) and should be supported by Apache for years. What is wrong with my Apache config?

Apache SSL configuration:

SSLEngine optional
SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /path/to/server.key

Request:

OPTIONS * HTTP/1.1
Connection: Upgrade
Host: iserv.local
Upgrade: TLS/1.0,SSL/2.0,SSL/3.0
User-Agent: CUPS/1.5.0

Reply:

HTTP/1.1 200 OK
Server: Apache/2.2.16
Content-Length: 0
Content-Type: text/plain

Expected reply:

HTTP/1.1 101 Switching Protocol
Server: CUPS/1.4
Connection: Keep-Alive
Keep-Alive: timeout=30
Connection: Upgrade
Upgrade: TLS/1.0,HTTP/1.1
Content-Length: 0

As far as I'm aware, Apache Httpd has supported RFC 2817 since version 2.1.

To use it, you must use SSLEngine optional (instead of the more common SSLEngine on for HTTPS), as mentioned in the documentation.

EDIT (I hadn't realised you were already using SSLEngine optional):

It seems that this problem is specifically due to OPTIONS * HTTP/1.1. It will work when you send OPTIONS / HTTP/1.1 (or OPTIONS / HTTP/1.1) with the same upgrade headers.

After a bit more investigation, it seems that OPTIONS * simply doesn't work at all on recent versions of Apache Httpd (or at least it works differently).

If you try a Debian Etch (Apache Httpd 2.2.3), a simple OPTIONS * HTTP/1.1 (with a Host header) will give you a response with the Allow: GET,HEAD,POST,OPTIONS and Vary headers.

On a Debian Lenny (Apache Httpd 2.2.9, with a few extra backported security patches), and more recent versions, you won't get these Allow or Vary headers at all. You will get them with OPTIONS /.

I suspect something has changed in the way OPTIONS * was handled between these versions. (This may also have something to do with the problems mentioned in this thread.) This would certainly affect an RFC 2817 upgrade via OPTIONS *.

I would suggest asking on the Apache Httpd user or possibly dev list about this.

It sounds like it might be a bug. (Usage for OPTIONS * is quite rare, and so few clients support RFC 2817 that it might have simply have been unnoticed.)

Related

Varnish config rules to cache large MP3 and PDF files?
Reset DRAC to factory defaults
Squid causing websocket issues
How to upgrade module located inside initramfs?
Offline WSUS delta updates
Add static route through DHCP
Windows 2003 Terminal Server not responding after reboots
Speeding up Outlook Express on Windows XP over satellite
Ubuntu 12 crashed and took down network
How to use hardware acceleration with ffmpeg
Missed opportunity to fix JDBC date handling in Java 8?
What are the differences between lxml and ElementTree?