[openssl-users] HTTP / HTTPS on same port

Jakob Bohm jb-openssl at wisemo.com
Sat Apr 4 05:30:52 UTC 2015

On 03/04/2015 22:12, Michael Wojcik wrote:
>> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
>> Of Salz, Rich
>> Sent: Friday, April 03, 2015 15:55
>> To: openssl-users at openssl.org
>> Subject: Re: [openssl-users] HTTP / HTTPS on same port
>> It is a hack.
> That's debatable. What's so sacred about separating traffic by port? Valid TLS traffic and valid plaintext HTTP traffic are distinguishable - there aren't any ambiguous cases.
>>   Most people do it the other way and look for a G or P as the first letter.
> Now *that* is a hack. And wrong, and broken. Looking at the first few bytes to see if they're 1) ASCII uppercase letters and 2) form the prefix of a valid HTTP command would be satisfactory.
Actually, I would code any HTTP request parser to accept
lower case,even if I would code request generators to
issue the standard request keywordsin uppercase only
(as required by the spec).  Basic Postel principle
in action, really.

Additionally the HTTP/1.1 spec (RFC2616) explicitly
allows future method namesto contain any US-ASCII
char except control chars (0x00..0x1F), space (0x20)
and the following separators: "()<>@,;:\\\"/[]?={}",
see RFC2616 section 5.1.1 which references the
definitions of token and CHAR in section 2.2.
In the updated HTTP/1.1 spec (RFC7230 et.seq.),
the equivalent rules are in RFC7230 section 3.1.1
with token and tchar defined in section 3.2.6 .

Another possibility for HTTP and HTTPS on the same
port is to implement RFC2817, which specifies a way
to use a HTTP request to switch a connection to HTTPS.


Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list