Writing

Friday, February 10, 2012

RFC 2817 vs. clueless filtering regimes

Recent news stories about countries blocking HTTPS traffic by filtering port 443 got me digging into RFCs. I remembered an idea from some years back about recycling an existing HTTP connection to jump into another protocol. Sure enough, there's a workaround, but as always, the specs are way ahead of actual support.

RFC 2817 describes first establishing an ordinary HTTP/1.1 connection (on port 80) and then "upgrading" it to TLS in place: the client sends a request carrying "Upgrade: TLS/1.0" and "Connection: Upgrade", the server answers "101 Switching Protocols", and the TLS handshake then runs over the same TCP connection. A server can also demand this from its side with a "426 Upgrade Required" response. If the filtering agent is relatively limited in its abilities and only focuses on port 443, then this might allow encrypted traffic to slip by.

Sure, you could just run https on another port, but that starts the whole cat-and-mouse game as things jump around. An upgrade scheme forces them to actively inspect traffic at a much deeper level to figure out just what is going on inside a port 80 connection. The caveat is that "deeper" does not have to mean much: the upgrade request itself, Host header included, crosses the wire in the clear, and a port 80 connection that turns into a TLS handshake right after one request is easy to recognize. This beats a filter that only looks at port numbers, not one that looks at payloads.
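
To make the exchange concrete, here is the client side of the RFC 2817 upgrade described above: the clear-text request, the interpretation of the server's 101 / 426 / other reply, and the hand-off of the same socket to TLS. This is an added example for this post, not code from its author, from Apache, or from any browser; the host name and the sample responses are constructed for the example, and no connection is opened unless upgrade_to_tls() is called.

```python
"""RFC 2817 from the client side: ask for "Upgrade: TLS/1.0" on port 80.

Added example for this post, not code from its author, from Apache, or from
any browser. It builds the clear-text upgrade request, interprets the
server's reply, and shows where a real socket would be handed to TLS.
Sample host and responses below are constructed for the example.
"""
import ssl
from collections import namedtuple

# Constructed example host; nothing connects unless upgrade_to_tls() is called.
EXAMPLE_HOST = "www.example.com"

UpgradeResult = namedtuple("UpgradeResult", "status upgrade_ok headers remainder")


def build_upgrade_request(host, path="/", method="OPTIONS"):
    """Clear-text HTTP/1.1 request asking the server to switch this connection to TLS.

    RFC 2817 section 3: the client sends Upgrade: TLS/1.0 plus Connection: Upgrade.
    "OPTIONS *" asks for the switch without requesting a resource first. Every byte
    here, the Host header included, is visible to anything on the path.
    """
    target = "*" if method == "OPTIONS" else path
    lines = [
        f"{method} {target} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: TLS/1.0",
        "Connection: Upgrade",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_upgrade_response(data):
    """Interpret the server's reply to the upgrade request.

    101 Switching Protocols with Upgrade: TLS/1.0 means the TLS handshake starts
    now on the same connection. 426 Upgrade Required (RFC 2817 section 4.2) means
    the server insists on TLS for this resource. Anything else: no upgrade, the
    request was answered in the clear as ordinary HTTP.
    """
    head, sep, remainder = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response header block")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    offered = [t.strip().lower() for t in headers.get("upgrade", "").split(",")]
    upgrade_ok = status == 101 and "tls/1.0" in offered
    return UpgradeResult(status, upgrade_ok, headers, remainder)


def upgrade_to_tls(sock, host, context=None):
    """Run the exchange on an open port-80 socket and return it wrapped in TLS.

    The client speaks first in the TLS handshake, so the server has nothing to
    send after its 101 until it sees a ClientHello; trailing bytes therefore
    indicate a broken peer and are refused rather than silently dropped.
    """
    sock.sendall(build_upgrade_request(host))
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection before answering")
        buf += chunk
    result = parse_upgrade_response(buf)
    if not result.upgrade_ok:
        raise ConnectionError(f"server declined the TLS upgrade (status {result.status})")
    if result.remainder:
        raise ConnectionError("unexpected bytes after the 101 response")
    context = context or ssl.create_default_context()
    return context.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    # Stand-alone run: show the request bytes and parse a constructed 101 reply.
    print(build_upgrade_request(EXAMPLE_HOST).decode())
    print(parse_upgrade_response(
        b"HTTP/1.1 101 Switching Protocols\r\n"
        b"Upgrade: TLS/1.0, HTTP/1.1\r\n"
        b"Connection: Upgrade\r\n\r\n"))
```

Note what a filter sees: the whole request from build_upgrade_request(), including the Host line, in plaintext, followed by a TLS ClientHello on a port it expected to carry only HTTP. Hiding the port was never the same as hiding the protocol.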

An interesting part of this is that Apache's mod_ssl has supported "SSLEngine optional" since 2.1, which lets a plain-HTTP virtual host (with the usual certificate directives alongside it) accept RFC 2817 upgrades. Of course, this is of limited use when Firefox and Chrome clearly don't support it. I assume that Safari, IE, Opera, and all the others are in the same boat.

It almost looks like the original interest in RFC 2817 came from being able to use the Host: header, which arrives in the clear before the upgrade and so tells the server which certificate to present, and thus circumvent the whole "one SSL site per IP+port combo" situation. That always felt like a hack, and then SNI came along and set everything straight by carrying the host name inside the TLS handshake itself, in the ClientHello, where the server sees it before it has to choose a certificate.

SNI addresses the real problem of running out of IP addresses when you have a bunch of secure web sites, but even it has taken a while to land. If Wikipedia is to be believed, iOS only got it in version 4, in June 2010, and Internet Explorer on Windows XP never got it at all.
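
Since the post leans on SNI as the thing that "set everything straight", it is worth seeing exactly where the host name travels. The following is an added example, not code from the post or from any TLS library: it hand-builds a minimal ClientHello with a server_name extension (RFC 6066), captures the real ClientHello that OpenSSL would send by driving Python's ssl module through memory BIOs with no network involved, and parses both to recover the name. The host names are constructed for the example. The security point is the same one that applies to the Host header before an RFC 2817 upgrade: the name is in the clear, so a filter that reads payloads sees it either way.

```python
"""Where SNI lives: the server_name extension of the TLS ClientHello.

Added example for this post, not the post's code or any library's. It builds
a minimal ClientHello by hand, captures a real one from OpenSSL via Python's
ssl module and memory BIOs, and parses both. Host names are constructed;
nothing touches the network.
"""
import ssl
import struct

SNI_EXTENSION = 0  # RFC 6066 extension type for server_name


def build_client_hello(hostname):
    """Hand-built TLS 1.2-style ClientHello carrying only an SNI extension.

    Constructed for illustration (zeroed random, a single cipher suite), not
    something a real client sends, but the byte layout is the real one.
    """
    name = hostname.encode("idna")
    server_name_list = b"\x00" + struct.pack("!H", len(name)) + name   # type 0 = host_name
    sni_ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
    extensions = struct.pack("!HH", SNI_EXTENSION, len(sni_ext_body)) + sni_ext_body
    body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + b"\x00" * 32           # random (zeroed for the example)
        + b"\x00"                # session_id: empty
        + b"\x00\x02\xc0\x2f"    # cipher_suites: one suite
        + b"\x01\x00"            # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record


def client_hello_from_openssl(hostname):
    """Capture the ClientHello OpenSSL would send for hostname, without a network."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello has been written; the handshake now waits for a server
    return outgoing.read()


def extract_sni(data):
    """Return the SNI host name from the ClientHello at the start of data, or None."""
    try:
        # 1. Gather payloads of leading handshake records (content type 0x16).
        hs, pos = b"", 0
        while pos + 5 <= len(data) and data[pos] == 0x16:
            length = struct.unpack("!H", data[pos + 3:pos + 5])[0]
            hs += data[pos + 5:pos + 5 + length]
            pos += 5 + length
        if len(hs) < 4 or hs[0] != 0x01:
            return None
        # 2. Skip the fixed fields, then the variable-length ones.
        p = 4 + 2 + 32                                   # header, version, random
        p += 1 + hs[p]                                   # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
        p += 1 + hs[p]                                   # compression_methods
        if p + 2 > len(hs):
            return None                                  # no extensions at all
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        # 3. Scan extensions for server_name and read its first host_name entry.
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == SNI_EXTENSION:
                q = p + 2                                # skip server_name_list length
                while q + 3 <= p + elen:
                    ntype, nlen = hs[q], struct.unpack("!H", hs[q + 1:q + 3])[0]
                    if ntype == 0:
                        return hs[q + 3:q + 3 + nlen].decode("ascii")
                    q += 3 + nlen
            p += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None  # truncated or malformed input


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))
    print(extract_sni(client_hello_from_openssl("secure.example.org")))
```

Run it and the second line prints the name you passed in, read straight out of the unencrypted first message of the handshake. That is what lets a single IP address serve many certificates, and it is also why a filter that has learned to read TLS does not need to break the encryption to know which site you asked for.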

Given that relatively slow rate of adoption, hoping for much of anything with "upgrade to TLS" just seems foolish. It's just frustrating to see that I could support it as a web server operator but then find out that nobody would benefit from it.

Finally, if the Upgrade header seems like it came up somewhere recently, that is WebSocket (RFC 6455), which uses "Upgrade: websocket" to turn an HTTP connection into one speaking its own framing. SPDY takes a different route: it negotiates the switch during the TLS handshake with the NPN extension rather than with an HTTP Upgrade. Neither is exactly the same as POSTing something to a _mAgIc_UrL_ to switch modes, but they get the job done.