[Mongrel] Mongrel HTTP Header Problem

Zed A. Shaw zedshaw at zedshaw.com
Wed Oct 11 20:17:25 EDT 2006


On Wed, 11 Oct 2006 16:06:34 +0100
"Michael Parkin" <michaelparkin at gmail.com> wrote:

> Hi,
> 
> I've recently been trying to setup Mongrel behind Pound so that I can
> do mutual SSL authentication. I've had a few problems with Pound
> (documented at [1]), but now have it working correctly.
>

So with Pound...
 
> However, I think there is a problem with Mongrel and how it deals with
> the headers Pound adds to the HTTP header block. One of the extra
> headers Pound adds is 'X-SSL-certificate' - the full multi-line client
> certificate in PEM format. As the certificate is spread over multiple
> lines like this:
> 
> X-SSL-certificate: -----BEGIN CERTIFICATE-----
> 	MIIFbTCCBFWgAwIBAgICH4cwDQYJKoZIhvcNAQEFBQAwcDELMAkGA1UEBhMCVUsx
>          ...
>         Yhixw1aKEPzNjNowuIseVogKOLXxWI5vAi5HgXdS0/ES5gDGsABo4fqovUKlgop3
> 	RA==
> 	-----END CERTIFICATE-----
> 

You have some need to send the client's certificate in a bizarre header?  Ok, before I go about answer your question you should probably explain what it is you're trying to do with this.  There might be a simpler way.

> ...with a carriage return between each line Mongrel, it seems, cannot
> handle the line breaks in the header and with this header present
> returns an internal server error '500'.
> 
> Looking at RFC 2616 it seems that whitespace such as this _is_ allowed
> in the header block. Section 4.2 says "Header fields can be extended
> over multiple lines by preceding each extra line with at least one SP
> or HT" - which is exactly what Pound does. Therefore, I think the
> problem may be with Mongrel.
>

That is a horrible bastardization of the RFC and I'd consider it an abuse of the headers, especially since only Pound does this out of *all* the HTTP clients people have used.  I'd almost tell them to screw off on principle (especially since they can encode this without the newlines).

But, let's look at the Mongrel grammar for headers:

  field_name = (token -- ":")+ >start_field %write_field;
  field_value = any* >start_value %write_value;
  message_header = field_name ":" " "* field_value :> CRLF;

Says right there field_value accepts "any*" and it's closed by a CRLF.  Probably just have to make the exit stronger so that it can include CR or LF but not both.

If you work up a test case that demonstrates it (preferably a patch to the mongrel tests) then I can fix it up.
 
> I've tested this by doing the following:
> 

One thing you didn't do is give me information from the mongrel.log.  There should have been BAD CLIENT information in there.  You also didn't turn on USR1 logging so that Mongrel dumps the whole request that caused BAD CLIENT errors.  If you do send in a test case then include this information too.


-- 
Zed A. Shaw, MUDCRAP-CE Master Black Belt Sifu
http://www.zedshaw.com/
http://mongrel.rubyforge.org/
http://www.lingr.com/room/3yXhqKbfPy8 -- Come get help.


More information about the Mongrel-users mailing list