[Mongrel] Mongrel HTTP Header Problem

Kris Leech krisleech at interkonect.com
Thu Oct 12 05:34:17 EDT 2006


Michael Parkin wrote:

>Hi,
>
>I've recently been trying to set up Mongrel behind Pound so that I can
>do mutual SSL authentication. I've had a few problems with Pound
>(documented at [1]), but now have it working correctly.
>
>However, I think there is a problem with Mongrel and how it deals with
>the headers Pound adds to the HTTP header block. One of the extra
>headers Pound adds is 'X-SSL-certificate' - the full multi-line client
>certificate in PEM format. As the certificate is spread over multiple
>lines like this:
>
>X-SSL-certificate: -----BEGIN CERTIFICATE-----
>	MIIFbTCCBFWgAwIBAgICH4cwDQYJKoZIhvcNAQEFBQAwcDELMAkGA1UEBhMCVUsx
>         ...
>        Yhixw1aKEPzNjNowuIseVogKOLXxWI5vAi5HgXdS0/ES5gDGsABo4fqovUKlgop3
>	RA==
>	-----END CERTIFICATE-----
>  
>
Do you actually need to use the certificate downstream? If not, and you 
just need to know the original request was SSL'd, then Pound should add 
an X-FORWARD type header instead...

>...with a carriage return between each line, Mongrel, it seems, cannot
>handle the line breaks in the header and with this header present
>returns an internal server error '500'.
>
>Looking at RFC 2616 it seems that whitespace such as this _is_ allowed
>in the header block. Section 4.2 says "Header fields can be extended
>over multiple lines by preceding each extra line with at least one SP
>or HT" - which is exactly what Pound does. Therefore, I think the
>problem may be with Mongrel.
>
>I've tested this by doing the following:
>
>1) Sniffed the whole HTTP message sent from Pound -> Mongrel using
>tcpmon. (Fails - returns 'internal server error' / 500).
>
>2) Replaying the message into Mongrel directly using telnet, cutting
>out the X-SSL-certificate header. Mongrel responds correctly (200).
>
>3) Added in my own arbitrary header with a carriage return in it.
>Mongrel again returns 500.
>
>I turned on debugging with the '-B' option hoping there would be
>something in the log files, but they're empty.
>
>Can anyone else confirm that carriage returns in HTTP headers are a
>problem for Mongrel?
>
>Many thanks,
>
>Michael.
>
>[1] http://www.apsis.ch/pound/pound_list/archive/2006/2006-10/1159900707000



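What the RFC 2616 section 4.2 rule quoted in this thread asks of a receiver, sketched in Ruby as an added example (not Mongrel's parser and not code from the thread): continuation lines starting with SP or HT are joined to the previous header, and the Pound-style X-SSL-certificate value is rebuilt into PEM. The function names, the error class and the sample request are assumptions made for the illustration.

```ruby
# Added example. Constructed sample request: the certificate body is
# placeholder base64, not a real certificate.
SAMPLE_REQUEST = [
  "GET / HTTP/1.1",
  "Host: localhost",
  "X-SSL-certificate: -----BEGIN CERTIFICATE-----",
  "\tQUJDREVGR0hJSktM",
  "        TU5PUFFSU1RVVldYWVo=",
  "\t-----END CERTIFICATE-----",
  "Accept: */*",
  "", ""
].join("\r\n")

class HeaderError < StandardError; end

# Parse the header block, unfolding RFC 2616 section 4.2 continuation
# lines (lines starting with SP or HT) into the preceding header value.
# Returns a Hash of name => value; a repeated name keeps the last value.
def parse_headers(raw)
  lines = raw.split("\r\n\r\n", 2).first.to_s.split("\r\n")
  lines.shift # drop the request line
  headers = []
  lines.each do |line|
    if line.match?(/\A[ \t]/)
      raise HeaderError, "continuation line before any header" if headers.empty?
      headers.last[1] += " " + line.strip
    else
      name, value = line.split(":", 2)
      # Conservative name check (stricter than the RFC's token set).
      unless value && name.match?(/\A[A-Za-z0-9_-]+\z/)
        raise HeaderError, "malformed header line"
      end
      headers << [name, value.strip]
    end
  end
  headers.to_h
end

# Rebuild a PEM block from the unfolded X-SSL-certificate value.
def pem_from_header(value)
  m = value.match(/\A-----BEGIN CERTIFICATE-----(.*)-----END CERTIFICATE-----\z/m)
  raise HeaderError, "no PEM certificate in header" unless m
  body = m[1].gsub(/\s+/, "")
  raise HeaderError, "non-base64 certificate body" unless body.match?(%r{\A[A-Za-z0-9+/]+={0,2}\z})
  "-----BEGIN CERTIFICATE-----\n#{body.scan(/.{1,64}/).join("\n")}\n-----END CERTIFICATE-----\n"
end
```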