Tomcat SSL Fingerprinting
I ran into this a few weeks ago and I thought it was just so silly I had to post it. If you telnet to an SSL/TLS enabled port and type in “GET / HTTP/1.0″ and hit enter it immediately responds with this rather poorly thought out error message:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />
The irony is that it’s saying that it doesn’t know what I’m saying, even though it clearly does know what I’m saying since it tells me what I’m doing wrong. Pretty stupid error messaging and pretty easy to use to fingerprint the web server. Just thought it was funny enough to pass along.
October 5th, 2008 at 4:32 pm
For security, not so good.
But for usability? This can be great. Especially when dealing with people who don’t understand that there is difference between HTTP and HTTPS, especially when using non-standard ports.
October 5th, 2008 at 6:23 pm
Well, you can deny that’s quite ironic
If you’re going to say what’s wrong with the request there’s no point in saying that the server didn’t understand such request.
As far as usable, I don’t necessarily agree because the error state -you’re speaking plain http- and -use https scheme-, so if an user got that error because didn’t understand the difference between http and https, things like “speaking plain http” or “https scheme” will make no sense to such user, it will be more usable in that case to say “use https:// instead of http:// in the url to access this resource”
Anyway, you can’t always get something as usefull like the 503 of apache saying “the server made a boo boo”
October 5th, 2008 at 6:43 pm
It has nothing to do with Tomcat specifically; All Apache servers I’ve played with do this.
October 6th, 2008 at 7:29 am
@kuza55 - that’s not my experience (I realize this isn’t Apache’s website, but apache.org doesn’t have SSL enabled):
[~] telnet www.apache.com 443
Trying 97.74.11.177…
Connected to www.apache.com.
Escape character is ‘^]’.
GET / HTTP/1.0
Host: www.apache.com
HTTP/1.1 200 OK
Date: Mon, 06 Oct 2008 14:21:40 GMT
Server: Apache
Connection: close
Content-Type: text/html
-snip- … not the same error … -snip-
I also tried it on phpfreaks.com and several others. Maybe it’s only certain versions of Apache…?
October 6th, 2008 at 8:02 am
I just got this from a fedora/apache server:
Bad Request
Your browser sent a request that this server could not understand.
Reason: You’re speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
And from a Centos/cPanel Apache server:
Your browser sent a request that this server could not understand:
It looks like it’s just some stock apache installations that do it.
October 6th, 2008 at 8:05 am
Sorry, my HTML got filtered out.
From Fedora:
October 6th, 2008 at 12:22 pm
I think that’s the standard Apache 2.x response.. not tomcat..
October 6th, 2008 at 3:59 pm
@RSnake:
Hmmm, my bad, maybe I just haven’t played with enough https servers…
October 8th, 2008 at 3:12 pm
Hah, that’s funny.