web application security lab

Tomcat SSL Fingerprinting

I ran into this a few weeks ago and I thought it was just so silly I had to post it. If you telnet to an SSL/TLS enabled port and type in “GET / HTTP/1.0” and hit enter it immediately responds with this rather poorly thought out error message:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />

The irony is that it’s saying that it doesn’t know what I’m saying, even though it clearly does know what I’m saying since it tells me what I’m doing wrong. Pretty stupid error messaging and pretty easy to use to fingerprint the web server. Just thought it was funny enough to pass along.
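
To check whether TLS listeners you operate answer this way, the telnet test above can be scripted. This is an added example, not part of the original post: `classify_reply`, `probe` and the sample replies are constructed for illustration, and the header-less reply form is an assumption based on the output quoted above.

```python
import socket

# Phrase from the error page quoted in the post (compared in lower case).
NOTICE = b"speaking plain http to an ssl-enabled server port"

# Constructed samples: bare HTML as in the post, a normal plaintext answer, a TLS alert.
SAMPLE_NOTICE = (b"<html><head><title>400 Bad Request</title></head><body>"
                 b"Reason: You're speaking plain HTTP to an SSL-enabled server port.")
SAMPLE_OK = b"HTTP/1.1 200 OK\r\nServer: Apache\r\nConnection: close\r\n\r\n<html></html>"
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"

def classify_reply(raw: bytes) -> dict:
    """Classify what a TLS port sent back after a plaintext HTTP request."""
    result = {"kind": "no-http-reply", "status": None, "server": None}
    body = raw
    if raw.startswith(b"HTTP/"):
        head, _, body = raw.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        parts = lines[0].split(None, 2)
        if len(parts) >= 2 and parts[1].isdigit():
            result["status"] = int(parts[1])
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"server":
                result["server"] = value.strip().decode("latin-1")
    elif b"<html" not in raw.lower():
        return result  # TLS alert bytes, a reset, or nothing at all
    if NOTICE in body.lower():
        result["kind"] = "plain-http-notice"      # the message from the post
    elif result["status"] is not None and result["status"] < 400:
        result["kind"] = "answered-in-plaintext"  # port served plain HTTP
    else:
        result["kind"] = "other-error"
    return result

def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send the post's plaintext request to a server you operate."""
    request = b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n"
    received = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while len(received) < 8192 and (data := sock.recv(4096)):
                received += data
    except OSError:
        pass  # reset or timeout: classify whatever arrived
    return classify_reply(received)

if __name__ == "__main__":
    for sample in (SAMPLE_NOTICE, SAMPLE_OK, SAMPLE_ALERT):
        print(classify_reply(sample))
```
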

10 Responses to “Tomcat SSL Fingerprinting”

  1. Dan Weber Says:

    For security, not so good.

    But for usability? This can be great. Especially when dealing with people who don’t understand that there is a difference between HTTP and HTTPS, especially when using non-standard ports.

  2. LKP Says:

    Well, you can deny that’s quite ironic :)

    If you’re going to say what’s wrong with the request there’s no point in saying that the server didn’t understand such request.

    As far as usable, I don’t necessarily agree because the error states -you’re speaking plain http- and -use https scheme-, so if a user got that error because they didn’t understand the difference between http and https, things like “speaking plain http” or “https scheme” will make no sense to such a user, it will be more usable in that case to say “use https:// instead of http:// in the url to access this resource”

    Anyway, you can’t always get something as useful as the 503 of apache saying “the server made a boo boo”

    :)

  3. kuza55 Says:

    It has nothing to do with Tomcat specifically; All Apache servers I’ve played with do this.

  4. RSnake Says:

    @kuza55 - that’s not my experience (I realize this isn’t Apache’s website, but apache.org doesn’t have SSL enabled):

    [~] telnet www.apache.com 443
    Trying 97.74.11.177...
    Connected to www.apache.com.
    Escape character is '^]'.
    GET / HTTP/1.0
    Host: www.apache.com

    HTTP/1.1 200 OK
    Date: Mon, 06 Oct 2008 14:21:40 GMT
    Server: Apache
    Connection: close
    Content-Type: text/html

    -snip- … not the same error … -snip-

    I also tried it on phpfreaks.com and several others. Maybe it’s only certain versions of Apache…?

  5. mckt Says:

    I just got this from a fedora/apache server:

    Bad Request
    Your browser sent a request that this server could not understand.
    Reason: You’re speaking plain HTTP to an SSL-enabled server port.
    Instead use the HTTPS scheme to access this URL, please.

    And from a Centos/cPanel Apache server:

    Your browser sent a request that this server could not understand:

    (none)/ (port 443)

    It looks like it’s just some stock apache installations that do it.

  6. mckt Says:

    Sorry, my HTML got filtered out.

    From Fedora:

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>400 Bad Request</title>
    </head><body>
    <h1>Bad Request</h1>
    <p>Your browser sent a request that this server could not understand.<br />
    Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
    Instead use the HTTPS scheme to access this URL, please.<br />

  7. thrill Says:

    I think that’s the standard Apache 2.x response.. not tomcat.. :)

  8. kuza55 Says:

    @RSnake:

    Hmmm, my bad, maybe I just haven’t played with enough https servers…

  9. spearfish Says:

    Hah, that’s funny.

  10. MustLive Says:

    RSnake

    In my article Fingerprinting of Apache web server (http://websecurity.com.ua/3725/) I wrote about my method of fingerprinting Apache, which I developed in 2006.

    Also, this method can be used to search for hidden information on servers.