lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <Pine.LNX.4.53.0411121443380.28742@sequoia.daemon.be>
From: maarten at daemon.be (Maarten Van Horenbeeck)
Subject: Re: Web server http protocol version support

Hi Marc,

In RFC 2616, describing version 1.1 of the Hypertext Transfer Protocol, it
is described that the specification expects HTTP/1.1 servers to respond
appropriately with a message in "the same major version used by the
client".    However, this is not in compliance with another RFC, 2145,
which explicitly states that a server should send the highest version it
supports, but "may" send a lower version in case it is suspected that the
client may not handle the higher version correctly.

This means that an HTTP/0.9 request is usually responded to with an
HTTP/0.9 reply.  An HTTP/1.0 request can be responded to with either an
HTTP/1.0 or HTTP/1.1 reply.  This is done because in versions prior to
"major version" 1, no version numbers where used, which would make it
harder for a 0.9 version to identify the server side.

A while back I tested this on a number of web servers.  When sending an
HTTP/0.9 request to an Apache 1.3.31 or SunONE web server, I did in fact
receive an HTTP/0.9 reply.  These are easy to identify as they don't even
contain headers or a version number, just the pure html.  When I did the
same with an IIS 5 or 6, I received an HTTP/1.1 reply.  Both of these are
acceptable, but the Apache/SunONE response is technically "more correct",
as it avoids client interpretation problems.

I've used this quite often to identify a web server when the Server:
header has been obfuscated.  Used together with other items specific to
certain server types (encoding, default settings such as keepalive), this
is quite reliable.

Cheers,
Maarten

--
Maarten Van Horenbeeck, GCIA <maarten@...mon.be>
http://www.daemon.be/maarten

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ