Mongrel users - Oct 2006 - Mongrel HTTP Header Problem

Hi,

I''ve recently been trying to setup Mongrel behind Pound so that I can
do mutual SSL authentication. I''ve had a few problems with Pound
(documented at [1]), but now have it working correctly.

However, I think there is a problem with Mongrel and how it deals with
the headers Pound adds to the HTTP header block. One of the extra
headers Pound adds is ''X-SSL-certificate'' - the full
multi-line client
certificate in PEM format. As the certificate is spread over multiple
lines like this:

X-SSL-certificate: -----BEGIN CERTIFICATE-----
	MIIFbTCCBFWgAwIBAgICH4cwDQYJKoZIhvcNAQEFBQAwcDELMAkGA1UEBhMCVUsx
         ...
        Yhixw1aKEPzNjNowuIseVogKOLXxWI5vAi5HgXdS0/ES5gDGsABo4fqovUKlgop3
	RA=	-----END CERTIFICATE-----

...with a carriage return between each line Mongrel, it seems, cannot
handle the line breaks in the header and with this header present
returns an internal server error ''500''.

Looking at RFC 2616 it seems that whitespace such as this _is_ allowed
in the header block. Section 4.2 says "Header fields can be extended
over multiple lines by preceding each extra line with at least one SP
or HT" - which is exactly what Pound does. Therefore, I think the
problem may be with Mongrel.

I''ve tested this by doing the following:

1) Sniffed the whole HTTP message sent from Pound -> Mongrel using
tcpmon. (Fails - returns ''internal server error'' / 500).

2) Replaying the message into Mongrel directly using telnet, cutting
out the X-SSL-certificate header. Mongrel responds correctly (200).

3) Added in my own arbitary header with a carriage return in it.
Mongrel again returns 500.

I turned on debugging with the ''-B'' option hoping there would
be
something in the log files, but they''re empty.

Can anyone else confirm that caarriage returns in HTTP headers is a
problem for Mongrel?

Many thanks,

Michael.

[1] http://www.apsis.ch/pound/pound_list/archive/2006/2006-10/1159900707000

On Wed, 11 Oct 2006 16:06:34 +0100
"Michael Parkin" <michaelparkin at gmail.com> wrote:
> Hi,
> 
> I''ve recently been trying to setup Mongrel behind Pound so that I
can
> do mutual SSL authentication. I''ve had a few problems with Pound
> (documented at [1]), but now have it working correctly.
>
So with Pound...
 
> However, I think there is a problem with Mongrel and how it deals with
> the headers Pound adds to the HTTP header block. One of the extra
> headers Pound adds is ''X-SSL-certificate'' - the full
multi-line client
> certificate in PEM format. As the certificate is spread over multiple
> lines like this:
> 
> X-SSL-certificate: -----BEGIN CERTIFICATE-----
> 	MIIFbTCCBFWgAwIBAgICH4cwDQYJKoZIhvcNAQEFBQAwcDELMAkGA1UEBhMCVUsx
>          ...
>         Yhixw1aKEPzNjNowuIseVogKOLXxWI5vAi5HgXdS0/ES5gDGsABo4fqovUKlgop3
> 	RA=> 	-----END CERTIFICATE-----
> 
You have some need to send the client''s certificate in a bizarre
header?  Ok, before I go about answer your question you should probably explain
what it is you''re trying to do with this.  There might be a simpler
way.
> ...with a carriage return between each line Mongrel, it seems, cannot
> handle the line breaks in the header and with this header present
> returns an internal server error ''500''.
> 
> Looking at RFC 2616 it seems that whitespace such as this _is_ allowed
> in the header block. Section 4.2 says "Header fields can be extended
> over multiple lines by preceding each extra line with at least one SP
> or HT" - which is exactly what Pound does. Therefore, I think the
> problem may be with Mongrel.
>
That is a horrible bastardization of the RFC and I''d consider it an
abuse of the headers, especially since only Pound does this out of *all* the
HTTP clients people have used.  I''d almost tell them to screw off on
principle (especially since they can encode this without the newlines).

But, let''s look at the Mongrel grammar for headers:

  field_name = (token -- ":")+ >start_field %write_field;
  field_value = any* >start_value %write_value;
  message_header = field_name ":" " "* field_value :>
CRLF;

Says right there field_value accepts "any*" and it''s closed
by a CRLF.  Probably just have to make the exit stronger so that it can include
CR or LF but not both.

If you work up a test case that demonstrates it (preferably a patch to the
mongrel tests) then I can fix it up.
 
> I''ve tested this by doing the following:
> 
One thing you didn''t do is give me information from the mongrel.log. 
There should have been BAD CLIENT information in there.  You also
didn''t turn on USR1 logging so that Mongrel dumps the whole request
that caused BAD CLIENT errors.  If you do send in a test case then include this
information too.


-- 
Zed A. Shaw, MUDCRAP-CE Master Black Belt Sifu
http://www.zedshaw.com/
http://mongrel.rubyforge.org/
http://www.lingr.com/room/3yXhqKbfPy8 -- Come get help.

Hi,

On Mit 11.10.2006 17:17, Zed A. Shaw wrote:
>On Wed, 11 Oct 2006 16:06:34 +0100
>"Michael Parkin" <michaelparkin at gmail.com> wrote:
>
>> ...with a carriage return between each line Mongrel, it seems, cannot
>> handle the line breaks in the header and with this header present
>> returns an internal server error ''500''.
>> 
>> Looking at RFC 2616 it seems that whitespace such as this _is_
>> allowed in the header block. Section 4.2 says "Header fields can
be
>> extended over multiple lines by preceding each extra line with at
>> least one SP or HT" - which is exactly what Pound does. Therefore,
I
>> think the problem may be with Mongrel.
>
>That is a horrible bastardization of the RFC and I''d consider it an
>abuse of the headers, especially since only Pound does this out of
>*all* the HTTP clients people have used.  I''d almost tell them to
screw
>off on principle (especially since they can encode this without the
>newlines).
Let''s look at http://www.and.org/texts/server-http, I think
it''s a nice
conclusion of the rfc.

Regards

Aleks

Michael Parkin wrote:
>Hi,
>
>I''ve recently been trying to setup Mongrel behind Pound so that I
can
>do mutual SSL authentication. I''ve had a few problems with Pound
>(documented at [1]), but now have it working correctly.
>
>However, I think there is a problem with Mongrel and how it deals with
>the headers Pound adds to the HTTP header block. One of the extra
>headers Pound adds is ''X-SSL-certificate'' - the full
multi-line client
>certificate in PEM format. As the certificate is spread over multiple
>lines like this:
>
>X-SSL-certificate: -----BEGIN CERTIFICATE-----
>	MIIFbTCCBFWgAwIBAgICH4cwDQYJKoZIhvcNAQEFBQAwcDELMAkGA1UEBhMCVUsx
>         ...
>        Yhixw1aKEPzNjNowuIseVogKOLXxWI5vAi5HgXdS0/ES5gDGsABo4fqovUKlgop3
>	RA=>	-----END CERTIFICATE-----
>  
>
Do you actually need to use the certificate down stream, if not and you 
just need to know the original request was SSL''d then pound should add 
X-FORWARD type header instead...
>...with a carriage return between each line Mongrel, it seems, cannot
>handle the line breaks in the header and with this header present
>returns an internal server error ''500''.
>
>Looking at RFC 2616 it seems that whitespace such as this _is_ allowed
>in the header block. Section 4.2 says "Header fields can be extended
>over multiple lines by preceding each extra line with at least one SP
>or HT" - which is exactly what Pound does. Therefore, I think the
>problem may be with Mongrel.
>
>I''ve tested this by doing the following:
>
>1) Sniffed the whole HTTP message sent from Pound -> Mongrel using
>tcpmon. (Fails - returns ''internal server error'' / 500).
>
>2) Replaying the message into Mongrel directly using telnet, cutting
>out the X-SSL-certificate header. Mongrel responds correctly (200).
>
>3) Added in my own arbitary header with a carriage return in it.
>Mongrel again returns 500.
>
>I turned on debugging with the ''-B'' option hoping there
would be
>something in the log files, but they''re empty.
>
>Can anyone else confirm that caarriage returns in HTTP headers is a
>problem for Mongrel?
>
>Many thanks,
>
>Michael.
>
>[1] http://www.apsis.ch/pound/pound_list/archive/2006/2006-10/1159900707000
>_______________________________________________
>Mongrel-users mailing list
>Mongrel-users at rubyforge.org
>http://rubyforge.org/mailman/listinfo/mongrel-users
>
>
>
>  
>

Hi Zed,

Thanks for the reply. I''m new to Ruby, Mongrel, Rails, etc. So please
bear with me...

On 10/12/06, Zed A. Shaw <zedshaw at zedshaw.com> wrote:
> You have some need to send the client''s certificate in a bizarre
header?  Ok, before I go about answer your question you should probably explain
what it is you''re trying to do with this.  There might be a simpler
way.
Actually, no - I don''t have any use for this header that Pound sends
Mongrel. But, AFAIK there''s no way to remove it from the headers Pound
sends (ok, I could go in an hack Pound''s source, but I want to have
standard code on my boxes...)
> If you work up a test case that demonstrates it (preferably a patch to the
mongrel tests) then I can fix it up.
ok, as I''ve said I''m new to Ruby and I''m using
developing this
application as a way to learn. This may take some time!
> One thing you didn''t do is give me information from the
mongrel.log.  There should have been BAD CLIENT information in there.
There''s nothing in mongrel.log apart from the standard startup blurb.
I.e:

** Daemonized, any open files are closed.  Look at log/mongrel.pid and
log/mongrel.log for info.
** Starting Mongrel listening at 127.0.0.1:3000
...
** Writing PID file to log/mongrel.pid
> You also didn''t turn on USR1 logging so that Mongrel dumps the
whole request that caused BAD CLIENT errors.  If you do send in a test case then
include this information too.
Thanks for the USR1 tip: when I turn on USR1 I get the output at the
bottom of the email. Is it the \r\n\t''s in the
"X-SSL-certificate"
header that''s the problem here?

Thanks again,

Michael.

** USR1 received, toggling $mongrel_debug_client to true
Thu Oct 12 11:04:48 +0100 2006: BAD CLIENT (127.0.0.1): Invalid HTTP
format, parsing fails.
Thu Oct 12 11:04:48 +0100 2006: REQUEST DATA: "GET /
HTTP/1.1\r\nUser-Agent: curl/7.13.1 (powerpc-apple-darwin8.0)
libcurl/7.13.1 OpenSSL/0.9.7i zlib/1.2.3\r\nHost:
127.0.0.1:3001\r\nPragma: no-cache\r\nAccept:
*/*\r\nX-Forwarded-Proto: https\r\nX-SSL-Subject:         C = xx, O xx, OU = xx,
L = xx, CN = michael parkin\r\nX-SSL-Issuer:         C UK, O = eScience, OU =
Authority, CN = CA, emailAddress ca-operator at
grid-support.ac.uk\r\nX-SSL-notBefore: Jun 19 12:10:30
2006 GMT\r\nX-SSL-notAfter: Jun 19 12:10:30 2007 GMT\r\nX-SSL-serial:
8061\r\nX-SSL-certificate: -----BEGIN
CERTIFICATE-----\r\n\tMIIFbTCCBFWgAwIBAgICH4cwDQYJKoZIhvcNAQEFBQAwcDELMAkGA1UEBhMCVUsx\r\n\tETAPBgNVBAoTCGVTY2llbmNlMRIwEAYDVQQLEwlBdXRob3JpdHkxCzAJBgNVBAMT\r\n\tAkNBMS0wKwYJKoZIhvcNAQkBFh5jYS1vcGVyYXRvckBncmlkLXN1cHBvcnQuYWMu\r\n\tdWswHhcNMDYwNzI3MTQxMzI4WhcNMDcwNzI3MTQxMzI4WjBbMQswCQYDVQQGEwJV\r\n\tSzERMA8GA1UEChMIZVNjaWVuY2UxEzARBgNVBAsTCk1hbmNoZXN0ZXIxCzAJBgNV\r\n\tBAcTmrsogriqMWLAk1DMRcwFQYDVQQDEw5taWNoYWVsIHBhcmQYJKoZIhvcNAQEB\r\n\tBQADggEPADCCAQoCggEBANPEQBgl1IaKdSS1TbhF3hEXSl72G9J+WC/1R64fAcEF\r\n\tW51rEyFYiIeZGx/BVzwXbeBoNUK41OK65sxGuflMo5gLflbwJtHBRIEKAfVVp3YR\r\n\tgW7cMA/s/XKgL1GEC7rQw8lIZT8RApukCGqOVHSi/F1SiFlPDxuDfmdiNzL31+sL\r\n\t0iwHDdNkGjy5pyBSB8Y79dsSJtCW/iaLB0/n8Sj7HgvvZJ7x0fr+RQjYOUUfrePP\r\n\tu2MSpFyf+9BbC/aXgaZuiCvSR+8Snv3xApQY+fULK/xY8h8Ua51iXoQ5jrgu2SqR\r\n\twgA7BUi3G8LFzMBl8FRCDYGUDy7M6QaHXx1ZWIPWNKsCAwEAAaOCAiQwggIgMAwG\r\n\tA1UdEwEB/wQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMA4GA1UdDwEB/wQEAwID6DAs\r\n\tBglghkgBhvhCAQ0EHxYdVUsgZS1TY2llbmNlIFVzZXIgQ2VydGlmaWNhdGUwHQYD\r\n\tVR0OBBYEFDTt/sf9PeMaZDHkUIldrDYMNTBZMIGaBgNVHSMEgZIwgY+AFAI4qxGj\r\n\tloCLDdMVKwiljjDastqooXSkcjBwMQswCQYDVQQGEwJVSzERMA8GA1UEChMIZVNj\r\n\taWVuY2UxEjAQBgNVBAsTCUF1dGhvcml0eTELMAkGA1UEAxMCQ0ExLTArBgkqhkiG\r\n\t9w0BCQEWHmNhLW9wZXJhdG9yQGdyaWQtc3VwcG9ydC5hYy51a4IBADApBgNVHRIE\r\n\tIjAggR5jYS1vcGVyYXRvckBncmlkLXN1cHBvcnQuYWMudWswGQYDVR0gBBIwEDAO\r\n\tBgwrBgEEAdkvAQEBAQYwPQYJYIZIAYb4QgEEBDAWLmh0dHA6Ly9jYS5ncmlkLXN1\r\n\tcHBvcnQuYWMudmT4sopwqlBWsvcHViL2NybC9jYWNybC5jcmwwPQYJYIZIAYb4QgEDBDAWLmh0\r\n\tdHA6Ly9jYS5ncmlkLXN1cHBvcnQuYWMudWsvcHViL2NybC9jYWNybC5jcmwwPwYD\r\n\tVR0fBDgwNjA0oDKgMIYuaHR0cDovL2NhLmdyaWQt5hYy51ay9wdWIv\r\n\tY3JsL2NhY3JsLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAS/U4iiooBENGW/Hwmmd3\r\n\tXCy6Zrt08YjKCzGNjorT98g8uGsqYjSxv/hmi0qlnlHs+k/3Iobc3LjS5AMYr5L8\r\n\tUO7OSkgFFlLHQyC9JzPfmLCAugvzEbyv4Olnsr8hbxF1MbKZoQxUZtMVu29wjfXk\r\n\thTeApBv7eaKCWpSp7MCbvgzm74izKhu3vlDk9w6qVrxePfGgpKPqfHiOoGhFnbTK\r\n\twTC6o2xq5y0qZ03JonF7OJspEd3I5zKY3E+ov7/ZhW6DqT8UFvsAdjvQbXyhV8Eu\r\n\tYhixw1aKEPzNjNowuIseVogKOLXxWI5vAi5HgXdS0/ES5gDGsABo4fqovUKlgop3\r\n\tRA==\r\n\t-----END
CERTIFICATE-----\r\nX-SSL-cipher: AES256-SHA              SSLv3 Kx=RSA
     Au=RSA  Enc=AES(256)  Mac=SHA1\r\nX-Forwarded-For:
xxx.xxx.xxx.xxx\r\n\r\n"
---
PARAMS: {"HTTP_X_SSL_NOTBEFORE"=>"Jun 19 12:10:30 2006
GMT",
"HTTP_USER_AGENT"=>"curl/7.13.1 (powerpc-apple-darwin8.0)
libcurl/7.13.1 OpenSSL/0.9.7i zlib/1.2.3",
"HTTP_HOST"=>"127.0.0.1:3001",
"HTTP_X_SSL_ISSUER"=>"C = UK, O eScience, OU = Authority, CN =
CA, emailAddress ca-operator at grid-support.ac.uk",
"REQUEST_PATH"=>"/",
"HTTP_VERSION"=>"HTTP/1.1",
"HTTP_X_SSL_CERTIFICATE"=>"-----BEGIN
CERTIFICATE-----", "REQUEST_URI"=>"/",
"HTTP_X_SSL_NOTAFTER"=>"Jun 19
12:10:30 2007 GMT",
"HTTP_X_FORWARDED_PROTO"=>"https",
"HTTP_PRAGMA"=>"no-cache",
"HTTP_X_SSL_SERIAL"=>"8071",
"HTTP_X_SSL_SUBJECT"=>"C = xx, O = xx, OU = xx, L = xx, CN =
michael
parkin", "HTTP_ACCEPT"=>"*/*",
"REQUEST_METHOD"=>"GET"}

Hi Kris,

On 10/12/06, Kris Leech <krisleech at interkonect.com> wrote:
> Do you actually need to use the certificate down stream, if not and you
> just need to know the original request was SSL''d then pound should
add
> X-FORWARD type header instead...
Actually, no I don''t need the certificate downstream, but I do need
the other SSL information Pound sends (like the X-SSL-Subject, for
instance).

I haven''t figured out how to remove just the X-SSL-certificate header
- any ideas?

Thanks,

Michael.

On Thu, 12 Oct 2006 09:51:00 +0200
Aleksandar Lazic <al-mongrelusers at none.at> wrote:
> Hi,
> 
> On Mit 11.10.2006 17:17, Zed A. Shaw wrote:
> >On Wed, 11 Oct 2006 16:06:34 +0100
> >"Michael Parkin" <michaelparkin at gmail.com> wrote:
> >
> >> ...with a carriage return between each line Mongrel, it seems,
cannot
> >> handle the line breaks in the header and with this header present
> >> returns an internal server error ''500''.
> >> 
> >> Looking at RFC 2616 it seems that whitespace such as this _is_
> >> allowed in the header block. Section 4.2 says "Header fields
can be
> >> extended over multiple lines by preceding each extra line with at
> >> least one SP or HT" - which is exactly what Pound does.
Therefore, I
> >> think the problem may be with Mongrel.
> >
> >That is a horrible bastardization of the RFC and I''d consider
it an
> >abuse of the headers, especially since only Pound does this out of
> >*all* the HTTP clients people have used.  I''d almost tell them
to screw
> >off on principle (especially since they can encode this without the
> >newlines).
> 
> Let''s look at http://www.and.org/texts/server-http, I think
it''s a nice
> conclusion of the rfc.
> 
Yeah, too bad guys like me who don''t have the baking of 400 such
billion dollar companies get any say in these things.  As I''ve said
millions of times before, just because the damn RFC says it''s allowed
doesn''t mean people should be allowed to do it.  Just nasty.

Then again, I also said that it''s a simple fix as long as I have a good
test case.

-- 
Zed A. Shaw, MUDCRAP-CE Master Black Belt Sifu
http://www.zedshaw.com/
http://mongrel.rubyforge.org/
http://www.lingr.com/room/3yXhqKbfPy8 -- Come get help.

On Thu, 12 Oct 2006 11:18:37 +0100
"Michael Parkin" <michaelparkin at gmail.com> wrote:
> Hi Zed,
> 
> Thanks for the reply. I''m new to Ruby, Mongrel, Rails, etc. So
please
> bear with me...
> 
> On 10/12/06, Zed A. Shaw <zedshaw at zedshaw.com> wrote:
> 
> > You have some need to send the client''s certificate in a
bizarre header?  Ok, before I go about answer your question you should probably
explain what it is you''re trying to do with this.  There might be a
simpler way.
> 
> Actually, no - I don''t have any use for this header that Pound
sends
> Mongrel. But, AFAIK there''s no way to remove it from the headers
Pound
> sends (ok, I could go in an hack Pound''s source, but I want to
have
> standard code on my boxes...)
>
No, there''s gotta be a way to turn that off.  If pound always sent this
then people using pound would have yelled at me sooner.  I''d have
noticed it too since I test under pound.  You''ve got a config telling
pound to do this.
 
> 
> Thanks for the USR1 tip: when I turn on USR1 I get the output at the
> bottom of the email. Is it the \r\n\t''s in the
"X-SSL-certificate"
> header that''s the problem here?
Ok, I can put this in a test as a raw send.  Thanks I''ll let you know
when I toss this fix in.

-- 
Zed A. Shaw, MUDCRAP-CE Master Black Belt Sifu
http://www.zedshaw.com/
http://mongrel.rubyforge.org/
http://www.lingr.com/room/3yXhqKbfPy8 -- Come get help.