#1813 SSL mode generates bad error page over HTTP

1.160
closed
5
2004-10-26
2004-10-26
Jason Haar
No

Hi there

I've just noticed that if I connect to our
HTTPS-enabled Webmin server using HTTP instead of
HTTPS, I get an error page telling me to use the HTTPS
site. The HTTP headers look like this:

GET / HTTP/1.0
HTTP/1.0 200 Bad Request
Server: MiniServ/0.01
Date: Tue, 26 Oct 2004 00:19:50 GMT
Content-type: text/html
Connection: close

Well, that isn't quite correct, is it? I mean -
shouldn't that be something other than HTTP 200? Like
either a 400 (Bad Request) or better yet - a 301 (Moved
Permanently) referencing the https URL.

The reason I found it was that I was running Nessus
against the box - and it HAMMERED port 10000 using HTTP
- trying to find broken/insecure web software/etc.
Obviously it can't get past that error page using HTTP.
Returning a 301 would have (probably) made Nessus turn
into HTTPS mode and allow it to continue with fewer
errors. Better for everyone :-)

Thanks!

Jason

Discussion

  • Jamie Cameron

    Jamie Cameron - 2004-10-26


    The HTTP 200 is correct, because I want to display that
    message to the user. If you prefer Webmin to issue an
    automatic redirect, this can be done by adjusting the Webmin
    Configuration -> SSL Encryption -> Redirect non-SSL requests
    to SSL mode? setting. However, this is not 100% reliable,
    which is why it is not enabled by default.

     
  • Jamie Cameron

    Jamie Cameron - 2004-10-26
    • status: open --> closed
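
How an automated client such as a scanner or uptime check reads the two kinds of reply discussed in this ticket, as an added example that is not part of the ticket or of Webmin's code. The function name, the verdict labels, the constructed HTML body and the placeholder hostname in the redirect sample are assumptions made for illustration.

```python
from http import HTTPStatus

# Headers as quoted in the ticket; the HTML body is constructed.
TICKET_REPLY = (
    b"HTTP/1.0 200 Bad Request\r\nServer: MiniServ/0.01\r\n"
    b"Content-type: text/html\r\nConnection: close\r\n\r\n"
    b"<h1>Error</h1>\n"
)
# Constructed redirect reply; the hostname is a placeholder.
REDIRECT_REPLY = (
    b"HTTP/1.0 301 Moved Permanently\r\n"
    b"Location: https://webmin.example:10000/\r\nConnection: close\r\n\r\n"
)

def classify_plain_http_reply(raw: bytes) -> dict:
    """Classify the reply an SSL-mode port gives to a plain-HTTP request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if (len(parts) < 2 or not parts[0].startswith("HTTP/")
            or not (parts[1].isascii() and parts[1].isdigit())):
        # e.g. a raw TLS alert: the port never spoke HTTP at all
        return {"verdict": "not-http", "code": None,
                "reason_mismatch": False, "location": None}
    code = int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    # Compare the reason phrase with the standard one for this code.
    try:
        expected = HTTPStatus(code).phrase
    except ValueError:
        expected = None
    mismatch = expected is not None and reason.lower() != expected.lower()
    location = headers.get("location")
    if 300 <= code < 400 and (location or "").lower().startswith("https://"):
        verdict = "redirect-to-https"   # client can switch scheme and retry
    elif 200 <= code < 300:
        verdict = "success-status"      # client treats the page as a normal hit
    elif 400 <= code < 500:
        verdict = "client-error"        # client knows the request was rejected
    else:
        verdict = "other"
    return {"verdict": verdict, "code": code,
            "reason_mismatch": mismatch, "location": location}
```

Clients act on the numeric code, not the reason phrase, so the reply quoted in the ticket is classified as a success even though its phrase reads "Bad Request".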
     
