This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Here is the brief description of the issue

Working condition:

When client tried to use method CONNECT a.b.c.d:443 where host header is a.b.c.d:443 things went smooth.

Non-working condition:

When the same client tried to use method CONNECT a.b.c.d:443 where host header is just a.b.c.d(no port number) we are not seeing any further SSL communication.

Is it must to specify host header with port number when the connection is not to default(port 80)?

asked 15 Jul '13, 20:55

krishnayeddula's gravatar image

krishnayeddula
629354148
accept rate: 6%

edited 15 Jul '13, 21:36


CONNECT a.b.c.d:443

CONNECT is the HTTP method used when a client requests a HTTPS connection through a proxy (usually), although it can be used to tunnel other TCP connections through a HTTP proxy as well.

It's up to the client to tell the proxy what to do (CONNECT and possibly Host header). It's up to the proxy to accept or deny that request.

So, if the request with the port in the Host header works and the other request does not work, your proxy dislikes the later for whatever reason (configuration, product limitation).

I did some tests with curl and a proxy and my proxy does not care about the port number in the Host header, at least not for the standard ports.

curl adds the port number to the Host header, even for 'standard' https requests.

C:\tools\curl>curl -k  -v --proxy 172.16.200.1:8080 https://ask.wireshark.org 
* About to connect() to proxy 172.16.200.1 port 8080 (#0)
* Connected to 172.16.200.1 (172.16.200.1) port 8080 (#0)
* Establish HTTP proxy tunnel to ask.wireshark.org:443
> CONNECT ask.wireshark.org:443 HTTP/1.1
> Host: ask.wireshark.org:443
> User-Agent: curl/7.21.3 (i386-pc-win32) libcurl/7.21.3 OpenSSL/0.9.8q zlib/1.2.5

Force a Host header without port.

C:\tools\curl>curl -k  -v -H "Host: ask.wireshark.org" --proxy 172.16.200.1:8080
* Connected to 172.16.200.1 (172.16.200.1) port 8080 (#0)
* Establish HTTP proxy tunnel to ask.wireshark.org:443
> CONNECT ask.wireshark.org:443 HTTP/1.1
> Host: ask.wireshark.org
> User-Agent: curl/7.21.3 (i386-pc-win32) libcurl/7.21.3 OpenSSL/0.9.8q zlib/1.2.5

Result: Both requests were accepted by the proxy.

From RFC 2616:

   The Host field value MUST represent
   the naming authority of the origin server or gateway given by the
   original URL. This allows the origin server or gateway to
   differentiate between internally-ambiguous URLs, such as the root "/"
   URL of a server for multiple host names on a single IP address.

       Host = "Host" ":" host [ ":" port ] ; Section 3.2.2

   A "host" without any trailing port information implies the default
   port for the service requested (e.g., "80" for an HTTP URL).

I read this the following way: If the port in the URI/URL is different than the standard port (80,443), it must be added to the Host header as well. If it is the standard port, you 'can' add it, however it is not required.

Is it must to specify host header with port number when the connection is not to default(port 80)?

I don't think so, if it is one of the standard ports (80,443). However, you can add it without creating problems as long as the port is the same as in the CONNECT statement.

So, your problem is probably a matter of the proxy configuration or a matter of proxy functionality. Please ask the vendor of that software.

UPDATE

I just tried it with a sample host on the internet (the first I found with google). Both my proxy and the server do not complain, if I omit the port number in the Host header, even if it is not one of the 'standard ports'.

HINT: the output is partly anonymized

C:\tools\curl>curl -k  -v --proxy 172.16.200.1:8080 -H "Host: www.bbbb.org" https://www.bbbb.org:8000/
* About to connect() to proxy 172.16.200.1 port 8080 (#0)
*   Trying 172.16.200.1... connected
* Connected to 172.16.200.1 (172.16.200.1) port 8080 (#0)
* Establish HTTP proxy tunnel to www.bbbb.org:8000
> CONNECT www.bbbb.org:8000 HTTP/1.1
> User-Agent: curl/7.21.3 (i386-pc-win32) libcurl/7.21.3 OpenSSL/0.9.8q zlib/1.2
.5
> Proxy-Connection: Keep-Alive
> Host: www.bbbb.org
>
< HTTP/1.1 200 Connection established
< Connection: Keep-Alive
<
* Proxy replied OK to CONNECT request
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
* Server certificate:
*        subject: C=US; ST=OHIO; L=CLEVELAND; O=BBBBBBB; CN=www.bbbb.org
*        start date: 2013-05-09 00:00:00 GMT
*        expire date: 2015-07-02 23:59:59 GMT
*        subjectAltName: www.bbbb.org matched
*        issuer: C=US; O=Thawte, Inc.; CN=Thawte SGC CA - G2
*        SSL certificate verify result: self signed certificate in certificate c
hain (19), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.21.3 (i386-pc-win32) libcurl/7.21.3 OpenSSL/0.9.8q zlib/1.2
.5
> Accept: */*
> Host: www.bbbb.org
>
< HTTP/1.1 200 OK
< Date: Tue, 16 Jul 2013 10:28:01 GMT
< Last-Modified: Sun, 09 Jun 2013 03:12:02 GMT
< ETag: "0-50e-51b3f282"
< Accept-Ranges: bytes
< Content-Length: 1294
< Content-Type: text/html
<

<html>
<head>
<title>E-Business Suite Home Page Redirect</title>
<meta http-equiv="REFRESH" content="1; URL=&lt;a href=" https:="" www.bbbb.org:8000="" oa_html="" appslogin"="">">https://www.bbbb.org:8000/OA_HTML/AppsLogin">
</head>
<body>
REMOVED
</body>
</html>
 * Connection #0 to host 172.16.200.1 left intact
 * Closing connection #0
 * SSLv3, TLS alert, Client hello (1):

Regards
Kurt

permanent link

answered 16 Jul '13, 02:59

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 16 Jul '13, 05:52

Kurt, Extremely thankful for your reply.This is igniting interest to keep on learning/contributing from/to this community.I will check with the vendor of that software for any anomaly and update the thread. Thanks again.

(16 Jul '13, 07:39) krishnayeddula

.I will check with the vendor of that software for any anomaly and update the thread.

Thanks!

BTW: Just for my interest. Is it possible to name the vendor here?

(16 Jul '13, 07:46) Kurt Knochner ♦

I'm interested in the answer of their support. I guess (based on experience with all kinds of vendors), they will first claim, that it is not RFC compliant to omit the port. And I'm not really sure either (see above).

(16 Jul '13, 08:05) Kurt Knochner ♦

Kurt i just deleted the application vendor name for privacy reasons(my friend is following this thread too:))I will get back to you once the proxy folks respond to this issue.

(16 Jul '13, 08:16) krishnayeddula
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×293
×40
×10

question asked: 15 Jul '13, 20:55

question was seen: 111,262 times

last updated: 16 Jul '13, 08:16

p​o​w​e​r​e​d by O​S​Q​A