Network Working Group                                         E. Rescorla
RFC 2818                                                    Informational

                              HTTP Over TLS
It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. All Rights Reserved.

This document documents that practice using TLS.

Table of Contents

   Requirements Terminology
   Connection Initiation
   Connection Closure
      Client Behavior
      Server Behavior
   Port Number
   URI Format
   Endpoint Identification
      Server Identity
      Client Identity

However, increased use of HTTP for sensitive applications has required security measures.
When the TLS handshake has finished, the client may initiate the first HTTP request. Normal HTTP behavior, including retained connections, should be followed.

Connection Closure

TLS provides a facility for secure connection closure. When a valid closure alert is received, an implementation can be assured that no further data will be received on that connection. A TLS implementation MAY, after sending a closure alert, close the connection without waiting for the peer to send its closure alert, generating an "incomplete close".
Note that an implementation which does this MAY choose to reuse the session.

Client Behavior

Because HTTP uses connection closure to signal the end of server data, client implementations MUST treat any premature closes as errors and the data received as potentially truncated. While in some cases the HTTP protocol allows the client to find out whether truncation took place so that, if it received the complete reply, it may tolerate such errors following the principle to "[be] strict when sending and tolerant when receiving" [RFC], often truncation does not show in the HTTP protocol data; two cases in particular deserve special note:

An HTTP response without a Content-Length header. Since data length in this situation is signalled by connection close, a premature close generated by the server cannot be distinguished from a spurious close generated by an attacker.

An HTTP response with a Content-Length header, closed before all the data has been read. Because TLS does not provide document oriented protection, it is impossible to determine whether the server has miscomputed the Content-Length or an attacker has truncated the connection.
There is one exception to the above rule. When encountering a premature close, a client SHOULD treat as completed all requests for which it has received as much data as specified in the Content-Length header. Clients MUST send a closure alert before closing the connection.

Server Behavior

In particular, servers SHOULD be prepared to receive an incomplete close from the client, since the client can often determine when the end of server data is. When Content-Length is used, however, the client may have already sent the closure alert and dropped the connection. Servers MUST attempt to initiate an exchange of closure alerts with the client before closing the connection. Servers MAY close the connection after sending the closure alert, thus generating an incomplete close on the client side.

Port Number

TLS only presumes a reliable connection-oriented data stream.
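The client-side rules above (premature close is an error; a response is complete only if Content-Length bytes arrived; without Content-Length only a valid closure alert proves the body is whole) can be turned into a small decision routine. The following is an added example, not code from RFC 2818: the transport is simulated, each sample is constructed response bytes plus a flag saying whether a TLS close_notify alert arrived before the connection dropped, and the chunked-coding branch illustrates the "in some cases the HTTP protocol allows the client to find out" remark, which the RFC text does not spell out.

```python
"""Client handling of TLS connection closure for HTTP/1.x responses,
following the Client Behavior rules of RFC 2818 (added example; the
transport and the sample responses are constructed, not captured)."""

COMPLETE = "complete"          # safe to hand to the application
TRUNCATED = "truncated"        # fewer bytes than promised: treat as error
INCOMPLETE_CLOSE = "error"     # premature close with unknown length: error


def split_response(raw: bytes):
    """Split raw response bytes into (header dict, body).
    Returns (None, raw) if the header block never terminated."""
    sep = raw.find(b"\r\n\r\n")
    if sep < 0:
        return None, raw
    head, body = raw[:sep], raw[sep + 4:]
    headers = {}
    for line in head.split(b"\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def classify_close(raw: bytes, close_notify_received: bool) -> str:
    """Decide what the client may assume once the connection has closed."""
    headers, body = split_response(raw)
    if headers is None:
        return TRUNCATED                          # not even the headers arrived
    if b"content-length" in headers:
        expected = int(headers[b"content-length"].decode())
        # RFC 2818 exception: with Content-Length bytes in hand the request is
        # treated as completed even when the TLS close was premature.
        if len(body) >= expected:
            return COMPLETE
        # TLS has no document-level integrity, so a server miscount and an
        # attacker-induced truncation are indistinguishable here.
        return TRUNCATED
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        # Chunked coding lets HTTP itself reveal truncation: a body without
        # the terminating zero-length chunk is incomplete regardless of TLS.
        done = body == b"0\r\n\r\n" or body.endswith(b"\r\n0\r\n\r\n")
        return COMPLETE if done else TRUNCATED
    # No length information: the close itself marks the end of the body, so
    # only a valid close_notify distinguishes "done" from "cut off".
    return COMPLETE if close_notify_received else INCOMPLETE_CLOSE


# Constructed sample responses: (raw bytes, close_notify received before drop).
SAMPLES = {
    "full_body_clean_close": (b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello", True),
    "full_body_premature_close": (b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello", False),
    "short_body": (b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhel", True),
    "no_length_clean_close": (b"HTTP/1.1 200 OK\r\n\r\nhello world", True),
    "no_length_premature_close": (b"HTTP/1.1 200 OK\r\n\r\nhello world", False),
    "chunked_complete": (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n", False),
    "chunked_cut": (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhel", True),
}


def classify_samples() -> dict:
    """Run every constructed sample through classify_close."""
    return {name: classify_close(raw, cn) for name, (raw, cn) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:28s} -> {verdict}")
```

Note that "full_body_premature_close" is accepted: the server dropped the TCP connection without a closure alert, but the client already holds the promised number of bytes, which is exactly the exception the text carves out. "no_length_premature_close" is the dangerous case, since nothing in the data tells the client whether the server or a man-in-the-middle ended the stream.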
Endpoint Identification

Server Identity

As a consequence, the hostname for the server is known to the client. If the client has external information as to the expected identity of the server, the hostname check MAY be omitted. For instance, a client may be connecting to a machine whose address and hostname are dynamic but the client knows the certificate that the server will present.
Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead. Matching is performed using the matching rules specified by [RFC].
If more than one identity of a given type is present in the certificate e. If the hostname does not match the identity in the certificate, user oriented clients MUST either notify the user (clients MAY give the user the opportunity to continue with the connection in any case) or terminate the connection with a bad certificate error. Note that in many cases the URI itself comes from an untrusted source. The above-described check provides no protection against attacks where this source is compromised.
In order to prevent this form of attack, users should carefully examine the certificate presented by the server to determine if it meets their expectations.
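The server identity check described above (dNSName entries take precedence, the Common Name is only a deprecated fallback, any one of several identities may match, and the hostname check may be skipped when the client already knows which certificate to expect) is shown below as an added example; it is not code from RFC 2818 or from any TLS library. Certificates are represented as constructed dicts rather than parsed X.509 objects, the field names `dns_names`, `common_name` and `fingerprint` are this example's own, and the wildcard rule implemented (`*` matches one label or a fragment of one label, so `*.a.com` matches `foo.a.com` but not `bar.foo.a.com`) is the one RFC 2818 states in the part of section 3.1 not reproduced in the excerpt above.

```python
"""Server identity check in the style of RFC 2818 section 3.1.
Added example with constructed certificate dicts; not library code."""


def _label_matches(pattern: str, label: str) -> bool:
    """Match a single DNS label; '*' matches any single label or fragment
    of a label (at most one wildcard per label is assumed here)."""
    if "*" not in pattern:
        return pattern == label
    prefix, _, suffix = pattern.partition("*")
    return (len(label) >= len(prefix) + len(suffix)
            and label.startswith(prefix) and label.endswith(suffix))


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive, label-by-label comparison of a certificate name
    against the hostname the client intended to reach."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):      # a wildcard never spans labels
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def check_server_identity(cert: dict, hostname: str) -> tuple:
    """Return (matched, reason). Caller decides whether to warn or abort."""
    dns_names = cert.get("dns_names") or []
    if dns_names:
        # subjectAltName dNSName present: it MUST be used as the identity,
        # and a match against any one of the entries is acceptable.
        if any(name_matches(n, hostname) for n in dns_names):
            return True, "dNSName match"
        return False, "no dNSName matches hostname"
    cn = cert.get("common_name")
    if cn and name_matches(cn, hostname):
        # Only reached when no dNSName is present; deprecated practice.
        return True, "Common Name match (deprecated fallback)"
    return False, "no identity matches hostname"


def verify_server(cert: dict, hostname: str, pinned_fingerprint=None) -> tuple:
    """Full check: a client with external knowledge of the expected
    certificate MAY skip the hostname comparison and compare the pin instead."""
    if pinned_fingerprint is not None:
        ok = cert.get("fingerprint") == pinned_fingerprint
        return ok, "pinned certificate match" if ok else "pinned certificate mismatch"
    return check_server_identity(cert, hostname)


# Constructed certificates (fields and fingerprints are illustrative only).
SAN_CERT = {
    "dns_names": ["www.example.test", "*.api.example.test"],
    "common_name": "ignored.example.test",
    "fingerprint": "constructed-fp-1",
}
CN_ONLY_CERT = {
    "dns_names": [],
    "common_name": "legacy.example.test",
    "fingerprint": "constructed-fp-2",
}


if __name__ == "__main__":
    for host in ("www.example.test", "v1.api.example.test", "deep.v1.api.example.test"):
        print(host, check_server_identity(SAN_CERT, host))
    print("pinned:", verify_server(CN_ONLY_CERT, "anything.example.test",
                                   pinned_fingerprint="constructed-fp-2"))
```

The Common Name of `SAN_CERT` is deliberately a name that would match nothing the client asks for: because dNSName entries are present, the CN is never consulted, which is the precedence rule the text lays down. The pinned path only replaces the hostname comparison; it still relies on TLS having verified the certificate's signature chain, and a mismatched pin is a failure, not a fallback to the name check.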
Security Considerations

This entire document is about security.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

Rescorla                                                    Informational