Full Disclosure mailing list archives
Re: Web server http protocol version support
From: Maarten Van Horenbeeck <maarten () daemon be>
Date: Fri, 12 Nov 2004 14:48:13 +0000 (GMT)
Hi Marc, In RFC 2616, describing version 1.1 of the Hypertext Transfer Protocol, it is described that the specification expects HTTP/1.1 servers to respond appropriately with a message in "the same major version used by the client". However, this is not in compliance with another RFC, 2145, which explicitly states that a server should send the highest version it supports, but "may" send a lower version in case it is suspected that the client may not handle the higher version correctly. This means that an HTTP/0.9 request is usually responded to with an HTTP/0.9 reply. An HTTP/1.0 request can be responded to with either an HTTP/1.0 or HTTP/1.1 reply. This is done because in versions prior to "major version" 1, no version numbers where used, which would make it harder for a 0.9 version to identify the server side. A while back I tested this on a number of web servers. When sending an HTTP/0.9 request to an Apache 1.3.31 or SunONE web server, I did in fact receive an HTTP/0.9 reply. These are easy to identify as they don't even contain headers or a version number, just the pure html. When I did the same with an IIS 5 or 6, I received an HTTP/1.1 reply. Both of these are acceptable, but the Apache/SunONE response is technically "more correct", as it avoids client interpretation problems. I've used this quite often to identify a web server when the Server: header has been obfuscated. Used together with other items specific to certain server types (encoding, default settings such as keepalive), this is quite reliable. Cheers, Maarten -- Maarten Van Horenbeeck, GCIA <maarten () daemon be> http://www.daemon.be/maarten _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Web server http protocol version support Marc Ruef (Nov 08)
- <Possible follow-ups>
- Re: Web server http protocol version support Maarten Van Horenbeeck (Nov 12)