Upgrade TLS Connection support (RFC 2817)
It would be great to have the ability to detect incoming non-SSL connection requests when running in SSL mode and upgrade them to SSL.
RFC - https://tools.ietf.org/html/rfc2817
Apache supports this since version 2.1
I wonder if that is used at all; most web pages use a 301 redirect to switch to https, and the virtual SSL hosting is solved by creating subject alt names in the certificate.
That would work only in situations where the default ports 80/443 are used. There's no way I know of to promote a connection on the same port within Vert.x, currently.
Obviously it's not possible on a single port, but there is really no use case where a client connects to an http connection on a high port just to upgrade to SSL. Either the connection has to be SSL, where the client will connect with SSL first hand, or it is optional, in which case 2 ports are the preferred solution, I would think.
RFC 2817 specifies the two-port solution is not practical and was specifically written to prevent multiple two-port solutions. This problem rears its head specifically when using IPP (an Apache HTTP module written to support IPP). The Apache HTTP "SSLEngine optional" directive does not appear to work properly when an RFC 2817 section 3.2 Mandatory Upgrade is sent by an IPP client. Apache responds with Section 3.3 Server Acceptance of Upgrade Request (HTTP/1.1 101 Switching Protocols), but then does not complete the response as specified by HTTP/1.1 Section 10.1.2. So Apache is basically broken and does not properly support RFC 2817 Upgrade. BTW - All IPP clients that I have worked with do not support 301 Redirect, so the only fix to this problem would be support for RFC 2817.
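The single-port decision discussed in this thread, as an added example that is not part of the thread and is not Vert.x or Apache code: a server-side sketch that inspects the first bytes of a connection and picks between a direct TLS handshake, the RFC 2817 section 3.3 `101` acceptance, and the section 4.2 `426 Upgrade Required` refusal. The function names, the `printer.example` host and the sample requests are assumptions constructed for illustration, and the caller is assumed to have buffered the complete request head.

```python
# Constructed sample inputs (not captured traffic).
MANDATORY = (b"OPTIONS * HTTP/1.1\r\nHost: printer.example\r\n"
             b"Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n")
PLAIN_GET = b"GET /index.html HTTP/1.1\r\nHost: printer.example\r\n\r\n"
TLS_RECORD = b"\x16\x03\x01\x00\x05hello"  # handshake record header + filler


def is_tls_record(first: bytes) -> bool:
    # A TLS record starts with content type 0x16 (handshake) and major version 0x03.
    return len(first) >= 3 and first[0] == 0x16 and first[1] == 0x03


def header_tokens(request: bytes, name: str) -> set:
    # Collect the comma-separated tokens of every header line called `name`,
    # lower-cased, because header names and these tokens are case-insensitive.
    head = request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    found = set()
    for line in head.split("\r\n")[1:]:
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name:
            found.update(t.strip().lower() for t in value.split(",") if t.strip())
    return found


def decide(first_bytes: bytes):
    """Return (action, response) for the first bytes seen on the port.

    "handshake": client spoke TLS first; start the handshake, send nothing.
    "upgrade":   send the 101, run the TLS handshake on the same socket, then
                 answer the original request over TLS (RFC 2817 section 3.3).
    "reject":    cleartext request without the Upgrade offer; send 426 so no
                 content is served unencrypted (RFC 2817 section 4.2).
    """
    if is_tls_record(first_bytes):
        return "handshake", b""
    offers_tls = ("tls/1.0" in header_tokens(first_bytes, "upgrade")
                  and "upgrade" in header_tokens(first_bytes, "connection"))
    if offers_tls:
        status, extra = "101 Switching Protocols", ""
    else:
        status, extra = "426 Upgrade Required", "Content-Length: 0\r\n"
    response = (f"HTTP/1.1 {status}\r\nUpgrade: TLS/1.0, HTTP/1.1\r\n"
                f"Connection: Upgrade\r\n{extra}\r\n").encode("ascii")
    return ("upgrade" if offers_tls else "reject"), response


if __name__ == "__main__":
    for sample in (TLS_RECORD, MANDATORY, PLAIN_GET):
        print(decide(sample))
```

Because the Upgrade offer travels in cleartext, the `reject` branch is what keeps a request with a missing or stripped Upgrade header from being answered unencrypted.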