Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. All Rights Reserved. This allows unsecured and secured HTTP traffic to share the same well-known port (in this case, http: at 80 rather than https: at its own separate port).
Table of contents (fragments): Upgrade across Proxies. Rationale for the use of a 4xx (client error) Status Code. IANA Considerations. Security Considerations.
Parallel well-known port numbers have similarly been requested, and in some cases granted, to distinguish between secured and unsecured use of other application protocols. This approach effectively halves the number of available well-known ports. In fact, nothing in this memo affects the current interpretation of https: URIs. The Upgrade mechanism also solves the "virtual hosting" problem.
Introduction. TLS, a.k.a. SSL. Initially, a handshake phase uses three subprotocols to set up a record layer, authenticate endpoints, set parameters, and report errors.
Then, there is an ongoing layered record protocol that handles encryption, compression, and reassembly for the remainder of the connection. The latter is intended to be completely transparent. Section 3 and Section 4 describe the operation of a directly connected client and server. Intermediate proxies must establish an end-to-end tunnel before applying those operations, as explained in Section 5.
In conjunction with the "Upgrade Required" status code, a server can advertise the exact protocol upgrade(s) that a client MUST accept to complete the request. Note that even if a client is willing to use TLS, it must use the operations in Section 3 to proceed; the TLS handshake cannot begin immediately after the response. If a User Agent sends a request with an Upgrade header to a proxy, it is requesting a change to the protocol between itself and the proxy, not an end-to-end change.
Since TLS, in particular, requires end-to-end connectivity to provide authentication and prevent man-in-the-middle attacks, this memo specifies the CONNECT method to establish a tunnel across proxies. Once a tunnel is established, any of the operations in Section 3 can be used to establish a TLS connection.
Similarly, a proxy might return a response to its client to change the protocol on that connection independently of the protocols it is using to communicate toward the origin server.
These scenarios also complicate diagnosis of a response. Since Upgrade is a hop-by-hop header, a proxy that does not recognize the status code might remove the accompanying Upgrade header and prevent the client from determining the required protocol switch. If a client receives an "Upgrade Required" status without an accompanying Upgrade header, it will need to request an end-to-end tunnel connection as described in Section 5. This hop-by-hop definition of Upgrade was a deliberate choice. It allows for incremental deployment on either side of proxies, and for optimized protocols between cascaded proxies without the knowledge of the parties that are not a part of the change.
The usual caveats also apply: data may be discarded if the eventual response is negative, and the connection may be reset with no response if more than one TCP segment is outstanding. It may be the case that the proxy itself can only reach the requested origin server through another proxy. If at any point either one of the peers gets disconnected, any outstanding data that came from that peer will be passed to the other one, and after that also the other connection will be terminated by the proxy.
If there is outstanding data to that peer still undelivered, that data will be discarded.
Rationale for the use of a 4xx (client error) Status Code
Reliable, interoperable negotiation of Upgrade features requires an unambiguous failure signal. The Upgrade Required status code allows a server to definitively state the precise protocol extensions a given resource must be served with. User agents that do not understand Upgrade: preclude this.
Suppose that a 3xx code had been assigned for "Upgrade Required"; a user agent that did not recognize it would treat it as a generic 3xx redirection. It would then properly look for a "Location" header in the response and attempt to repeat the request at the URL in that header field.
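The decision described above, as an added example that is not part of the RFC text: a client parses the server's response, and on "Upgrade Required" (status 426 in RFC 2817) either upgrades on the current hop, or, when the Upgrade header is absent (for instance stripped by a proxy) or a proxy is in the path, falls back to a CONNECT tunnel (Section 5). The host name, port and response bytes are constructed sample values.

```python
import re

UPGRADE_REQUIRED = 426  # status code RFC 2817 assigns to "Upgrade Required"

def parse_response(raw: bytes):
    """Parse the status line and headers of a raw HTTP/1.1 response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    m = re.match(r"HTTP/1\.\d (\d{3})", status_line)
    if not m:
        raise ValueError("malformed status line: %r" % status_line)
    headers = {}
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers

def upgrade_tokens(headers):
    """Upgrade is a comma-separated list of product[/version] tokens."""
    return [t.strip() for t in headers.get("upgrade", "").split(",") if t.strip()]

def next_step(raw: bytes, via_proxy: bool):
    """Return (action, tokens): 'proceed', 'upgrade' on this hop, or 'connect_tunnel'."""
    status, headers = parse_response(raw)
    if status != UPGRADE_REQUIRED:
        return ("proceed", [])
    tokens = upgrade_tokens(headers)
    if tokens and not via_proxy:
        return ("upgrade", tokens)  # Section 3: resend with Upgrade on this hop
    # Upgrade is hop-by-hop: a proxy may have stripped it (no tokens), and TLS
    # needs end-to-end connectivity anyway, so ask for a tunnel (Section 5).
    return ("connect_tunnel", tokens)

def connect_request(host: str, port: int) -> bytes:
    """Build the CONNECT request that opens an end-to-end tunnel via a proxy."""
    return ("CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n"
            % (host, port, host, port)).encode("ascii")

# Constructed sample responses: one delivered directly, one with Upgrade stripped.
DIRECT = (b"HTTP/1.1 426 Upgrade Required\r\nUpgrade: TLS/1.0, HTTP/1.1\r\n"
          b"Connection: Upgrade\r\nContent-Length: 0\r\n\r\n")
STRIPPED = b"HTTP/1.1 426 Upgrade Required\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(next_step(DIRECT, via_proxy=False))
    print(next_step(STRIPPED, via_proxy=True))
    print(connect_request("example.com", 443))
```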
The initial values for this name space are those specified by: 1. ...; 2. Web Distributed Authoring and Versioning [4] (defines ...); 3. ... Each registered token should be associated with one or a set of specifications, and with contact information.
A token, once registered, stays registered forever. The registration MUST name a responsible party for the registration. The registration MUST name a point of contact. The registration MAY name the documentation required for the token. The responsible party MAY change the registration at any time. The IANA will keep a record of all such changes, and make them available upon request.
The responsible party for the first registration of a "product" token MUST approve later registrations of a "version" token together with that "product" token before they can be registered. This will normally only be used in the case when a responsible party cannot be contacted. Since TLS compliance should be considered a feature of the server and not the resource at hand, it should be sufficient to send it once, and let clients cache that fact.
The choice of what security characteristics are required on the connection is left to the client and server. This allows either party to use any information available in making this determination.
First, such authorization should be limited to a small number of known ports. The Upgrade: mechanism defined here only requires onward tunneling at a single port. Second, since tunneled data is opaque to the proxy, there are additional risks to tunneling to other well-known or reserved ports.
References. [1] Fielding, R. ... Also available in: ... Luotonen, Ari. ... The definition of the CONNECT method provided here is derived directly from that earlier memo, with some editorial changes and conformance to the stylistic conventions since established in other HTTP specifications. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works.
However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
HTTP Over TLS
Network Working Group, E. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. All Rights Reserved. This document describes that practice using TLS. Table of Contents 1. Requirements Terminology.
When the TLS handshake has finished, the client may then initiate the first HTTP request. Normal HTTP behavior, including persistent connections, should be followed. Connection Closure. TLS provides a facility for secure connection closure. When a valid closure alert is received, an implementation can be assured that no further data will be received on that connection. A TLS implementation MAY, after sending a closure alert, close the connection without waiting for the peer to send its closure alert, generating an "incomplete close". Note that an implementation which does this MAY choose to reuse the session.