According to RFC 2818, Section 2: http://www.ietf.org/rfc/rfc2818.txt
"Conceptually, HTTP/TLS is very simple. Simply use HTTP over TLS precisely as you would use HTTP over TCP."
I have an application that connects to a web server on port 443 with a TLS/SSL client. After connecting, the TLS client sends an HTTP header and associated HTTP payload (all contained as application payload for the TLS/SSL client).
POST https://www.somehost.com/pubs/m_login HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Host: www.somehost.com
User-Agent: NativeHost
Content-Length: 50username=user%40example.com&password=password
I receive a 200 response from the server, indicating it got my request. However, the HTTP response body contains the actual server application response and this indicates a failure.
HTTP/1.1 200 OK
Date: Tue, 18 Mar 2014 02:47:43 GMT
Server: Apache/2.2.24 (FreeBSD) mod_fastcgi/2.4.6 mod_ssl/2.2.24 OpenSSL/0.9.8e DAV/2 mod_perl/2.0.8 Perl/v5.12.5
Cache-Control: no-cache, max-age=0
Pragma: no-cache0
Content-Length: 118
Set-Cookie: bcdb_session=cd12abe27a5c55e3a076763329cc0cd31e246751; path=/; expires=Tue, 01-Apr-2014 02:47:43 GMT; HttpOnly
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml; charset=UTF-8<?xml version="1.0" encoding="UTF-8"?>
<appname>
<error>not_logged_in</error>
<status>error</status>
</appname>
When I use a client capable of HTTPS and send the send request headers and body, I get a successful response (Both a http 200 response and the response body indicates success).
HTTP/1.1 200 OK
Date: Tue, 18 Mar 2014 03:04:22 GMT
Server: Apache/2.2.24 (FreeBSD) mod_fastcgi/2.4.6 mod_ssl/2.2.24 OpenSSL/0.9.8e DAV/2 mod_perl/2.0.8 Perl/v5.12.5
Cache-Control: no-cache, max-age=0
Pragma: no-cache0
Content-Length: 84
Set-Cookie: bcdb_session=9c0e22a54d7fc28dbd19b748c287d1b25166d78c; path=/; expires=Tue, 01-Apr-2014 03:04:22 GMT; HttpOnly
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml; charset=UTF-8<?xml version="1.0" encoding="UTF-8"?>
<appname>
<status>ok</status>
</appname>
I have tried to capture the network data for the two scenarios and compare them. I can capture the HTTPS client as it supports an HTTP-proxy (and I use Fiddler). The SSL/TLS client cannot use an HTTP proxy solution, but it supports a SOCKS proxy.
Two questions:
1) Any idea why there may be a different result using an HTTPS client vs. a TLS/SSL client?
2) Can someone recommend a SOCKS proxy to use that will provide similar access to the request/response data as Fiddler does?
Thanks, Mike