[stunnel-users] Incompatibility - Content-length parsing

Marcin Gryszkalis mg at fork.pl
Wed May 13 13:38:33 CEST 2015


I noticed that parsing of HTTP header fields is not robust enough and 
not RFC compliant - and that way it causes incompatibility with 
Microsoft TMG proxy with NTLM authentication.

The symptom is "Proxy-Authenticate: Invalid Content-Length" message 
while the header received is "Content-Length: 0     " <- note trailing 

The responsible piece of code is in protocol.c:
    if(tmpstr==line+16 || *tmpstr || content_length<0) {

(tmpstr contains trailing spaces in this case).

According to RFC 7230 trailing space is allowed and should be discarded 
by parser:

    A field value might be preceded and/or followed by optional
    whitespace (OWS); a single SP preceding the field-value is preferred
    for consistent readability by humans.  The field value does not
    include any leading or trailing whitespace: OWS occurring before the
    first non-whitespace octet of the field value or after the last
    non-whitespace octet of the field value ought to be excluded by
    parsers when extracting the field value from a header field.

best regards

Marcin Gryszkalis, PGP 0xA5DBEEC7
jabber jid:mg at fork.pl
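
Added example, not part of the original message and not stunnel's code: one way to parse a Content-Length line so that OWS around the value is discarded as RFC 7230 describes, while signs, trailing garbage and out-of-range values are still rejected. The function name parse_content_length and the sample lines are assumptions made for this illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>

/* OWS in RFC 7230 is SP or HTAB only. */
static const char *skip_ows(const char *p) {
    while (*p == ' ' || *p == '\t')
        ++p;
    return p;
}

/* Hypothetical helper: parse a "Content-Length:" header line (CRLF removed).
 * Returns 0 and stores the value in *out, or -1 if the field is invalid. */
int parse_content_length(const char *line, long *out) {
    static const char name[] = "Content-Length:";
    const char *p;
    char *end;
    long val;

    if (strncasecmp(line, name, sizeof name - 1) != 0)
        return -1;
    p = skip_ows(line + sizeof name - 1);   /* leading OWS */
    if (!isdigit((unsigned char)*p))        /* 1*DIGIT: no sign, not empty */
        return -1;
    errno = 0;
    val = strtol(p, &end, 10);
    if (errno == ERANGE)                    /* value does not fit in a long */
        return -1;
    end = (char *)skip_ows(end);            /* trailing OWS is discarded */
    if (*end != '\0')                       /* anything else is rejected */
        return -1;
    *out = val;
    return 0;
}

int main(void) {
    /* Constructed sample lines; the first is the header from the report. */
    const char *samples[] = { "Content-Length: 0     ", "Content-Length: 12x",
                              "Content-Length: -5", "Content-Length:\t42\t" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; ++i) {
        long n = -1;
        int rc = parse_content_length(samples[i], &n);
        printf("\"%s\" -> rc=%d len=%ld\n", samples[i], rc, n);
    }
    return 0;
}
```

Only trailing SP and HTAB are skipped, so a value such as "12 34" or "12x" still fails.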
