draft-ietf-tls-http-upgrade-04.txt   draft-ietf-tls-http-upgrade-05.txt 
Network Working Group R. Khare Network Working Group R. Khare
Internet-Draft 4K Associates / UC Irvine Internet-Draft 4K Associates / UC Irvine
Expires: April 21, 2000 S. Lawrence Expires: July 5, 2000 S. Lawrence
Agranat Systems, Inc. Agranat Systems, Inc.
October 22, 1999 January 5, 2000
Upgrading to TLS Within HTTP/1.1 Upgrading to TLS Within HTTP/1.1
draft-ietf-tls-http-upgrade-04.txt draft-ietf-tls-http-upgrade-05.txt
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as other groups may also distribute working documents as
Internet-Drafts. Internet-Drafts.
skipping to change at page 1, line 32 skipping to change at page 1, line 32
months and may be updated, replaced, or obsoleted by other documents months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 21, 2000. This Internet-Draft will expire on July 5, 2000.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved. Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract Abstract
This memo explains how to use the Upgrade mechanism in HTTP/1.1 to This memo explains how to use the Upgrade mechanism in HTTP/1.1 to
initiate Transport Layer Security (TLS) over an existing TCP initiate Transport Layer Security (TLS) over an existing TCP
connection. This allows unsecured and secured HTTP traffic to share connection. This allows unsecured and secured HTTP traffic to share
the same well known port (in this case, http: at 80 rather than the same well known port (in this case, http: at 80 rather than
https: at 443). It also enables "virtual hosting," so a single HTTP https: at 443). It also enables "virtual hosting," so a single HTTP
+ TLS server can disambiguate traffic intended for several hostnames + TLS server can disambiguate traffic intended for several hostnames
at a single IP address. at a single IP address.
skipping to change at page 2, line 20 skipping to change at page 2, line 20
This memo is intended to proceed directly to Proposed Standard, This memo is intended to proceed directly to Proposed Standard,
since its functionality has been extensively debated, but not since its functionality has been extensively debated, but not
implemented, over the last two years. It is expected to update RFC implemented, over the last two years. It is expected to update RFC
2616. 2616.
Table of Contents Table of Contents
1. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1 Requirements Terminology . . . . . . . . . . . . . . . . . . . 4
3. Client Requested Upgrade to HTTP over TLS . . . . . . . . . . 4 3. Client Requested Upgrade to HTTP over TLS . . . . . . . . . . 4
3.1 Optional Upgrade . . . . . . . . . . . . . . . . . . . . . . . 4 3.1 Optional Upgrade . . . . . . . . . . . . . . . . . . . . . . . 4
3.2 Mandatory Upgrade . . . . . . . . . . . . . . . . . . . . . . 4 3.2 Mandatory Upgrade . . . . . . . . . . . . . . . . . . . . . . 4
3.3 Server Acceptance of Upgrade Request . . . . . . . . . . . . . 5 3.3 Server Acceptance of Upgrade Request . . . . . . . . . . . . . 5
4. Server Requested Upgrade to HTTP over TLS . . . . . . . . . . 5 4. Server Requested Upgrade to HTTP over TLS . . . . . . . . . . 5
4.1 Optional Advertisement . . . . . . . . . . . . . . . . . . . . 5 4.1 Optional Advertisement . . . . . . . . . . . . . . . . . . . . 5
4.2 Mandatory Advertisement . . . . . . . . . . . . . . . . . . . 5 4.2 Mandatory Advertisement . . . . . . . . . . . . . . . . . . . 5
5. Upgrade across Proxies . . . . . . . . . . . . . . . . . . . . 6 5. Upgrade across Proxies . . . . . . . . . . . . . . . . . . . . 6
5.1 Implications of Hop By Hop Upgrade . . . . . . . . . . . . . . 6 5.1 Implications of Hop By Hop Upgrade . . . . . . . . . . . . . . 6
5.2 Requesting a Tunnel with CONNECT . . . . . . . . . . . . . . . 6 5.2 Requesting a Tunnel with CONNECT . . . . . . . . . . . . . . . 7
5.3 Establishing a Tunnel with CONNECT . . . . . . . . . . . . . . 7 5.3 Establishing a Tunnel with CONNECT . . . . . . . . . . . . . . 7
6. Rationale for the use of a 4xx (client error) Status Code . . 8 6. Rationale for the use of a 4xx (client error) Status Code . . 8
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
7.1 HTTP Status Code Registry . . . . . . . . . . . . . . . . . . 8 7.1 HTTP Status Code Registry . . . . . . . . . . . . . . . . . . 8
7.2 HTTP Upgrade Token Registry . . . . . . . . . . . . . . . . . 8 7.2 HTTP Upgrade Token Registry . . . . . . . . . . . . . . . . . 9
8. Security Considerations . . . . . . . . . . . . . . . . . . . 9 8. Security Considerations . . . . . . . . . . . . . . . . . . . 9
8.1 Implications for the https: URI Scheme . . . . . . . . . . . . 10 8.1 Implications for the https: URI Scheme . . . . . . . . . . . . 10
8.2 Security Considerations for CONNECT . . . . . . . . . . . . . 10 8.2 Security Considerations for CONNECT . . . . . . . . . . . . . 10
References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 11
A. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 A. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12
Full Copyright Statement . . . . . . . . . . . . . . . . . . . 13 Full Copyright Statement . . . . . . . . . . . . . . . . . . . 13
1. Motivation 1. Motivation
skipping to change at page 4, line 18 skipping to change at page 4, line 18
Either the client or server can use the HTTP/1.1[1] Upgrade Either the client or server can use the HTTP/1.1[1] Upgrade
mechanism (Section 14.42) to indicate that a TLS-secured connection mechanism (Section 14.42) to indicate that a TLS-secured connection
is desired or necessary. This draft defines the "TLS/1.0" Upgrade is desired or necessary. This draft defines the "TLS/1.0" Upgrade
token, and a new HTTP Status Code, "426 Upgrade Required". token, and a new HTTP Status Code, "426 Upgrade Required".
Section 3 and Section 4 describe the operation of a directly Section 3 and Section 4 describe the operation of a directly
connected client and server. Intermediate proxies must establish an connected client and server. Intermediate proxies must establish an
end-to-end tunnel before applying those operations, as explained in end-to-end tunnel before applying those operations, as explained in
Section 5. Section 5.
2.1 Requirements Terminology
Keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT" and
"MAY" that appear in this document are to be interpreted as
described in RFC 2119[11].
3. Client Requested Upgrade to HTTP over TLS 3. Client Requested Upgrade to HTTP over TLS
When the client sends an HTTP/1.1 request with an Upgrade header When the client sends an HTTP/1.1 request with an Upgrade header
field containing the token "TLS/1.0", it is requesting the server to field containing the token "TLS/1.0", it is requesting the server to
complete the current HTTP/1.1 request after switching to TLS/1.0. complete the current HTTP/1.1 request after switching to TLS/1.0.
3.1 Optional Upgrade 3.1 Optional Upgrade
A client MAY offer to switch to secured operation during any clear A client MAY offer to switch to secured operation during any clear
HTTP request when an unsecured response would be acceptable: HTTP request when an unsecured response would be acceptable:
skipping to change at page 11, line 26 skipping to change at page 11, line 34
Historical Information; Also available in: Luotonen, Ari. Web Historical Information; Also available in: Luotonen, Ari. Web
Proxy Servers, Prentice-Hall, 1997 ISBN:0136806120) Proxy Servers, Prentice-Hall, 1997 ISBN:0136806120)
draft-luotonen-web-proxy-tunneling-01, August 1998. draft-luotonen-web-proxy-tunneling-01, August 1998.
[9] Rose, M.T., "Writing I-Ds and RFCs using XML", RFC 2629, June [9] Rose, M.T., "Writing I-Ds and RFCs using XML", RFC 2629, June
1999. 1999.
[10] Narten, T. and H.T. Alvestrand, "Guidelines for Writing an [10] Narten, T. and H.T. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, October 1998. IANA Considerations Section in RFCs", BCP 26, October 1998.
[11] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, BCP 14, March 1997.
Authors' Addresses Authors' Addresses
Rohit Khare Rohit Khare
4K Associates / UC Irvine 4K Associates / UC Irvine
3207 Palo Verde 3207 Palo Verde
Irvine, CA 92612 Irvine, CA 92612
US US
Phone: +1 626 806 7574 Phone: +1 626 806 7574
EMail: rohit@4K-associates.com EMail: rohit@4K-associates.com
skipping to change at page 13, line 7 skipping to change at page 13, line 7
o Jim Whitehead, for sorting out the current range of available o Jim Whitehead, for sorting out the current range of available
HTTP status codes. HTTP status codes.
o Henrik Frystyk Nielsen, whose work on the Mandatory extension o Henrik Frystyk Nielsen, whose work on the Mandatory extension
mechanism pointed out a hop-by-hop Upgrade still requires mechanism pointed out a hop-by-hop Upgrade still requires
tunneling. tunneling.
o Harald Alvestrand for improvements to the token registration o Harald Alvestrand for improvements to the token registration
rules. rules.
Full Copyright Statement Full Copyright Statement
Copyright (C) The Internet Society (1999). All Rights Reserved. Copyright (C) The Internet Society (2000). All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published or assist in its implmentation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this are included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than followed, or as required to translate it into languages other than
English. English.
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/