[Full-Disclosure] Re: Web server http protocol version support
Maarten Van Horenbeeck
maarten at daemon.be
Fri Nov 12 14:48:13 GMT 2004
In RFC 2616, describing version 1.1 of the Hypertext Transfer Protocol, it
is described that the specification expects HTTP/1.1 servers to respond
appropriately with a message in "the same major version used by the
client". However, this is not in compliance with another RFC, 2145,
which explicitly states that a server should send the highest version it
supports, but "may" send a lower version in case it is suspected that the
client may not handle the higher version correctly.
This means that an HTTP/0.9 request is usually responded to with an
HTTP/0.9 reply. An HTTP/1.0 request can be responded to with either an
HTTP/1.0 or HTTP/1.1 reply. This is done because in versions prior to
"major version" 1, no version numbers where used, which would make it
harder for a 0.9 version to identify the server side.
A while back I tested this on a number of web servers. When sending an
HTTP/0.9 request to an Apache 1.3.31 or SunONE web server, I did in fact
receive an HTTP/0.9 reply. These are easy to identify as they don't even
contain headers or a version number, just the pure html. When I did the
same with an IIS 5 or 6, I received an HTTP/1.1 reply. Both of these are
acceptable, but the Apache/SunONE response is technically "more correct",
as it avoids client interpretation problems.
I've used this quite often to identify a web server when the Server:
header has been obfuscated. Used together with other items specific to
certain server types (encoding, default settings such as keepalive), this
is quite reliable.
Maarten Van Horenbeeck, GCIA <maarten at daemon.be>
Full-Disclosure is hosted and sponsored by Secunia.