Apache closes Keep-Alive connection after HTTP 401

This document (000020590) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12 SP5
SUSE Linux Enterprise Server 15 SP2 
SUSE Linux Enterprise Server 15 SP3


Situation

The handling of 'Expect: 100-Continue' changed between the older apache-2.4.23-29.80.1 and apache-2.4.51-35.4.1.

With the new apache-2.4.51-35.4.1 released for SLES 12 SP5, when 'Expect: 100-Continue' is set, Apache closes the connection as soon as it receives a final response from the backend, even if keep-alive is requested.

For example, if the backend requires authentication and receives a POST request from the client without authentication information, it sends a final answer to the frontend (Apache), which in turn closes the connection to the client. Apache versions prior to 2.4.48 kept the connection alive in this case.

Resolution

If the above new behavior is causing issues, the client can take one of the following approaches:

1. Send the required authentication data with the initial request that sets 'Expect: 100-Continue'.

2. Do not set 'Expect: 100-Continue' in the request header; simply send the whole body together with the initial request header.

Additional Information

When the client uses the 'Expect: 100-Continue' feature, the following events occur with Apache version >= 2.4.48:

1. Initial TCP connection to the server.
2. The client sends the initial request header, without the body.
3. The client then waits for a response from the server.

   a. If the server receives a final status code from the backend, it forwards that to the client and closes the connection established in step 1.
   b. If the status code is 100 Continue, the client sends the request body to the server.

4. The client then waits for the final response from the server.
5. If keep-alive is set, a new request can be sent, repeating from step 2.

On the other hand, prior to version 2.4.48, at step 3a Apache forwarded the answer received from the backend but did not close the connection if keep-alive was set.

The change is intended to comply with RFC 7231 (see https://datatracker.ietf.org/doc/html/rfc7231#page-35 for details). After step 3a the server has no way to determine whether the next data sent by the client is the request body of the previous request or a new request; closing the connection in case 3a is therefore meant to prevent request smuggling attacks.
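The exchange in steps 1 to 5 as an added example, not code from the SUSE article or from Apache: a constructed loopback stand-in for a >= 2.4.48 frontend whose backend demands an Authorization header, and a raw-socket client that reports whether the connection survived the final response. It also exercises the two approaches from the Resolution section; the request path, header values and loopback port are assumptions.

```python
import socket
import threading

def _read_head(f):
    """Read one HTTP message head from a binary file object; return its lines decoded, start line first."""
    lines = []
    while (line := f.readline().rstrip(b"\r\n")):   # stops at the blank line (or at EOF)
        lines.append(line.decode())
    return lines

def _frontend(conn):
    """Constructed stand-in for an Apache >= 2.4.48 frontend whose backend demands Authorization."""
    with conn, conn.makefile("rb") as f:
        hdr = dict(line.lower().split(": ", 1) for line in _read_head(f)[1:])
        expect, authed = hdr.get("expect") == "100-continue", "authorization" in hdr
        if expect and not authed:
            # Step 3a: a final status before the deferred body. Later bytes could be that body or
            # a new request, so the connection is closed instead of honouring keep-alive.
            conn.sendall(b"HTTP/1.1 401 Unauthorized\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
            return
        if expect:
            conn.sendall(b"HTTP/1.1 100 Continue\r\n\r\n")   # step 3b: interim response, body follows
        f.read(int(hdr["content-length"]))                    # consume the request body
        status = b"200 OK" if authed else b"401 Unauthorized"
        conn.sendall(b"HTTP/1.1 " + status + b"\r\nContent-Length: 0\r\nConnection: keep-alive\r\n\r\n")
        f.read(1)   # keep-alive: hold the connection open until the client closes it

def start_frontend():
    """Listen on an ephemeral loopback port; serve connections one at a time in the background."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            _frontend(srv.accept()[0])
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def post(port, auth=None, expect=True, body=b"field=value"):
    """Client side: send one POST; return (final status code, connection still open?)."""
    head = f"POST /upload HTTP/1.1\r\nHost: localhost\r\nContent-Length: {len(body)}\r\n"
    head += (f"Authorization: {auth}\r\n" if auth else "") + ("Expect: 100-continue\r\n" if expect else "")
    with socket.create_connection(("127.0.0.1", port), timeout=1.0) as s, s.makefile("rb") as f:
        s.sendall(head.encode() + b"\r\n" + (b"" if expect else body))   # body deferred when Expect is set
        status = int(_read_head(f)[0].split()[1])
        if status == 100:                               # step 3b: now send the body
            s.sendall(body)
            status = int(_read_head(f)[0].split()[1])
        try:
            return status, f.read(1) != b""             # b"" means the frontend closed its side
        except socket.timeout:
            return status, True                         # idle keep-alive connection: nothing to read
```

`post(port)` reproduces the 401 followed by a closed connection; `post(port, auth="Basic ...")` and `post(port, expect=False)` are resolutions 1 and 2 and keep the connection alive.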


The updated Apache package is required in order to get TLS 1.3 support.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020590
  • Creation Date: 18-Feb-2022
  • Modified Date: 23-Feb-2022
    • SUSE Linux Enterprise Server
