[Solved] Header showing 200 OK but title 400 Bad Request

#1
We're having trouble passing PCI Compliance testing because it seems that LiteSpeed Web Server is outputting a 200 OK header with just a title of 400 Bad Request. How can we get LSWS to stop this behavior?

We have tried different LSWS versions with and without custom ErrorDocument statements. The currently installed LSWS version is Enterprise 4.1.9.

Here is an example (with the domain name changed) of the test failure:

[root@server /]# curl --max-time 10 -iskL 'http://www.domain.com:443/info.php'
HTTP/1.0 200 OK
Cache-Control: private, no-cache, max-age=0
Pragma: no-cache
Connection: Close

<html><head><title>400 Bad Request</title></head><body>
<h2>HTTPS is required</h2>
<p>This is an SSL protected page, please use the HTTPS scheme instead of the plain HTTP scheme to access this URL.<br />
<blockquote>Hint: The URL should starts with <b>https</b>://</blockquote> </p>
<hr />
Powered By LiteSpeed Web Server<br />
<a href='http://www.litespeedtech.com'><i>http://www.litespeedtech.com</i></a>
</body></html>
 
#3
That is not an option. The command line that I listed is what McAfee Secure servers are running intentionally to test the server for PCI Compliance. The actual file info.php does not exist; it's part of their test of the web server software.

All of our other web servers pass the test just fine (Apache and IIS). However, our LSWS servers will not pass the test. McAfee indicates this is an error on the part of the web server and will not pass any of our sites on the LSWS servers or grant an exception.
 

mistwang

LiteSpeed Staff
#4
Looks like the Apache reply does not have any response headers, just the response body directly.
Can you confirm it? We certainly can change the LiteSpeed response accordingly.
 
#5
While we cannot confirm what the ASV is looking for (they won't tell us), it would be safe to assume, based on their responses, that the problem is the status code 200 OK that LSWS is returning.

You are correct that Apache and other servers appear to just return a blank header and the body. An example of a passing server is below:

[root@server /]# curl --max-time 10 -iskL 'http://www.domain.com:443/info.php'
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />
<blockquote>Hint: <a href="https://domain.com/"><b>https://domain.com/</b></a></blockquote></p>
</body></html>
[root@server /]#
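The two captures above differ in exactly the property the scanner objects to: one carries a "200 OK" status line around a body whose title announces 400, the other sends no status line at all. The following script is an added example (not code from the thread, from LiteSpeed or from the ASV) that parses raw HTTP responses and flags that status-line/body mismatch, so a server can be checked in-house before a compliance scan. The sample responses embedded in it are constructed to mirror the shapes shown in this thread, not real captures.

```python
"""Flag HTTP responses whose status line disagrees with the error code in the
HTML <title> (e.g. a 200 OK wrapping a "400 Bad Request" page).

Added example. The sample responses below are constructed to resemble the
captures in the thread; they were not captured from any real server.
"""
import re

STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})(?: |$)")
TITLE_CODE = re.compile(r"<title>\s*(\d{3})\b", re.IGNORECASE)


def split_response(raw):
    """Split a raw response into (status_code, headers, body).

    A response that starts straight with the body, as the Apache sample does,
    has no status line: status_code is None and headers is empty.
    """
    text = raw.replace("\r\n", "\n")
    if not text.startswith("HTTP/"):
        return None, {}, text
    head, _, body = text.partition("\n\n")  # headers end at the first blank line
    lines = head.split("\n")
    m = STATUS_LINE.match(lines[0])
    status = int(m.group(1)) if m else None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def check_response(raw):
    """Return the status code, the code announced in <title>, and whether
    the two disagree. A missing status line or missing title is not a
    mismatch, because there is nothing to compare."""
    status, headers, body = split_response(raw)
    m = TITLE_CODE.search(body)
    title_code = int(m.group(1)) if m else None
    mismatch = (status is not None and title_code is not None
                and status != title_code)
    return {"status": status, "title_code": title_code,
            "mismatch": mismatch, "headers": headers}


def verdict(raw):
    """Human-readable one-line summary for a report."""
    r = check_response(raw)
    if r["mismatch"]:
        return f"MISMATCH: status line says {r['status']}, body says {r['title_code']}"
    if r["status"] is None:
        return "no status line; body only"
    return f"consistent: {r['status']}"


# Constructed samples, shaped like the thread's captures (not real traffic).
LSWS_STYLE = (
    "HTTP/1.0 200 OK\r\n"
    "Cache-Control: private, no-cache, max-age=0\r\n"
    "Pragma: no-cache\r\n"
    "Connection: Close\r\n"
    "\r\n"
    "<html><head><title>400 Bad Request</title></head><body>"
    "<h2>HTTPS is required</h2></body></html>"
)

APACHE_STYLE = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    "<html><head>\n<title>400 Bad Request</title>\n</head><body>\n"
    "<h1>Bad Request</h1></body></html>\n"
)

CONSISTENT = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Content-Type: text/html\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html><head><title>400 Bad Request</title></head><body>"
    "Bad Request</body></html>"
)

if __name__ == "__main__":
    for name, sample in [("lsws-style", LSWS_STYLE),
                         ("apache-style", APACHE_STYLE),
                         ("consistent", CONSISTENT)]:
        print(f"{name:13s} {verdict(sample)}")
```

To run it against a live server, feed `check_response` the raw bytes of the reply (decoded as text) from a plain-socket or `curl -i` capture; the parser deliberately accepts both CRLF and bare LF line endings so that pasted captures work too.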
 
#8
[solved]

With the upgrade to version 4.1.10 the issue appears to now be fixed. LSWS is returning a page without the header status. There's no doctype, but the return value is now passing the ASV tests.
 