@Coontzy1 Coontzy1 commented Sep 6, 2025

httpRelayServer: restore POST body handling and add HTTPS/TLS support
This commit makes two improvements to httprelayserver.py:

  1. Restore POST body draining logic (httpRelayServer: read body content for POST requests #913):
    • Re-applies fix originally merged in 2021 by Rcarnus.
    • Ensures POST request bodies are consumed before returning 401 Unauthorized.
    • Fixes WSUS and other web clients that retry authentication on the same TCP stream.

  2. Add HTTPS/TLS support with improved logging:
    • Introduce optional SSL context when --https, --certfile, and --keyfile are provided.
    • Wrap inbound sockets with TLS, logging negotiated protocol/cipher on success.
    • On failures, log SSL error details, flagging early EOFs (likely client cert rejection).
    • Add startup banner showing port, IPv6/HTTPS status for clarity.

Together these changes allow ntlmrelayx to:

  • Correctly handle WSUS POST-based authentication flows.
  • Relay over HTTPS endpoints (e.g., WSUS 8531) with real certs or self-signed.
  • Provide more useful debug information for operators.

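
The HTTP framing issue behind the first change, as an added example (not code from this pull request or from the project): an in-memory HTTP/1.1 request loop that answers every request with 401, run with and without draining the POST body. The path, host, payload, header placeholder and all function names are constructed for illustration.

```python
import io

BODY = b"<request>ping</request>"  # constructed payload

def build_post(extra_headers=b""):
    return (b"POST /service HTTP/1.1\r\nHost: example.test\r\n"
            + b"Content-Length: %d\r\n" % len(BODY)
            + extra_headers + b"\r\n" + BODY)

# Constructed stream: first attempt, then the authenticated retry
# sent by the client on the same keep-alive connection.
SAMPLE_STREAM = build_post() + build_post(b"Authorization: NTLM <placeholder>\r\n")

def read_request(stream):
    """Read request line and headers; return (method, headers) or None at EOF."""
    line = stream.readline()
    if not line:
        return None
    parts = line.decode("latin-1").strip().split()
    if len(parts) != 3 or not parts[0].isalpha() or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % line)
    headers = {}
    while True:
        h = stream.readline()
        if h in (b"\r\n", b"\n", b""):
            break
        name, _, value = h.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], headers

def serve(stream, drain_body):
    """Answer every request with 401; return a log of what the server saw."""
    log = []
    while True:
        try:
            req = read_request(stream)
        except ValueError:
            log.append("desync")  # leftover body bytes were parsed as a request line
            break
        if req is None:
            break
        method, headers = req
        if drain_body:
            # Consume the body so the next read starts at the next request line.
            stream.read(int(headers.get("content-length", 0)))
        log.append("%s auth=%s" % (method, "authorization" in headers))
    return log

def run_sample(drain_body):
    return serve(io.BytesIO(SAMPLE_STREAM), drain_body)
```

Without draining, the unread body of the first POST is read as the start of the next request, so the retry that carries the `Authorization` header is never seen.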