Abhiman Tiwari

Abhiman Tiwari

Program Manager, DEV Advocate!

ARR rejecting HTTPS requests with http-error code-400

1 minute read

When you use ARR (Application Request Routing) as reverse proxy/ front end to your application server, as you know, requests to your application goes to the ARR server first. And (as usual) if the client (i.e., browser) to ARR communication is happening over HTTPS, after performing the SSL handshake on your application’s behalf, ARR forwards the client requests to the backend server which is running your application code.

ARR attaches a special request header X-ARR-SSL to every request coming over HTTPS. And it contains information about SSL server certificate which was used to secure TCP communication between client (i.e., browser) and ARR server.

The backend http.sys detects the value of the X-ARR-SSL header, and it terminates the connection with http status code 400, when it finds any Non-HTTP.SYS/RFC complaint value in it.
As in the example shown below, we have O=HS unknown character in the certificate properly.

Note – O=HS // it’s the Norwegian «Ø» character.

- Http: Request, GET /test.htm
    Command: GET
  + URI: /test.htm
    ProtocolVersion: HTTP/1.1
    Connection:  Keep-Alive
    Accept:  text/html, application/xhtml+xml, image/jxr, */*
    Accept-Encoding:  gzip, deflate
    Accept-Language:  en-US
    Host:  abc.xyz.com
    Max-Forwards:  10
    UserAgent:  Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
    dnt:  1
    X-Original-URL:  /testsite/test.htm
    X-Forwarded-For:  [fe80::xxx:3489:d647:454b%6]:63354
    X-ARR-SSL:  2048|256|DC=no, DC=hfdrift, DC=iam, CN=SD3-CA-IAM-01|C=NO, L=Drammen, O=HS, OU=STHF, CN=abc.xyz.com
    X-ARR-LOG-ID:  83df8fbe-d6f9-4651-9d02-4f2888ef83d8
    HeaderEnd: CRLF


Notice that any unknown character e.g., one shown above, would be ideally pulled from the Certificate properties itself. The backend HTTP.SYS instantly rejected the request with status code- 400, when it find any such character, as shown below –

- Http: Response, HTTP/1.1, Status: Bad request, URL: /test.htm
    ProtocolVersion: HTTP/1.1
    StatusCode: 400, Bad request
    Reason: Bad Request
  + ContentType:  text/html; charset=us-ascii
    Server:  Microsoft-HTTPAPI/2.0
    Date:  Thu, 08 May 2021 07:47:40 GMT
    Connection:  close
    ContentLength:  311
    HeaderEnd: CRLF
  + payload: HttpContentType =  text/html; charset=us-ascii


Suggestion: Verify the certificate which you are using, and check the properly if there is any unknown character. If so, work with the certificate provider to fix the same.


PS – You can also use this value (“X-ARR-SSL”) to detect if the call to your application was made over HTTP or HTTPS.

Comments

You May Also Enjoy

Saving Bot Activities in Azure SQL Database

5 minute read

In this blog post, we’ll walkthrough of how to integrate Bot Framework v4 SDK with Azure SQL Database and save Bot activities/ conversations into the databas...

Heap corruption crash dump collection

3 minute read

A heap corruption is defined as a problem that violates the heap’s integrity and produces unexpected behavior in an application. It can happen if dynamic mem...