Hi,
I’ve stumbled across an error while trying to load an SSH key from an HTTP URL on VyOS 1.1.5. The server (IIS 7.5) would respond to the loadkey command with a 400 Bad Request, but a manual request typed using telnet would succeed.
Looking at network traffic via monitor … traffic detail, curl (used internally by loadkey) sends the following request:
GET /jberezanski.pub.sshd.txt HTTP/1.1\r\n
[Expert Info (Chat/Sequence): GET /jberezanski.pub.sshd.txt HTTP/1.1\r\n]
[Message: GET /jberezanski.pub.sshd.txt HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Method: GET
Request URI: /jberezanski.pub.sshd.txt
Request Version: HTTP/1.1
User-Agent: curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8\177 zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6\r\n
Host: myserver.mydomain.local\r\n
Accept: */*\r\n
\r\n
Looks reasonable, except that the OpenSSL token ends with \177, which is ASCII 127 (0x7F, “DEL”). This character is disallowed in HTTP/1.1 header field values (the relevant RFC excerpts can be found here), so the server has every right to reject the request.
I have no idea (and no way to test) whether this issue is caused by the way VyOS packages are built or if it came from upstream Debian. Has anyone else encountered it?
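
An added example (not part of the original post): a check for bytes that are not permitted in HTTP/1.1 header field values, run over a request constructed from the capture above. The function names are illustrative, and the allowed set follows the field-value grammar of RFC 7230 (HTAB, SP, visible ASCII 0x21-0x7E, and obs-text 0x80-0xFF).

```python
# Added example: locate bytes that are illegal in HTTP/1.1 header field values.
# Allowed in a field value (RFC 7230, section 3.2): HTAB, SP, VCHAR, obs-text.
# Everything else (other control characters and DEL, 0x7F) is not allowed.

def is_allowed_value_byte(b: int) -> bool:
    return b in (0x09, 0x20) or 0x21 <= b <= 0x7E or b >= 0x80


def find_illegal_header_bytes(raw_request: bytes):
    """Return (header_name, offset_in_value, byte) for each illegal byte.

    A header line with no colon is reported as (line_text, -1, None).
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    findings = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            findings.append((line.decode("latin-1"), -1, None))
            continue
        value = value.strip(b" \t")  # optional whitespace around the value
        for offset, b in enumerate(value):
            if not is_allowed_value_byte(b):
                findings.append((name.decode("latin-1"), offset, b))
    return findings


# Constructed from the capture in the post; \177 (octal) is written as \x7f.
SAMPLE_REQUEST = (
    b"GET /jberezanski.pub.sshd.txt HTTP/1.1\r\n"
    b"User-Agent: curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 "
    b"OpenSSL/0.9.8\x7f zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6\r\n"
    b"Host: myserver.mydomain.local\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for header, offset, byte in find_illegal_header_bytes(SAMPLE_REQUEST):
        print(f"{header}: illegal byte 0x{byte:02X} at value offset {offset}")
```

The same check can be applied to any raw request captured on the wire to see which header a strict server would object to.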