Well, this feedback is a little late, but I wanted to document the results.
The Gargoyle login issue I described on Dec 31, 2013, was checked by Avast developers, and the following conclusions were made (in early January 2014, but I forgot to write back here):
The root cause is in Gargoyle firmware. During login to the webgui, the Gargoyle webserver sends back incorrect/corrupt HTTP response.
This is the corrupt response by Gargoyle:
HTTP/1.0 302 Found
Server: httpd_gargoyle/1.0 14mar2008
Date: Mon, 06 Jan 2014 17:22:30 GMT
Expires: Mon, 06 Jan 2014 17:22:30 GMT
HTTP/1.1 301 Moved Permanently
Location: login.sh
- There are two HTTP headers inside one HTTP answer. A single server response MUST NOT contain two HTTP version headers (HTTP/1.0 302, HTTP/1.1 301); that is against the RFC.
- The CRLF at the end of the response is missing (http://www.ietf.org/rfc/rfc1945.txt, section 2.2 Basic Rules).
As a result, Avast webshield (aswStreamFilter.dll 9.0.2011.265) marked the connection as non-HTTP traffic and then disconnected it.
Avast, however, wrote a workaround in their aswStreamFilter.dll as a quick solution. Later versions of aswStreamFilter.dll contain a fix for this case so that Avast accepts that traffic while parsing the response and the connection stays alive. Later versions of aswStreamFilter.dll (for example 9.0.2013.292) work correctly with Gargoyle.
Note: My tests were done in Gargoyle 1.5.11. I don't know whether 1.6.0 made any change related to it.
Should this be reported to Gargoyle developers, and how?
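As an added illustration (not from the post, Avast or Gargoyle), here is a small strict response-head checker in Python that flags the two defects named above: a second status line where a header field is expected, and a header section not terminated by an empty CRLF line. The sample bytes are constructed by joining the quoted lines with CRLF; the assumed well-formed variant is also constructed.

```python
import re

# Constructed sample: the corrupt response quoted above, lines joined with
# CRLF, with no blank line closing the header section (assumption: CRLF joins).
CORRUPT = (
    b"HTTP/1.0 302 Found\r\n"
    b"Server: httpd_gargoyle/1.0 14mar2008\r\n"
    b"Date: Mon, 06 Jan 2014 17:22:30 GMT\r\n"
    b"Expires: Mon, 06 Jan 2014 17:22:30 GMT\r\n"
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: login.sh"
)

# Constructed sample: a single well-formed redirect to the same location.
VALID = (
    b"HTTP/1.0 302 Found\r\n"
    b"Server: httpd_gargoyle/1.0 14mar2008\r\n"
    b"Location: login.sh\r\n"
    b"\r\n"
)

# Status line: HTTP-version SP 3-digit status [SP reason-phrase]
STATUS_LINE = re.compile(rb"^HTTP/\d\.\d [1-5]\d\d(?: .*)?$")
# Header field: token ':' ... (token characters per RFC 7230)
HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:")


def check_response_head(raw: bytes) -> list:
    """Return the list of violations found in an HTTP response head.

    An empty list means: exactly one status line, only header fields after
    it, and the head closed by CRLF CRLF. A strict stream filter that treats
    any violation as "not HTTP" would drop the CORRUPT sample, as described.
    """
    problems = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        problems.append("header section not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    if not STATUS_LINE.match(lines[0]):
        problems.append("first line is not a status line: %r" % lines[0])
    for n, line in enumerate(lines[1:], start=2):
        if STATUS_LINE.match(line):
            problems.append("second status line at line %d: %r" % (n, line))
        elif not HEADER_LINE.match(line):
            problems.append("line %d is not a header field: %r" % (n, line))
    return problems
```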