Header Folding, Nginx, Jetty and Estonian ID-card

25 March 2017

Upgrading to Jetty 9.3 can bring surprises: for example, Estonian ID-card support can break because of errors related to header folding.

The problem is related to the way Nginx sends headers. ID card integrations with Nginx use the $ssl_client_cert variable. The Nginx documentation says:

$ssl_client_cert

returns the client certificate in the PEM format for an established SSL connection, with each line except the first prepended with the tab character; this is intended for the use in the proxy_set_header directive;

But according to RFC 7230, header folding in HTTP requests is deprecated. Since the Jetty developers decided to follow RFC 7230 starting with Jetty 9.3, the tab-folded certificate header that Nginx sends is no longer accepted, and this breaks ID-card support.

Solution

As the discussion on the Nginx tracker regarding this has gone nowhere, you would have to edit the source and compile Nginx yourself to fix it.

Luckily there is an option to use the old RFC compliance level. To change it, uncomment the jetty.http.compliance option in Jetty's start.ini and set it to RFC2616.

This option will probably be removed in a future release of Jetty, so beware when upgrading.
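
The failure and the workaround described above, as an added example (not code from Nginx or Jetty): a minimal header parser that rejects the folded certificate header in strict RFC 7230 mode and unfolds it in RFC 2616 mode, after which the PEM can be rebuilt. The header name `X-Client-Cert`, the host name and the sample certificate body are constructed assumptions.

```python
import re

# Constructed sample: placeholder base64, not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + "QUJD" * 16 + "\n"
              + "REVG" * 4 + "\n-----END CERTIFICATE-----")

def nginx_folded_value(pem):
    """Format the Nginx docs describe for $ssl_client_cert:
    every line except the first is prefixed with a tab."""
    return pem.strip().replace("\n", "\n\t")

def build_request(cert_value, header="X-Client-Cert"):  # header name is hypothetical
    return ("GET / HTTP/1.1\r\nHost: backend.example\r\n"
            f"{header}: {cert_value}\r\n\r\n")

def parse_headers(raw, compliance="RFC7230"):
    """Parse the header block; continuation lines start with SP or HTAB."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    headers, last = {}, None
    for line in re.split(r"\r?\n", head)[1:]:   # skip the request line
        if line[:1] in (" ", "\t"):
            if compliance == "RFC7230" or last is None:
                raise ValueError("400 Bad Request: folded header line")
            # RFC 2616 lets the recipient replace a fold with a single space.
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers

def pem_from_header(value):
    """Rebuild a PEM block from the unfolded, space-separated header value."""
    m = re.fullmatch(r"-----BEGIN CERTIFICATE-----(.+)-----END CERTIFICATE-----",
                     value.strip(), re.S)
    if not m:
        raise ValueError("header does not contain a PEM certificate")
    body = "".join(m.group(1).split())
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("unexpected characters in certificate body")
    rows = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *rows,
                      "-----END CERTIFICATE-----"])

if __name__ == "__main__":
    raw = build_request(nginx_folded_value(SAMPLE_PEM))
    print(pem_from_header(parse_headers(raw, "RFC2616")["x-client-cert"]))
```

The same parser accepts the certificate in strict mode once it arrives on a single header line, which is why the break only shows up with the folded format.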