SAP Knowledge Base Article - Preview

3097897 - Issue with HTTP Headers Containing Carriage Return and Line Feed (CRLF)

Symptom

An inbound HTTP/SOAP/OData/AS2/AS4 call to Cloud Integration fails with an HTTP 500 Internal Server Error.

Example HTML response for a SOAP call:

<head><title>HTTP Status 500 – Internal Server Error</title></head>

If the SOAP endpoint is called from another integration flow, the caller receives an error message with this content:

org.apache.cxf.interceptor.Fault - Response was of unexpected text/html ContentType

Note that the actual error messages may differ if other HTTP-based adapters are involved.

Sometimes a Message Processing Log exists and shows one of the following error texts:

  • The request was rejected because the header value "…" is not allowed.
  • The request was rejected because the header value "/C=DE /ST=ÃŽle-de-France/CN=some_value" is not allowed.

This behavior is observed only in the following cases:

  • You run Cloud Integration in the Cloud Foundry environment.
  • You use Cloud Integration releases with version 2108 and higher (for older releases, the same call works without problems).
  • The client sends an HTTP header whose value contains CR LF (carriage return and line feed) or other characters that are illegal in a header, or the client uses mTLS with a client certificate whose subject DN contains non-ASCII characters.

In the Kibana logs of the worker node, the following applies:

  • The logs contain the matching HTTP request (type=request, layer=[CF.RTR]) with status code 500.
  • Near that request there is a log entry (parts of it may differ) whose stack trace contains one of the following strings:
    • org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the header value "…" is not allowed.
    • org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the header value "/C=DE /ST=ÃŽle-de-France/CN=some_value" is not allowed.

The first stack trace appears if the HTTP request contains a header with CRLF or with a non-ASCII character; the second appears if mTLS is used with a client certificate whose subject DN contains non-ASCII characters. Both are produced by Spring Security's request firewall (RequestRejectedException), which rejects the request before it reaches the integration flow; that is why the caller only sees a generic HTTP 500 and an HTML error page instead of a SOAP fault.
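The check that produces these RequestRejectedException messages is Spring Security's default header-value rule in StrictHttpFirewall: every code point of a header value must be an assigned Unicode character and must not be a control character (horizontal tab is tolerated in values). The following Python is an added example, not code from the KBA or from SAP; it re-implements that rule so that a header value, or a certificate subject DN that will be forwarded as a header value, can be checked before a call is made, and it reports the exact offending character. It also models one way the odd-looking value "/C=DE /ST=ÃŽle-de-France/CN=some_value" can arise: if the DN "Île-de-France" is UTF-8-encoded on the wire and decoded as ISO-8859-1 by the servlet container (the HTTP/1.1 default), the second byte of "Î" (0x8E) becomes the C1 control character U+008E, which the firewall rejects and which a Windows-1252 viewer displays as "Ž". That decoding path is an inference from the KBA's example, not something the KBA states; the function names and the sample header values are constructed for this example.

```python
import unicodedata
from typing import Optional


def offending_codepoint(value: str) -> Optional[int]:
    """Index of the first character that Spring Security's default
    StrictHttpFirewall header-value rule rejects, or None if allowed.

    Rule (as in StrictHttpFirewall's HEADER_VALUE_PATTERN): each code point
    must be assigned (not category Cn) and must not be a control character
    (category Cc: C0 controls such as CR/LF and C1 controls U+0080..U+009F),
    except that a horizontal tab is tolerated in header values.
    """
    for index, ch in enumerate(value):
        category = unicodedata.category(ch)
        if category == "Cn":                 # unassigned code point
            return index
        if category == "Cc" and ch != "\t":  # CR, LF, other C0/C1 controls
            return index
    return None


def header_value_allowed(value: str) -> bool:
    """True if the value would pass the default header-value check."""
    return offending_codepoint(value) is None


def dn_as_seen_by_servlet(subject_dn: str) -> str:
    """Model (assumption, see lead-in) of how a non-ASCII subject DN that is
    forwarded as an HTTP header reaches Java code: UTF-8 bytes on the wire,
    decoded byte-by-byte as ISO-8859-1 by the servlet container."""
    return subject_dn.encode("utf-8").decode("iso-8859-1")


def as_displayed_on_windows(value: str) -> str:
    """Show the mis-decoded value the way a Windows-1252 viewer renders it:
    the C1 control U+008E appears as the printable letter 'Ž'."""
    return value.encode("iso-8859-1").decode("cp1252", errors="replace")


def describe(value: str) -> str:
    """Human-readable verdict for one header value."""
    index = offending_codepoint(value)
    if index is None:
        return "allowed: %r" % value
    ch = value[index]
    return "REJECTED at index %d (U+%04X, %s): %r" % (
        index, ord(ch), unicodedata.name(ch, "control"), value)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real request.
    samples = [
        "text/xml",                        # ordinary value: allowed
        "a\tb",                            # tab is tolerated in values
        "text/xml\r\nX-Injected: 1",       # CRLF: rejected (header injection)
    ]
    for sample in samples:
        print(describe(sample))

    # The KBA's mTLS case: a subject DN with a non-ASCII character.
    dn = "/C=DE /ST=Île-de-France/CN=some_value"
    mangled = dn_as_seen_by_servlet(dn)
    print(describe(dn))       # correctly decoded DN: allowed
    print(describe(mangled))  # mis-decoded DN: rejected on U+008E
    print("as shown in the KBA:", as_displayed_on_windows(mangled))
```

Running the block prints the verdict for each constructed value; the mis-decoded DN is rejected at index 11 (the U+008E that follows "Ã"), and re-rendering it through Windows-1252 reproduces the "ÃŽle-de-France" string quoted in the KBA. For a client you control, the practical check is to run `header_value_allowed` over every outgoing header value, and over the OpenSSL-style one-line subject DN of the client certificate, before calling the Cloud Integration endpoint.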


Environment

SAP BTP Cloud Foundry environment

Keywords

SAP Cloud Integration, HTTP header, invalid character, KBA, LOD-HCI-PI-RT, Integration Runtime, Problem

About this page

This is a preview of an SAP Knowledge Base Article; the full version is available on SAP ONE Support Launchpad (login required).