Skip to content

Instantly share code, notes, and snippets.

@gene1wood

gene1wood/zoom_CDN_does_not_work_with_if-none-matched_header_and_ETags.md

Last active December 20, 2025 17:41
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save gene1wood/5249118ad566eb349f4b85da2f8c9e8f to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save gene1wood/5249118ad566eb349f4b85da2f8c9e8f to your computer and use it in GitHub Desktop.
Download ZIP
Zoom CDN does not work with If-Non-Matched header and ETags
Raw
zoom_CDN_does_not_work_with_if-none-matched_header_and_ETags.md

The problem

When fetching a file from the Zoom CDN, the Zoom webservers are not following the HTTP standard around the If-None-Match header. As a result, it's not possible for a client to attempt to fetch a file and only receive the file if it differs from the one they already have locally.

How to show the problem

You can reproduce this problem by first fetching a file and recording the ETag

curl -v --location --etag-save etag.txt --etag-compare etag.txt -i https://cdn.zoom.us/prod/6.7.0.6313/zoom_amd64.deb

then running the same command again, now that you have the ETag

curl -v --location --etag-save etag.txt --etag-compare etag.txt -i https://cdn.zoom.us/prod/6.7.0.6313/zoom_amd64.deb

The full output from the second run is below, but the crucial parts are

curl sends the if-none-match header

> GET /prod/6.7.0.6313/zoom_amd64.deb HTTP/2
> Host: cdn.zoom.us
> user-agent: curl/7.81.0
> accept: */*
> if-none-match: "e688f779a077c3d683d428d953645ae2-34"

The Zoom CDN responds with 200 instead of 304

Here, the Zoom CDN responds with a 200 instead of a 304 as it should. The response even shows that the server has the correct etag value.

< HTTP/2 200 
HTTP/2 200 
< date: Sat, 20 Dec 2025 17:27:15 GMT
date: Sat, 20 Dec 2025 17:27:15 GMT
< content-type: binary/octet-stream
content-type: binary/octet-stream
< content-length: 284868598
content-length: 284868598
< cf-cache-status: HIT
cf-cache-status: HIT
< accept-ranges: bytes
accept-ranges: bytes
< access-control-allow-origin: *
access-control-allow-origin: *
< age: 459070
age: 459070
< cache-control: public, max-age=31536000
cache-control: public, max-age=31536000
< etag: "e688f779a077c3d683d428d953645ae2-34"
etag: "e688f779a077c3d683d428d953645ae2-34"

What Zoom CDN should be returning

The response should instead be a 304 that looked something like this (I've made this up as an example)

HTTP/2 304 
< date: Sat, 20 Dec 2025 17:25:05 GMT
date: Sat, 20 Dec 2025 17:25:05 GMT
< etag: "e688f779a077c3d683d428d953645ae2-34"
etag: "e688f779a077c3d683d428d953645ae2-34"
< x-cache: HIT
x-cache: HIT
< x-cache-hits: 0
x-cache-hits: 0

The full output

Here is the full output of the second curl command where Zoom returns a 200 instead of a 304

curl -v --location --etag-save etag.txt --etag-compare etag.txt -i https://cdn.zoom.us/prod/6.7.0.6313/zoom_amd64.deb
*   Trying 170.114.46.1:443...
* Connected to cdn.zoom.us (170.114.46.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Jose; O=Zoom Video Communications, Inc.; CN=*.zoom.us
*  start date: Feb  8 00:00:00 2025 GMT
*  expire date: Feb 11 23:59:59 2026 GMT
*  subjectAltName: host "cdn.zoom.us" matched cert's "*.zoom.us"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x56d5dca829f0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /prod/6.7.0.6313/zoom_amd64.deb HTTP/2
> Host: cdn.zoom.us
> user-agent: curl/7.81.0
> accept: */*
> if-none-match: "e688f779a077c3d683d428d953645ae2-34"
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200 
HTTP/2 200 
< date: Sat, 20 Dec 2025 17:27:15 GMT
date: Sat, 20 Dec 2025 17:27:15 GMT
< content-type: binary/octet-stream
content-type: binary/octet-stream
< content-length: 284868598
content-length: 284868598
< cf-cache-status: HIT
cf-cache-status: HIT
< accept-ranges: bytes
accept-ranges: bytes
< access-control-allow-origin: *
access-control-allow-origin: *
< age: 459070
age: 459070
< cache-control: public, max-age=31536000
cache-control: public, max-age=31536000
< etag: "e688f779a077c3d683d428d953645ae2-34"
etag: "e688f779a077c3d683d428d953645ae2-34"
< expires: Sun, 20 Dec 2026 17:27:15 GMT
expires: Sun, 20 Dec 2026 17:27:15 GMT
< last-modified: Mon, 15 Dec 2025 09:46:44 GMT
last-modified: Mon, 15 Dec 2025 09:46:44 GMT
< strict-transport-security: max-age=15552000; includeSubDomains
strict-transport-security: max-age=15552000; includeSubDomains
< vary: Origin
vary: Origin
< access-control-request-method: GET
access-control-request-method: GET
< cross-origin-resource-policy: cross-origin
cross-origin-resource-policy: cross-origin
< x-amz-server-side-encryption: AES256
x-amz-server-side-encryption: AES256
< set-cookie: __cf_bm=Hu3VA7YCMO4aPKyyNZIcDHbdGB8homQnQ4h2gMjCkbc-1766251635-1.0.1.1-uXTRgTv9SB6md0pyPHybVYCv2mGa7l2_Qdvsf44Y8mPsK4qCKa7Qvk01pfYN2suecac5v0whcd5q3S__xl0u9rs4w.SAmcHgAY8KT3LBhfY; path=/; expires=Sat, 20-Dec-25 17:57:15 GMT; domain=.cdn.zoom.us; HttpOnly; Secure; SameSite=None
set-cookie: __cf_bm=Hu3VA7YCMO4aPKyyNZIcDHbdGB8homQnQ4h2gMjCkbc-1766251635-1.0.1.1-uXTRgTv9SB6md0pyPHybVYCv2mGa7l2_Qdvsf44Y8mPsK4qCKa7Qvk01pfYN2suecac5v0whcd5q3S__xl0u9rs4w.SAmcHgAY8KT3LBhfY; path=/; expires=Sat, 20-Dec-25 17:57:15 GMT; domain=.cdn.zoom.us; HttpOnly; Secure; SameSite=None
< server: cloudflare
server: cloudflare
< cf-ray: 9b10d9722a2e938c-SJC
cf-ray: 9b10d9722a2e938c-SJC
< alt-svc: h3=":443"; ma=86400
alt-svc: h3=":443"; ma=86400

< 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
Warning: Binary output can mess up your terminal. Use "--output -" to tell 
Warning: curl to output it to your terminal anyway, or consider "--output 
Warning: <FILE>" to save to a file.
* Failure writing output to destination
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* stopped the pause stream!
* Connection #0 to host cdn.zoom.us left intact
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment