hc-dev mailing list archives

From Eric Johnson <e...@tibco.com>
Subject Re: Question about HttpConnection
Date Thu, 27 Feb 2003 14:47:15 GMT

I think this relates directly to the posting today by Jani Mattsson.  As 
best I understand it, when using HTTPS to connect via a proxy server, 
the connection to the proxy server itself is not encrypted (the CONNECT 
method goes to the proxy server unencrypted).  Only once the connection 
has been established with the proxy server does encryption get thrown 
on.  From that point on, the proxy server doesn't need to see the 
contents of the connection, merely pass the bytes through on an open 
socket.  (Although it occurs to me that proxy servers could launch 
"man-in-the-middle" attacks on the exchange, so HTTPS via a proxy server 
is no more secure than the extent to which you trust your proxy server.)
Someone who understands proxies better than I might be able to provide 
more info.

Thus, Jani's problem arises, wherein, should a retry become necessary, 
and the connection has been closed by the remote server or the proxy, 
then HttpMethodBase does not do the right thing to reopen the 
connection.  Yet one more reason to move the retry logic - and perhaps 
we cannot afford to wait until after 2.0 final for this one.


Michael Becke wrote:

> I found something in HttpConnection that I'm curious about.  I think I 
> may have actually written it, but I am not sure why.  The following 
> code is from HttpConnection.open():
>
>             final ProtocolSocketFactory socketFactory =
>                 (isSecure()
>                     && !isProxied()
>                         ? protocolInUse.getSocketFactory()
>                         : new DefaultProtocolSocketFactory());
>
> Essentially, on open, the connection is only using the protocol socket 
> factory for non-proxied secure connections.  It seems like it should 
> be using the protocol factory for all connections except when proxied 
> and SSL.  Does this sound correct?
> Mike

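Added example, not part of the original messages and not HttpClient's own code: the sequence described in the reply above (plain socket to the proxy, cleartext CONNECT, TLS layered on afterwards), written with standard JSSE calls. The class and method names (ProxyTunnelExample, openViaProxy, readHead) and the target port 443 are assumptions made for illustration.

```java
import java.io.*;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.*;
public class ProxyTunnelExample {
    // Opens TLS to host:port through an HTTP proxy (hypothetical helper).
    static SSLSocket openViaProxy(String proxyHost, int proxyPort,
                                  String host, int port) throws IOException {
        Socket plain = new Socket(proxyHost, proxyPort);  // plain TCP, no TLS yet
        try {
            // CONNECT goes out in cleartext: the proxy sees target host and port.
            String req = "CONNECT " + host + ":" + port + " HTTP/1.1\r\n"
                       + "Host: " + host + ":" + port + "\r\n\r\n";
            plain.getOutputStream().write(req.getBytes(StandardCharsets.US_ASCII));
            // Read byte by byte so no buffer swallows the start of the TLS handshake.
            String head = readHead(plain.getInputStream());
            String status = head.substring(0, head.indexOf("\r\n"));
            String[] parts = status.split(" ", 3);
            if (parts.length < 2 || !parts[1].startsWith("2")) {
                throw new IOException("Proxy refused CONNECT: " + status);
            }
            // Layer TLS over the already-open socket; the proxy now only relays bytes.
            SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket tls = (SSLSocket) f.createSocket(plain, host, port, true);
            // Verify the certificate against the target host, not the proxy.
            SSLParameters p = tls.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            tls.setSSLParameters(p);
            tls.startHandshake();
            return tls;
        } catch (IOException e) {
            plain.close();
            throw e;
        }
    }
    // Returns the proxy's response head, up to and including the blank line.
    static String readHead(InputStream in) throws IOException {
        StringBuilder sb = new StringBuilder();
        for (int b; (b = in.read()) != -1 && sb.length() < 8192; ) {
            sb.append((char) b);
            if (sb.length() >= 4 && sb.indexOf("\r\n\r\n", sb.length() - 4) >= 0) return sb.toString();
        }
        throw new IOException("Incomplete or oversized proxy response");
    }
    public static void main(String[] a) throws IOException {
        // usage: java ProxyTunnelExample <proxyHost> <proxyPort> <targetHost>
        try (SSLSocket s = openViaProxy(a[0], Integer.parseInt(a[1]), a[2], 443)) {
            System.out.println("Negotiated " + s.getSession().getProtocol());
        }
    }
}
```

If the proxy or the remote server closes the connection, a retry has to repeat every step here, including the CONNECT, before any request can be resent.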