hc-dev mailing list archives

From Adrian Sutton <adr...@intencha.com>
Subject Re: DO NOT REPLY [Bug 20089] - Authentication fails with proxied SSL Connections
Date Thu, 22 May 2003 06:52:57 GMT

On Thursday, May 22, 2003, at 04:18 PM, Ortwin Glück wrote:

> bugzilla@apache.org wrote:
>> This would never have worked reliably (though now it is 100% 
>> guaranteed to fail so it is worse than before).  Previously it just 
>> appeared as one of the IOExceptions that were thrown by HttpClient a 
>> lot, all of these have now been fixed so the problem comes through as 
>> it initially was.
>
> Well, as far as I can tell it used to work very well. At least it does 
> in all configurations that we used it in. Of course it's good to have 
> the original problem now instead of some anonymous IOException.

I'd have to defer to Oleg and Mike on this one as they looked into the 
original reusing a proxied SSL connection problem, possibly there was 
some detail that I've missed, but I thought it was generally unreliable 
because if the server timed out the connection HttpClient couldn't 
recreate it and would have to throw an IOException or 
HttpRecoverableException.

Mike, Oleg, was there a way to fix proxied SSL connections that was 
just too messy to include for 2.0?  Perhaps Odi could make that change 
in a private fork if this is a feature that he requires.

>
>> In addition, back around December, HttpClient couldn't connect to SSL 
>> URLs through a proxy at all (there was no connect method) so this is 
>> really just incomplete support for a new feature.
>
> I know perfectly, as I wrote the initial version of the Connect method 
> :-) SSL authentication through proxies was a core feature we needed 
> (and still need) in our application. However we are still using an old 
> nightly build, since there is no money spent on the project currently.

Ah, sorry. :)  I've got my head stuck in some other work so I didn't 
really pay attention to who I was talking to.  We just upgraded to take 
advantage of the Connect method so thanks!

>> I should also note that you can work around this issue if you 
>> setDoAuthentication(false) then manage authentication yourself.
>
> Okay, if we put this problem with the known workaround in the 
> documentation then it should be okay. Can this be worked around by 
> preemptive authentication as well?

I'd imagine so, but that would then require using basic authentication 
(which shouldn't be a problem over SSL).  Essentially, as long as the 
server doesn't close the request with a response that HttpClient will 
retry for (redirect and authentication are the two I know of).  The 
problem would appear if the server requested a redirect and closed the 
connection as well, however most servers seem to keep the connection 
open when sending redirect responses back.  So if you can configure 
your server to not close the connection when it rejects authentication, 
that would be another workaround.

> Odi

Regards,

Adrian Sutton.

