hc-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 37345] - ProxyCredentials disclosed to remote host
Date Thu, 03 Nov 2005 20:34:17 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=37345>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=37345





------- Additional Comments From olegk@apache.org  2005-11-03 21:34 -------
(In reply to comment #3)
> (In reply to comment #2) 
> [..] 
> > The preemptive authentication by itself is a hack and a security risk and  
> > should be avoided at all costs. 
> [..] 
>  
> Is there another way than preemptive authentication to work around the problem
> with Squid 2.4 mentioned in Bug 37197?
> The Squid 2.4 problem was the reason why I had to enable preemptive 
> authentication. 

Michael,

HttpClient 3.0 API has several severe design flaws, one being really broken
tunneling support (see Bug 15534 for details). The problem could have been
solved by adding 'Proxy-connection: close' header to the CONNECT request, which
is, sadly, not possible with the existing API.

Oleg
