hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Adam Fisk (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1318) Redirect to TLS site via TLS proxy fails - incorrectly marked as insecure target route
Date Mon, 11 Feb 2013 01:51:12 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1318?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13575595#comment-13575595
] 

Adam Fisk commented on HTTPCLIENT-1318:
---------------------------------------

It depends where you are and whether you are connecting to HTTP sites or HTTPS sites. In countries
where all network traffic is monitored, for example, connecting to an HTTPS proxy outside
of the use of HTTP CONNECT is very useful. This is actually a reality for almost 2 billion
people around the world, so certainly not an edge case.

HttpClient also clearly already supports this to some extent -- again that initial connection
to an SSL proxy works fine, just not the redirect.
                
> Redirect to TLS site via TLS proxy fails - incorrectly marked as insecure target route
> --------------------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1318
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1318
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.2.3
>         Environment: All
>            Reporter: Adam Fisk
>             Fix For: 4.2.4
>
>
> When configured to use a TLS proxy to a target site that is also TLS with a redirect
response, HttpClient will incorrectly create a new target route marked as http and insecure
rather than https and secure when generating the new request to the redirected location. This
will result in exceptions like the trace below with: 
> "Unable to establish route: planned = {}->https://localhost:7777->http://www.exceptional.io;
current = {s}->https://localhost:7777->http://www.exceptional.io"
> In fact, the test producing that exception is targeting https://www.exceptional.io not
http://www.exceptional.io, which is apparently correctly determined in the original request
but not in the redirected request. One candidate for the suspect code is line 1112 of handleResponse
in DefaultRequestDirector where the following line:
> HttpHost newTarget = URIUtils.extractHost(uri);
> creates a new target that is always HTTP regardless of whether or not the original target
was HTTPS, with havoc ensuing from there. This is reproducible in this test over at LittleProxy:
> https://github.com/adamfisk/LittleProxy/blob/master/src/test/java/org/littleshoot/proxy/EndToEndStoppingTest.java
> org.apache.http.client.ClientProtocolException
> 	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:909)
> 	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
> 	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)
> 	at org.littleshoot.proxy.EndToEndStoppingTest.runSiteTestWithHttpClient(EndToEndStoppingTest.java:167)
> 	at org.littleshoot.proxy.EndToEndStoppingTest.testWithHttpClient(EndToEndStoppingTest.java:92)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> 	at java.lang.reflect.Method.invoke(Method.java:597)
> 	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
> 	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
> 	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
> 	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
> 	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
> 	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
> 	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
> 	at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
> 	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
> 	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
> 	at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
> 	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
> 	at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
> 	at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
> 	at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
> 	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
> 	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
> 	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
> 	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
> Caused by: org.apache.http.HttpException: Unable to establish route: planned = {}->https://localhost:7777->http://www.exceptional.io;
current = {s}->https://localhost:7777->http://www.exceptional.io
> 	at org.apache.http.impl.client.DefaultRequestDirector.establishRoute(DefaultRequestDirector.java:846)
> 	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:649)
> 	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:480)
> 	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
> 	... 27 more

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


Mime
View raw message