hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Pasi Eronen (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HTTPCLIENT-1346) SSL handshake exceptions are hidden from application
Date Tue, 23 Apr 2013 13:31:15 GMT

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1346?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Pasi Eronen updated HTTPCLIENT-1346:

    Attachment: httpclient-1346-for-4.3-alpha1.patch

I've attached patches against both 4.2.3 and 4.3-alpha1. (And fully agree about behavior of
> SSL handshake exceptions are hidden from application
> ----------------------------------------------------
>                 Key: HTTPCLIENT-1346
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1346
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.2.3
>            Reporter: Pasi Eronen
>             Fix For: 4.2.6
>         Attachments: httpclient-1346-for-4.2.3.patch, httpclient-1346-for-4.3-alpha1.patch
> When the SSL handshake fails for some reason,  (e.g. TCP connection reset, socket read
timeout, no common cipher suite found, expired certificate, untrusted certificate, server
sends non-SSL garbage, etc.), all the application sees is "javax.net.ssl.SSLPeerUnverifiedException:
peer not authenticated" (without any cause chain). This is rather unhelpful for troubleshooting
SSL errors.
> According to the SSLSocket Javadocs, the SSL handshake can be initiated in three ways:
calling startHandshake(), attempting to read or write data, or calling getSession(). The first
two of these throw appropriate exceptions on failure (usually with cause chains indicating
the root  cause), while the third just returns a special session handshake with invalid ciphersuite
SSL_NULL_WITH_NULL_NULL (and the actual cause of handshake failure is lost).
> Currently org.apache.http.conn.ssl.SSLSocketFactory uses the third approach (and does
not even check for the invalid ciphersuite).
> Proposed fix: add call "sslsock.startHandshake();" after call to prepareSocket but before
hostnameVerifier (which calls getSession). This requires also one-line change to TestSSLSocketFactory.java
(change SSLPeerUnverifiedException to SSLHandshakeException).
> I tested this fix with five different cases (TCP connection reset, socket read timeout,
expired certificate, self-signed certificate, and non-SSL server), and in all five cases,
I now get a reasonably correct exception text (and a cause chain).

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org

View raw message