hc-dev mailing list archives

From "Gary Gregory (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HTTPCORE-487) org.apache.http.nio.reactor.ssl.SSLIOSession does not always account for its host setting
Date Thu, 31 Aug 2017 04:41:00 GMT
Gary Gregory created HTTPCORE-487:
-------------------------------------

             Summary: org.apache.http.nio.reactor.ssl.SSLIOSession does not always account for its host setting
                 Key: HTTPCORE-487
                 URL: https://issues.apache.org/jira/browse/HTTPCORE-487
             Project: HttpComponents HttpCore
          Issue Type: Bug
          Components: HttpCore NIO
    Affects Versions: 4.4.6
            Reporter: Gary Gregory


org.apache.http.nio.reactor.ssl.SSLIOSession does not always account for its host setting.

Patch forthcoming.

This shows up in the example {{NHttpReverseProxy}} app.

From the dev ML where I wrote:

{noformat}
HttpCore NIO, NHttpReverseProxy and diagnosing an SSL handshake_failure 

Gary Gregory <garydgregory@gmail.com>
2:57 PM (7 hours ago)

to HttpComponents 
Hi All:

To diagnose a problem I am seeing in my custom HC-NIO proxy, I run our example NHttpReverseProxy
with the command line arguments:

https://jsonplaceholder.typicode.com:443/ 33000 TrustSelfSignedStrategy

(with or without TrustSelfSignedStrategy)

Then I get a handshake_failure trying to access it:

$ curl http://localhost:33000/posts
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    39  100    39    0     0     39      0  0:00:01 --:--:--  0:00:01   207Received fatal alert: handshake_failure

NHttpReverseProxy prints:

Using TrustSelfSignedStrategy (not for production)
Reverse proxy to https://jsonplaceholder.typicode.com:443
[client->proxy] connection open 0:0:0:0:0:0:0:1:33000<->0:0:0:0:0:0:0:1:55252
[client->proxy] 00000001 GET /posts HTTP/1.1
[client->proxy] 00000001 request completed
[proxy->origin] connection open 192.168.0.92:55254<->104.31.87.157:443
[proxy->origin] 00000001 GET /posts HTTP/1.1
[proxy->origin] 00000001 request completed
[client<-proxy] 00000001 javax.net.ssl.SSLException: Received fatal alert: handshake_failure
[proxy->origin] connection released 0.0.0.0:55254<->104.31.87.157:443
[proxy->origin] [total kept alive: 0; total allocated: 0 of 100]
[proxy->origin] connection closed 0.0.0.0:55254<->104.31.87.157:443
[client->proxy] connection closed 0.0.0.0:33000<->0:0:0:0:0:0:0:1:55252

HttpClient works fine with:

import java.io.IOException;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;

import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;
import org.junit.Assert;
import org.junit.Test;

public class HttpsClientSanityTest {

    // Fetches /posts over HTTPS directly (no proxy) and checks that a body came back.
    private void executeHttpsGetPosts(final CloseableHttpClient client) throws IOException, ClientProtocolException {
        try (final CloseableHttpResponse response = client.execute(new HttpGet("https://jsonplaceholder.typicode.com/posts"))) {
            final String string = EntityUtils.toString(response.getEntity());
            Assert.assertNotNull(string);
            // System.out.println(string);
        }
    }

    @Test
    public void test_typicode_com() throws KeyManagementException, NoSuchAlgorithmException, ClientProtocolException, IOException {
        // Default client: JSSE sends the server_name (SNI) extension for the request host.
        try (final CloseableHttpClient client = HttpClients.createDefault()) {
            executeHttpsGetPosts(client);
        }
    }
}

curl works fine with 'curl https://jsonplaceholder.typicode.com/posts' and returns a JSON
document.

Any hints as to what is missing from NHttpReverseProxy?

Thank you,
Gary

Gary Gregory <garydgregory@gmail.com>
3:19 PM (7 hours ago)

to HttpComponents 
I should add that I am running the latest Oracle Java 8 on Windows 10.


Gary Gregory <garydgregory@gmail.com>
10:17 PM (21 minutes ago)

to HttpComponents 
If I set -Djavax.net.debug=all in the proxy I see:

RandomCookie:  GMT: 1487308723 bytes = { 46, 102, 239, 247, 53, 87, 164, 146, 197, 44, 72,
95, 153, 58, 9, 22, 138, 176, 137, 76, 196, 163, 34, 95, 220, 87, 105, 237 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1,
sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA,
SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA,
SHA1withDSA
***
[write] MD5 and SHA1 hashes:  len = 161
0000: 01 00 00 9D 03 03 59 A7   88 B3 2E 66 EF F7 35 57  ......Y....f..5W
0010: A4 92 C5 2C 48 5F 99 3A   09 16 8A B0 89 4C C4 A3  ...,H_.:.....L..
0020: 22 5F DC 57 69 ED 00 00   3A C0 23 C0 27 00 3C C0  "_.Wi...:.#.'.<.
0030: 25 C0 29 00 67 00 40 C0   09 C0 13 00 2F C0 04 C0  %.).g.@...../...
0040: 0E 00 33 00 32 C0 2B C0   2F 00 9C C0 2D C0 31 00  ..3.2.+./...-.1.
0050: 9E 00 A2 C0 08 C0 12 00   0A C0 03 C0 0D 00 16 00  ................
0060: 13 00 FF 01 00 00 3A 00   0A 00 16 00 14 00 17 00  ......:.........
0070: 18 00 19 00 09 00 0A 00   0B 00 0C 00 0D 00 0E 00  ................
0080: 16 00 0B 00 02 01 00 00   0D 00 16 00 14 06 03 06  ................
0090: 01 05 03 05 01 04 03 04   01 04 02 02 03 02 01 02  ................
00A0: 02                                                 .
I/O dispatcher 1, WRITE: TLSv1.2 Handshake, length = 161
[Raw write]: length = 166
0000: 16 03 03 00 A1 01 00 00   9D 03 03 59 A7 88 B3 2E  ...........Y....
0010: 66 EF F7 35 57 A4 92 C5   2C 48 5F 99 3A 09 16 8A  f..5W...,H_.:...
0020: B0 89 4C C4 A3 22 5F DC   57 69 ED 00 00 3A C0 23  ..L.."_.Wi...:.#
0030: C0 27 00 3C C0 25 C0 29   00 67 00 40 C0 09 C0 13  .'.<.%.).g.@....
0040: 00 2F C0 04 C0 0E 00 33   00 32 C0 2B C0 2F 00 9C  ./.....3.2.+./..
0050: C0 2D C0 31 00 9E 00 A2   C0 08 C0 12 00 0A C0 03  .-.1............
0060: C0 0D 00 16 00 13 00 FF   01 00 00 3A 00 0A 00 16  ...........:....
0070: 00 14 00 17 00 18 00 19   00 09 00 0A 00 0B 00 0C  ................
0080: 00 0D 00 0E 00 16 00 0B   00 02 01 00 00 0D 00 16  ................
0090: 00 14 06 03 06 01 05 03   05 01 04 03 04 01 04 02  ................
00A0: 02 03 02 01 02 02                                  ......
[Raw read]: length = 5
0000: 15 03 01 00 02                                     .....
[Raw read]: length = 2
0000: 02 28                                              .(
I/O dispatcher 1, READ: TLSv1 Alert, length = 2
I/O dispatcher 1, RECV TLSv1.2 ALERT:  fatal, handshake_failure
I/O dispatcher 1, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received
fatal alert: handshake_failure
I/O dispatcher 1, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received
fatal alert: handshake_failure
[client<-proxy] 00000001 javax.net.ssl.SSLException: Received fatal alert: handshake_failure

But, with the HttpClient, there is more data in the hex dumps which include the origin server
name and other bits:

%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1487308648 bytes = { 223, 57, 250, 125, 154, 123, 122, 30, 110, 58, 163,
142, 215, 41, 230, 164, 96, 33, 206, 68, 84, 216, 191, 149, 12, 79, 94, 143 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1,
sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA,
SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA,
SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=jsonplaceholder.typicode.com]
***
[write] MD5 and SHA1 hashes:  len = 198
0000: 01 00 00 C2 03 03 59 A7   87 68 DF 39 FA 7D 9A 7B  ......Y..h.9....
0010: 7A 1E 6E 3A A3 8E D7 29   E6 A4 60 21 CE 44 54 D8  z.n:...)..`!.DT.
0020: BF 95 0C 4F 5E 8F 00 00   3A C0 23 C0 27 00 3C C0  ...O^...:.#.'.<.
0030: 25 C0 29 00 67 00 40 C0   09 C0 13 00 2F C0 04 C0  %.).g.@...../...
0040: 0E 00 33 00 32 C0 2B C0   2F 00 9C C0 2D C0 31 00  ..3.2.+./...-.1.
0050: 9E 00 A2 C0 08 C0 12 00   0A C0 03 C0 0D 00 16 00  ................
0060: 13 00 FF 01 00 00 5F 00   0A 00 16 00 14 00 17 00  ......_.........
0070: 18 00 19 00 09 00 0A 00   0B 00 0C 00 0D 00 0E 00  ................
0080: 16 00 0B 00 02 01 00 00   0D 00 16 00 14 06 03 06  ................
0090: 01 05 03 05 01 04 03 04   01 04 02 02 03 02 01 02  ................
00A0: 02 00 00 00 21 00 1F 00   00 1C 6A 73 6F 6E 70 6C  ....!.....jsonpl
00B0: 61 63 65 68 6F 6C 64 65   72 2E 74 79 70 69 63 6F  aceholder.typico
00C0: 64 65 2E 63 6F 6D                                  de.com
main, WRITE: TLSv1.2 Handshake, length = 198
[Raw write]: length = 203
0000: 16 03 03 00 C6 01 00 00   C2 03 03 59 A7 87 68 DF  ...........Y..h.
0010: 39 FA 7D 9A 7B 7A 1E 6E   3A A3 8E D7 29 E6 A4 60  9....z.n:...)..`
0020: 21 CE 44 54 D8 BF 95 0C   4F 5E 8F 00 00 3A C0 23  !.DT....O^...:.#
0030: C0 27 00 3C C0 25 C0 29   00 67 00 40 C0 09 C0 13  .'.<.%.).g.@....
0040: 00 2F C0 04 C0 0E 00 33   00 32 C0 2B C0 2F 00 9C  ./.....3.2.+./..
0050: C0 2D C0 31 00 9E 00 A2   C0 08 C0 12 00 0A C0 03  .-.1............
0060: C0 0D 00 16 00 13 00 FF   01 00 00 5F 00 0A 00 16  ..........._....
0070: 00 14 00 17 00 18 00 19   00 09 00 0A 00 0B 00 0C  ................
0080: 00 0D 00 0E 00 16 00 0B   00 02 01 00 00 0D 00 16  ................
0090: 00 14 06 03 06 01 05 03   05 01 04 03 04 01 04 02  ................
00A0: 02 03 02 01 02 02 00 00   00 21 00 1F 00 00 1C 6A  .........!.....j
00B0: 73 6F 6E 70 6C 61 63 65   68 6F 6C 64 65 72 2E 74  sonplaceholder.t
00C0: 79 70 69 63 6F 64 65 2E   63 6F 6D                 ypicode.com
[Raw read]: length = 5
0000: 16 03 03 00 5B                                     ....[
[Raw read]: length = 91
0000: 02 00 00 57 03 03 59 A7   87 68 0C 1A D3 15 C5 F5  ...W..Y..h......
0010: 11 F2 26 9B 0B 61 99 90   4F 45 F3 CA B0 54 90 B0  ..&..a..OE...T..
0020: 34 87 B6 1D 93 FA 20 24   C7 1D BA C2 8B C8 3C 33  4..... $......<3
0030: 4F 76 CB C5 DE C3 A4 FF   F5 6A 6A D8 65 CD 46 81  Ov.......jj.e.F.
0040: 39 EC D7 3F 7F 84 D9 C0   2B 00 00 0F FF 01 00 01  9..?....+.......
0050: 00 00 00 00 00 00 0B 00   02 01 00                 ...........
main, READ: TLSv1.2 Handshake, length = 91
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1487308648 bytes = { 12, 26, 211, 21, 197, 245, 17, 242, 38, 155, 11,
97, 153, 144, 79, 69, 243, 202, 176, 84, 144, 176, 52, 135, 182, 29, 147, 250 }
Session ID:  {36, 199, 29, 186, 194, 139, 200, 60, 51, 79, 118, 203, 197, 222, 195, 164, 255,
245, 106, 106, 216, 101, 205, 70, 129, 57, 236, 215, 63, 127, 132, 217}
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: 
Extension ec_point_formats, formats: [uncompressed]
***
%% Initialized:  [Session-1, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
** TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

Why doesn't HttpCore include these extra bits?
{noformat}
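
An added illustration, not part of the issue text or of HttpCore's own code: the two javax.net.debug dumps above differ only in the server_name extension, and that extension is present or absent depending on whether the client-mode SSLEngine knows the origin host. The snippet shows both ways of creating the engine and a check a proxy could run before handshaking; it assumes the JDK default SSLContext and the origin host from the report, and the class and method names are mine.

```java
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class SniEngineCheck {

    /** Engine created with no peer host: the ClientHello carries no server_name extension. */
    static SSLEngine engineWithoutHost(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        return engine;
    }

    /** Engine created for the origin host, with SNI set explicitly rather than left to JSSE defaults. */
    static SSLEngine engineWithHost(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setServerNames(Collections.<SNIServerName>singletonList(new SNIHostName(host)));
        // Also make JSSE verify that the presented certificate matches this host.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    /** True when the engine's parameters contain at least one SNI server name. */
    static boolean hasSni(SSLEngine engine) {
        List<SNIServerName> names = engine.getSSLParameters().getServerNames();
        return names != null && !names.isEmpty();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String host = "jsonplaceholder.typicode.com"; // origin host from the report
        System.out.println("engine without host -> SNI present: " + hasSni(engineWithoutHost(ctx)));
        System.out.println("engine with host    -> SNI present: " + hasSni(engineWithHost(ctx, host, 443)));
    }
}
```

Running the proxy with -Djavax.net.debug=ssl:handshake after the change is the quickest way to confirm that the ClientHello now lists "Extension server_name" as the HttpClient dump does.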



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


