hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCORE-487) org.apache.http.nio.reactor.ssl.SSLIOSession and SSLNHttpClientConnectionFactory do not always use the HTTP host setting
Date Thu, 31 Aug 2017 14:22:00 GMT

    [ https://issues.apache.org/jira/browse/HTTPCORE-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16149045#comment-16149045
] 

ASF subversion and git services commented on HTTPCORE-487:
----------------------------------------------------------

Commit f12e09eb3cd3cc5dd45b2fcf4f3f81c03eb9d20b in httpcomponents-core's branch refs/heads/4.4.x
from [~olegk]
[ https://git-wip-us.apache.org/repos/asf?p=httpcomponents-core.git;h=f12e09e ]

[HTTPCORE-487] org.apache.http.nio.reactor.ssl.SSLIOSession and
SSLNHttpClientConnectionFactory do not always use the HTTP host setting.

> org.apache.http.nio.reactor.ssl.SSLIOSession and SSLNHttpClientConnectionFactory do not
always use the HTTP host setting
> ------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HTTPCORE-487
>                 URL: https://issues.apache.org/jira/browse/HTTPCORE-487
>             Project: HttpComponents HttpCore
>          Issue Type: Bug
>          Components: HttpCore NIO
>    Affects Versions: 4.4.6
>            Reporter: Gary Gregory
>            Priority: Blocker
>         Attachments: httpcomponents-core-4.4.x.patch
>
>
> org.apache.http.nio.reactor.ssl.SSLIOSession does not always account for its host setting.
> Patch forthcoming.
> This shows up in the example {{NHttpReverseProxy}} app.
> From the dev ML where I wrote:
> {noformat}
> HttpCore NIO, NHttpReverseProxy and diagnosing an SSL handshake_failure 
> Inbox
> x 
> Gary Gregory <garydgregory@gmail.com>
> 2:57 PM (7 hours ago)
> to HttpComponents 
> Hi All:
> To diagnose a problem I am seeing in my custom HC-NIO proxy, I run our example NHttpReverseProxy
with the command line arguments:
> https://jsonplaceholder.typicode.com:443/ 33000 TrustSelfSignedStrategy
> (with or without TrustSelfSignedStrategy)
> Then I get a handshake_failure trying to access it:
> $ curl http://localhost:33000/posts
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
> 100    39  100    39    0     0     39      0  0:00:01 --:--:--  0:00:01   207Received
fatal alert: handshake_failure
> NHttpReverseProxy prints:
> Using TrustSelfSignedStrategy (not for production)
> Reverse proxy to https://jsonplaceholder.typicode.com:443
> [client->proxy] connection open 0:0:0:0:0:0:0:1:33000<->0:0:0:0:0:0:0:1:55252
> [client->proxy] 00000001 GET /posts HTTP/1.1
> [client->proxy] 00000001 request completed
> [proxy->origin] connection open 192.168.0.92:55254<->104.31.87.157:443
> [proxy->origin] 00000001 GET /posts HTTP/1.1
> [proxy->origin] 00000001 request completed
> [client<-proxy] 00000001 javax.net.ssl.SSLException: Received fatal alert: handshake_failure
> [proxy->origin] connection released 0.0.0.0:55254<->104.31.87.157:443
> [proxy->origin] [total kept alive: 0; total allocated: 0 of 100]
> [proxy->origin] connection closed 0.0.0.0:55254<->104.31.87.157:443
> [client->proxy] connection closed 0.0.0.0:33000<->0:0:0:0:0:0:0:1:55252
> HttpClient works fine with:
> public class HttpsClientSanityTest {
>     private void executeHttpsGetPosts(final CloseableHttpClient client) throws IOException,
ClientProtocolException {
>         try (final CloseableHttpResponse reponse = client.execute(new HttpGet("https://jsonplaceholder.typicode.com/posts")))
{
>             final String string = EntityUtils.toString(reponse.getEntity());
>             Assert.assertNotNull(string);
>             // System.out.println(string);
>         }
>     }
>     @Test
>     public void test_typicode_com() throws KeyManagementException, NoSuchAlgorithmException,
ClientProtocolException, IOException {
>         try (final CloseableHttpClient client = HttpClients.createDefault()) {
>             executeHttpsGetPosts(client);
>         }
>     }
> }
> curl works fine with 'curl https://jsonplaceholder.typicode.com/posts' and returns a
JSON document.
> Any hints as to what is missing from NHttpReverseProxy?
> Thank you,
> Gary
> Gary Gregory <garydgregory@gmail.com>
> 3:19 PM (7 hours ago)
> to HttpComponents 
> I should add that I am running the latest Oracle Java 8 on Windows 10.
> Gary Gregory <garydgregory@gmail.com>
> 10:17 PM (21 minutes ago)
> to HttpComponents 
> If I set -Djavax.net.debug=all in the proxy I see:
> RandomCookie:  GMT: 1487308723 bytes = { 46, 102, 239, 247, 53, 87, 164, 146, 197, 44,
72, 95, 153, 58, 9, 22, 138, 176, 137, 76, 196, 163, 34, 95, 220, 87, 105, 237 }
> Session ID:  {}
> Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
> Compression Methods:  { 0 }
> Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1,
sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
> Extension ec_point_formats, formats: [uncompressed]
> Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA,
SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA,
SHA1withRSA, SHA1withDSA
> ***
> [write] MD5 and SHA1 hashes:  len = 161
> 0000: 01 00 00 9D 03 03 59 A7   88 B3 2E 66 EF F7 35 57  ......Y....f..5W
> 0010: A4 92 C5 2C 48 5F 99 3A   09 16 8A B0 89 4C C4 A3  ...,H_.:.....L..
> 0020: 22 5F DC 57 69 ED 00 00   3A C0 23 C0 27 00 3C C0  "_.Wi...:.#.'.<.
> 0030: 25 C0 29 00 67 00 40 C0   09 C0 13 00 2F C0 04 C0  %.).g.@...../...
> 0040: 0E 00 33 00 32 C0 2B C0   2F 00 9C C0 2D C0 31 00  ..3.2.+./...-.1.
> 0050: 9E 00 A2 C0 08 C0 12 00   0A C0 03 C0 0D 00 16 00  ................
> 0060: 13 00 FF 01 00 00 3A 00   0A 00 16 00 14 00 17 00  ......:.........
> 0070: 18 00 19 00 09 00 0A 00   0B 00 0C 00 0D 00 0E 00  ................
> 0080: 16 00 0B 00 02 01 00 00   0D 00 16 00 14 06 03 06  ................
> 0090: 01 05 03 05 01 04 03 04   01 04 02 02 03 02 01 02  ................
> 00A0: 02                                                 .
> I/O dispatcher 1, WRITE: TLSv1.2 Handshake, length = 161
> [Raw write]: length = 166
> 0000: 16 03 03 00 A1 01 00 00   9D 03 03 59 A7 88 B3 2E  ...........Y....
> 0010: 66 EF F7 35 57 A4 92 C5   2C 48 5F 99 3A 09 16 8A  f..5W...,H_.:...
> 0020: B0 89 4C C4 A3 22 5F DC   57 69 ED 00 00 3A C0 23  ..L.."_.Wi...:.#
> 0030: C0 27 00 3C C0 25 C0 29   00 67 00 40 C0 09 C0 13  .'.<.%.).g.@....
> 0040: 00 2F C0 04 C0 0E 00 33   00 32 C0 2B C0 2F 00 9C  ./.....3.2.+./..
> 0050: C0 2D C0 31 00 9E 00 A2   C0 08 C0 12 00 0A C0 03  .-.1............
> 0060: C0 0D 00 16 00 13 00 FF   01 00 00 3A 00 0A 00 16  ...........:....
> 0070: 00 14 00 17 00 18 00 19   00 09 00 0A 00 0B 00 0C  ................
> 0080: 00 0D 00 0E 00 16 00 0B   00 02 01 00 00 0D 00 16  ................
> 0090: 00 14 06 03 06 01 05 03   05 01 04 03 04 01 04 02  ................
> 00A0: 02 03 02 01 02 02                                  ......
> [Raw read]: length = 5
> 0000: 15 03 01 00 02                                     .....
> [Raw read]: length = 2
> 0000: 02 28                                              .(
> I/O dispatcher 1, READ: TLSv1 Alert, length = 2
> I/O dispatcher 1, RECV TLSv1.2 ALERT:  fatal, handshake_failure
> I/O dispatcher 1, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException:
Received fatal alert: handshake_failure
> I/O dispatcher 1, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException:
Received fatal alert: handshake_failure
> [client<-proxy] 00000001 javax.net.ssl.SSLException: Received fatal alert: handshake_failure
> But, with the HttpClient, there is more data in the hex dumps which include the origin
server name and other bits:
> %% No cached client session
> *** ClientHello, TLSv1.2
> RandomCookie:  GMT: 1487308648 bytes = { 223, 57, 250, 125, 154, 123, 122, 30, 110, 58,
163, 142, 215, 41, 230, 164, 96, 33, 206, 68, 84, 216, 191, 149, 12, 79, 94, 143 }
> Session ID:  {}
> Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
> Compression Methods:  { 0 }
> Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1,
sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
> Extension ec_point_formats, formats: [uncompressed]
> Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA,
SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA,
SHA1withRSA, SHA1withDSA
> Extension server_name, server_name: [type=host_name (0), value=jsonplaceholder.typicode.com]
> ***
> [write] MD5 and SHA1 hashes:  len = 198
> 0000: 01 00 00 C2 03 03 59 A7   87 68 DF 39 FA 7D 9A 7B  ......Y..h.9....
> 0010: 7A 1E 6E 3A A3 8E D7 29   E6 A4 60 21 CE 44 54 D8  z.n:...)..`!.DT.
> 0020: BF 95 0C 4F 5E 8F 00 00   3A C0 23 C0 27 00 3C C0  ...O^...:.#.'.<.
> 0030: 25 C0 29 00 67 00 40 C0   09 C0 13 00 2F C0 04 C0  %.).g.@...../...
> 0040: 0E 00 33 00 32 C0 2B C0   2F 00 9C C0 2D C0 31 00  ..3.2.+./...-.1.
> 0050: 9E 00 A2 C0 08 C0 12 00   0A C0 03 C0 0D 00 16 00  ................
> 0060: 13 00 FF 01 00 00 5F 00   0A 00 16 00 14 00 17 00  ......_.........
> 0070: 18 00 19 00 09 00 0A 00   0B 00 0C 00 0D 00 0E 00  ................
> 0080: 16 00 0B 00 02 01 00 00   0D 00 16 00 14 06 03 06  ................
> 0090: 01 05 03 05 01 04 03 04   01 04 02 02 03 02 01 02  ................
> 00A0: 02 00 00 00 21 00 1F 00   00 1C 6A 73 6F 6E 70 6C  ....!.....jsonpl
> 00B0: 61 63 65 68 6F 6C 64 65   72 2E 74 79 70 69 63 6F  aceholder.typico
> 00C0: 64 65 2E 63 6F 6D                                  de.com
> main, WRITE: TLSv1.2 Handshake, length = 198
> [Raw write]: length = 203
> 0000: 16 03 03 00 C6 01 00 00   C2 03 03 59 A7 87 68 DF  ...........Y..h.
> 0010: 39 FA 7D 9A 7B 7A 1E 6E   3A A3 8E D7 29 E6 A4 60  9....z.n:...)..`
> 0020: 21 CE 44 54 D8 BF 95 0C   4F 5E 8F 00 00 3A C0 23  !.DT....O^...:.#
> 0030: C0 27 00 3C C0 25 C0 29   00 67 00 40 C0 09 C0 13  .'.<.%.).g.@....
> 0040: 00 2F C0 04 C0 0E 00 33   00 32 C0 2B C0 2F 00 9C  ./.....3.2.+./..
> 0050: C0 2D C0 31 00 9E 00 A2   C0 08 C0 12 00 0A C0 03  .-.1............
> 0060: C0 0D 00 16 00 13 00 FF   01 00 00 5F 00 0A 00 16  ..........._....
> 0070: 00 14 00 17 00 18 00 19   00 09 00 0A 00 0B 00 0C  ................
> 0080: 00 0D 00 0E 00 16 00 0B   00 02 01 00 00 0D 00 16  ................
> 0090: 00 14 06 03 06 01 05 03   05 01 04 03 04 01 04 02  ................
> 00A0: 02 03 02 01 02 02 00 00   00 21 00 1F 00 00 1C 6A  .........!.....j
> 00B0: 73 6F 6E 70 6C 61 63 65   68 6F 6C 64 65 72 2E 74  sonplaceholder.t
> 00C0: 79 70 69 63 6F 64 65 2E   63 6F 6D                 ypicode.com
> [Raw read]: length = 5
> 0000: 16 03 03 00 5B                                     ....[
> [Raw read]: length = 91
> 0000: 02 00 00 57 03 03 59 A7   87 68 0C 1A D3 15 C5 F5  ...W..Y..h......
> 0010: 11 F2 26 9B 0B 61 99 90   4F 45 F3 CA B0 54 90 B0  ..&..a..OE...T..
> 0020: 34 87 B6 1D 93 FA 20 24   C7 1D BA C2 8B C8 3C 33  4..... $......<3
> 0030: 4F 76 CB C5 DE C3 A4 FF   F5 6A 6A D8 65 CD 46 81  Ov.......jj.e.F.
> 0040: 39 EC D7 3F 7F 84 D9 C0   2B 00 00 0F FF 01 00 01  9..?....+.......
> 0050: 00 00 00 00 00 00 0B 00   02 01 00                 ...........
> main, READ: TLSv1.2 Handshake, length = 91
> *** ServerHello, TLSv1.2
> RandomCookie:  GMT: 1487308648 bytes = { 12, 26, 211, 21, 197, 245, 17, 242, 38, 155,
11, 97, 153, 144, 79, 69, 243, 202, 176, 84, 144, 176, 52, 135, 182, 29, 147, 250 }
> Session ID:  {36, 199, 29, 186, 194, 139, 200, 60, 51, 79, 118, 203, 197, 222, 195, 164,
255, 245, 106, 106, 216, 101, 205, 70, 129, 57, 236, 215, 63, 127, 132, 217}
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> Compression Method: 0
> Extension renegotiation_info, renegotiated_connection: <empty>
> Extension server_name, server_name: 
> Extension ec_point_formats, formats: [uncompressed]
> ***
> %% Initialized:  [Session-1, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
> ** TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> Why doesn't HttpCore include these extra bits?
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


Mime
View raw message