hc-httpclient-users mailing list archives

From Stefan Wachter <Stefan.Wach...@gmx.de>
Subject Re: implementation of a custom HttpRoutePlanner - how to choose the HttpRoute attributes (secure, tunnel type, and layer type)?
Date Fri, 27 Nov 2009 18:05:06 GMT
Hi Oleg,

your proposal "you need to mark the route as secure but the initial
connection to the proxy should be made via HTTP" does not work. If the
route is planned in such a way then an IllegalStateException is raised
(as I mentioned in my last post). This is caused by the logic
implemented in HttpClient that a secure route cannot use an insecure
connection.

Can you please give me a hint how the SSL context of the application can
be configured correctly?

Why I want to implement a custom route planner: I have integrated
HttpClient into a (web) application framework to allow easy access to
the HTTP protocol. I do not like the standard JVM proxy mechanism
because it is configured virtual-machine-wide and the configuration must
be done on the command line or by setting system properties. Using a
configurable custom route planner would simply fit better into the overall
structure. I did not expect that implementing a custom route planner
would be so difficult. In addition, I like the possibilities for
connection pooling that HttpClient offers. I thought that in order to
configure the pooling for routes it is best to determine them myself.
Otherwise I must have a close look at the routes that are returned by
the "ProxySelectorRoutePlanner".

Thank you for your help,

--Stefan




On 27.11.2009 17:17, Oleg Kalnichevski wrote:
> Stefan Wachter wrote:
>> Hi Oleg,
>>
>> I still struggle with the implementation of my HttpRoutePlanner.
>>
>> I try to establish an HTTPS connection to a target host via a proxy. You
>> said that "usually the tunnel to the proxy is established using plain
>> HTTP". When I try to return a route where the first hop (the hop to the
>> proxy) is using HTTP then the secure flag of the route must not be
>> "true". If you try then the following exception is raised:
>>
>> java.lang.IllegalStateException: Unable to establish route.
>> planned = HttpRoute[{s}->http://localhost:8008->https://www.gmx.net]
>> current = HttpRoute[{}->http://localhost:8008->https://www.gmx.net]
>>
>> I tracked the reason down and found that the isSecure method of the
>> PlainSocketFactory always returns false. This means that if the proxy is
>> accessed using http then the route must not be flagged to be secure. You
>> said that if a route is flagged unsecure then "this will prevent
>> HttpClient from sending cookies marked as secure".
>>
>> To summarize: If I want to contact a target host via a proxy by https
>> and want to have cookies that are marked to be secure to be sent then I
>> have to use https to contact the proxy and mark the route as being
>> secure. Right?
>
> Yes, you need to mark the route as secure but the initial connection
> to the proxy should be made via HTTP. I have not come across an HTTP
> proxy that supported CONNECT method via HTTPS.
>
>>
>> In your last response you wrote that for proxied https connections
>> TunnelType.TUNNELLED and LayerType.LAYERED should be chosen. When I
>> return a route that uses https to access the proxy and the target host,
>> that has its secure flag set to true and that is tunneled and layered, I
>> get the following exception:
>>
>
> This problem has nothing to do with the route computation or even
> HttpClient at all. The SSL context used by your application has not
> been configured correctly.
>
>> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>>         at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
>>         at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
>>         at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:339)
>>         at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:123)
>>         at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:147)
>>         at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:101)
>>         at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:381)
>>         at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
>>         at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
>>         at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
>>
>> What is going wrong here? Does it mean that the proxy host needs to have
>> a certificate that is signed by a trusted certification authority?
>>
>
> I have no idea about expectations of your proxy host. Did CONNECT
> method succeed?
>
>> Next try: If I choose a route that uses http to access the proxy host
>> and https to access the target host and use TunnelType.PLAIN and
>> LayerType.PLAIN then the route works. 
>
> I suspect SSL/TLS is not being used in this case.
>
> The route should be marked as TunnelType.TUNNELLED and
> LayerType.LAYERED and the SSL context of your application must be set
> up correctly.
>
> Why do you need a custom route planner in the first place?
>
> Oleg
>
>
>> Yet, this route cannot be marked
>> to be secure. This means that secure cookies are not sent!
>>
>> Thanks for your patience and help,
>>
>> --Stefan
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
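
The route attributes discussed in this thread, as an added example that is not part of the original messages or of HttpClient itself: a route planner for the HttpClient 4.0 API that reaches HTTPS targets through a plain-HTTP proxy using a tunnelled, layered, secure route. The class name `FixedProxyRoutePlanner` and the scheme-name check are assumptions made for illustration; the proxy and target hosts are the ones quoted in the exception above.

```java
import org.apache.http.HttpException;
import org.apache.http.HttpHost;
import org.apache.http.HttpRequest;
import org.apache.http.conn.routing.HttpRoute;
import org.apache.http.conn.routing.HttpRoutePlanner;
import org.apache.http.conn.routing.RouteInfo.LayerType;
import org.apache.http.conn.routing.RouteInfo.TunnelType;
import org.apache.http.protocol.HttpContext;

/** Hypothetical planner: sends every request through one configured proxy. */
public class FixedProxyRoutePlanner implements HttpRoutePlanner {

    private final HttpHost proxy; // e.g. new HttpHost("localhost", 8008, "http")

    public FixedProxyRoutePlanner(HttpHost proxy) {
        this.proxy = proxy;
    }

    public HttpRoute determineRoute(HttpHost target, HttpRequest request,
                                    HttpContext context) throws HttpException {
        if (target == null) {
            throw new IllegalStateException("Target host must not be null.");
        }
        // Assumption: "https" is the only TLS scheme registered in this client.
        boolean https = "https".equalsIgnoreCase(target.getSchemeName());
        if (proxy == null) {
            return new HttpRoute(target, null, https); // direct connection
        }
        if (!https) {
            // Plain HTTP via proxy: no tunnel, no layering, not secure.
            return new HttpRoute(target, null, proxy, false,
                                 TunnelType.PLAIN, LayerType.PLAIN);
        }
        // HTTPS via proxy: first hop is plain HTTP, CONNECT opens the tunnel,
        // TLS is layered on top, and only the finished route counts as secure.
        return new HttpRoute(target, null, proxy, true,
                             TunnelType.TUNNELLED, LayerType.LAYERED);
    }

    public static void main(String[] args) throws Exception {
        HttpHost proxy = new HttpHost("localhost", 8008, "http");
        HttpHost target = new HttpHost("www.gmx.net", 443, "https");
        HttpRoute route = new FixedProxyRoutePlanner(proxy)
                .determineRoute(target, null, null);
        // toString() shows the flags as {tls}; the failing route in the
        // thread shows {s}, i.e. secure without tunnelled/layered.
        System.out.println(route);
    }
}
```

The planner is installed with `setRoutePlanner` on a `DefaultHttpClient`. The TLS handshake to the target still depends on the trust material of the `SSLSocketFactory` registered for the `https` scheme.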

