hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Wachter <Stefan.Wach...@gmx.de>
Subject Re: implementation of a custom HttpRoutePlanner - how to choose the HttpRoute attributes (secure, tunnel type, and layer type)?
Date Tue, 01 Dec 2009 10:06:51 GMT
Hi Oleg,

I am sorry for bothering you. I think I understand now. In order to have
an https connection to a target host via a proxy the proxy is accessed
by http marking the route as being secure, tunneled, and layered. Thank
your for making this clear to me.

This leaves me with the SSLPeerUnverifiedException. I switched on SSL
debugging by setting "-Djavax.net.debug=all". From the log it seems that
the problem is caused by the certificate that the proxy server uses. In
a former post you asked if the CONNECT succeedes. As far as I can
interpret the log it seems that the CONNECT fails. The target host I
want to reach (https://www.gmx.net) does not appear in the log at all.

I do not understand why the certificate of the proxy does matter. After
all the connection to the proxy should be done by http.

(BTW: If I use the proxy by a browser I can access the target host
https://www.gmx.net.)

Please give me some more insight!

Cheers,
--Stefan

PS: Here is the SSL log. I omitted the first lines where lots of trusted
certificates are added.

trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1259594434 bytes = { 144, 54, 189, 212, 62, 102,
138, 185, 38, 230, 7, 52, 13, 207, 145, 184, 13, 57, 218, 226, 136, 55,
186, 251, 156, 165, 39, 22 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods:  { 0 }
***
[write] MD5 and SHA1 hashes:  len = 73
0000: 01 00 00 45 03 01 4B 14   E3 C2 90 36 BD D4 3E 66  ...E..K....6..>f
0010: 8A B9 26 E6 07 34 0D CF   91 B8 0D 39 DA E2 88 37  ..&..4.....9...7
0020: BA FB 9C A5 27 16 00 00   1E 00 04 00 05 00 2F 00  ....'........./.
0030: 33 00 32 00 0A 00 16 00   13 00 09 00 15 00 12 00  3.2.............
0040: 03 00 08 00 14 00 11 01   00                       .........
main, WRITE: TLSv1 Handshake, length = 73
[write] MD5 and SHA1 hashes:  len = 98
0000: 01 03 01 00 39 00 00 00   20 00 00 04 01 00 80 00  ....9... .......
0010: 00 05 00 00 2F 00 00 33   00 00 32 00 00 0A 07 00  ..../..3..2.....
0020: C0 00 00 16 00 00 13 00   00 09 06 00 40 00 00 15  ............@...
0030: 00 00 12 00 00 03 02 00   80 00 00 08 00 00 14 00  ................
0040: 00 11 4B 14 E3 C2 90 36   BD D4 3E 66 8A B9 26 E6  ..K....6..>f..&.
0050: 07 34 0D CF 91 B8 0D 39   DA E2 88 37 BA FB 9C A5  .4.....9...7....
0060: 27 16                                              '.
main, WRITE: SSLv2 client hello message, length = 98
[Raw write]: length = 100
0000: 80 62 01 03 01 00 39 00   00 00 20 00 00 04 01 00  .b....9... .....
0010: 80 00 00 05 00 00 2F 00   00 33 00 00 32 00 00 0A  ....../..3..2...
0020: 07 00 C0 00 00 16 00 00   13 00 00 09 06 00 40 00  ..............@.
0030: 00 15 00 00 12 00 00 03   02 00 80 00 00 08 00 00  ................
0040: 14 00 00 11 4B 14 E3 C2   90 36 BD D4 3E 66 8A B9  ....K....6..>f..
0050: 26 E6 07 34 0D CF 91 B8   0D 39 DA E2 88 37 BA FB  &..4.....9...7..
0060: 9C A5 27 16                                        ..'.
[Raw read]: length = 5
0000: 16 03 01 04 83                                     .....
[Raw read]: length = 1155
0000: 02 00 00 46 03 01 4B 14   E3 C2 F3 E4 D8 B2 48 6E  ...F..K.......Hn
0010: 51 05 23 76 2F 55 5C C5   52 68 83 E6 A4 F4 5D 54  Q.#v/U\.Rh....]T
0020: 25 7E 0B 81 43 5C 20 4B   14 E3 C2 AB 2C B9 71 CE  %...C\ K....,.q.
0030: 7F 91 71 7C 34 6B 54 33   F2 CE 72 58 6C 16 78 DE  ..q.4kT3..rXl.x.
0040: A7 14 AE 3F D5 16 A9 00   04 00 0B 00 04 31 00 04  ...?.........1..
0050: 2E 00 04 2B 30 82 04 27   30 82 03 90 A0 03 02 01  ...+0..'0.......
0060: 02 02 01 00 30 0D 06 09   2A 86 48 86 F7 0D 01 01  ....0...*.H.....
0070: 05 05 00 30 81 C4 31 0B   30 09 06 03 55 04 06 13  ...0..1.0...U...
0080: 02 5A 41 31 10 30 0E 06   03 55 04 08 13 07 47 61  .ZA1.0...U....Ga
0090: 75 74 65 6E 67 31 15 30   13 06 03 55 04 07 13 0C  uteng1.0...U....
00A0: 4A 6F 68 61 6E 6E 65 73   62 75 72 67 31 2E 30 2C  Johannesburg1.0,
00B0: 06 03 55 04 0A 13 25 4F   70 65 6E 20 57 65 62 20  ..U...%Open Web
00C0: 41 70 70 6C 69 63 61 74   69 6F 6E 20 53 65 63 75  Application Secu
00D0: 72 69 74 79 20 50 72 6F   6A 65 63 74 31 12 30 10  rity Project1.0.
00E0: 06 03 55 04 0B 13 09 57   65 62 53 63 61 72 61 62  ..U....WebScarab
00F0: 31 12 30 10 06 03 55 04   03 13 09 57 65 62 53 63  1.0...U....WebSc
0100: 61 72 61 62 31 34 30 32   06 09 2A 86 48 86 F7 0D  arab1402..*.H...
0110: 01 09 01 16 25 6F 77 61   73 70 2D 77 65 62 73 63  ....%owasp-websc
0120: 61 72 61 62 40 6C 69 73   74 73 2E 73 6F 75 72 63  arab@lists.sourc
0130: 65 66 6F 72 67 65 2E 6E   65 74 30 1E 17 0D 30 34  eforge.net0...04
0140: 30 34 30 31 31 32 34 35   35 39 5A 17 0D 31 34 30  0401124559Z..140
0150: 33 33 30 31 32 34 35 35   39 5A 30 81 C4 31 0B 30  330124559Z0..1.0
0160: 09 06 03 55 04 06 13 02   5A 41 31 10 30 0E 06 03  ...U....ZA1.0...
0170: 55 04 08 13 07 47 61 75   74 65 6E 67 31 15 30 13  U....Gauteng1.0.
0180: 06 03 55 04 07 13 0C 4A   6F 68 61 6E 6E 65 73 62  ..U....Johannesb
0190: 75 72 67 31 2E 30 2C 06   03 55 04 0A 13 25 4F 70  urg1.0,..U...%Op
01A0: 65 6E 20 57 65 62 20 41   70 70 6C 69 63 61 74 69  en Web Applicati
01B0: 6F 6E 20 53 65 63 75 72   69 74 79 20 50 72 6F 6A  on Security Proj
01C0: 65 63 74 31 12 30 10 06   03 55 04 0B 13 09 57 65  ect1.0...U....We
01D0: 62 53 63 61 72 61 62 31   12 30 10 06 03 55 04 03  bScarab1.0...U..
01E0: 13 09 57 65 62 53 63 61   72 61 62 31 34 30 32 06  ..WebScarab1402.
01F0: 09 2A 86 48 86 F7 0D 01   09 01 16 25 6F 77 61 73  .*.H.......%owas
0200: 70 2D 77 65 62 73 63 61   72 61 62 40 6C 69 73 74  p-webscarab@list
0210: 73 2E 73 6F 75 72 63 65   66 6F 72 67 65 2E 6E 65  s.sourceforge.ne
0220: 74 30 81 9F 30 0D 06 09   2A 86 48 86 F7 0D 01 01  t0..0...*.H.....
0230: 01 05 00 03 81 8D 00 30   81 89 02 81 81 00 DC 31  .......0.......1
0240: 1C 1A 40 A4 06 BF 67 5E   53 63 84 F6 4B CE 26 F5  ..@...g^Sc..K.&.
0250: B4 4F 8D 26 B2 A7 C0 80   DB 7F 3F AF 33 DF 8A 2F  .O.&......?.3../
0260: F7 E6 D7 B0 37 2A 0B 73   15 7C 7B D4 11 BA 2B 0A  ....7*.s......+.
0270: 54 64 13 8B F5 A9 7F 6D   9E B4 5D 7E 6A 31 BF 2C  Td.....m..].j1.,
0280: DC E6 C1 92 A9 C4 EF 5E   FB 7D B0 CF 8A C6 A7 FB  .......^........
0290: C7 B4 E1 26 62 A3 4C C5   C2 78 29 1F AC 44 C2 98  ...&b.L..x)..D..
02A0: 34 00 08 FC C1 5D D2 22   42 AA E4 1E 7B 03 25 4F  4....]."B.....%O
02B0: FA EA 2D DF 7C C6 1B C2   F6 E3 EB C5 7F FD 02 03  ..-.............
02C0: 01 00 01 A3 82 01 25 30   82 01 21 30 1D 06 03 55  ......%0..!0...U
02D0: 1D 0E 04 16 04 14 C5 2E   DC 77 1B 2D 4B A5 C9 F7  .........w.-K...
02E0: 79 E9 26 38 5C D2 3B C5   46 88 30 81 F1 06 03 55  y.&8\.;.F.0....U
02F0: 1D 23 04 81 E9 30 81 E6   80 14 C5 2E DC 77 1B 2D  .#...0.......w.-
0300: 4B A5 C9 F7 79 E9 26 38   5C D2 3B C5 46 88 A1 81  K...y.&8\.;.F...
0310: CA A4 81 C7 30 81 C4 31   0B 30 09 06 03 55 04 06  ....0..1.0...U..
0320: 13 02 5A 41 31 10 30 0E   06 03 55 04 08 13 07 47  ..ZA1.0...U....G
0330: 61 75 74 65 6E 67 31 15   30 13 06 03 55 04 07 13  auteng1.0...U...
0340: 0C 4A 6F 68 61 6E 6E 65   73 62 75 72 67 31 2E 30  .Johannesburg1.0
0350: 2C 06 03 55 04 0A 13 25   4F 70 65 6E 20 57 65 62  ,..U...%Open Web
0360: 20 41 70 70 6C 69 63 61   74 69 6F 6E 20 53 65 63   Application Sec
0370: 75 72 69 74 79 20 50 72   6F 6A 65 63 74 31 12 30  urity Project1.0
0380: 10 06 03 55 04 0B 13 09   57 65 62 53 63 61 72 61  ...U....WebScara
0390: 62 31 12 30 10 06 03 55   04 03 13 09 57 65 62 53  b1.0...U....WebS
03A0: 63 61 72 61 62 31 34 30   32 06 09 2A 86 48 86 F7  carab1402..*.H..
03B0: 0D 01 09 01 16 25 6F 77   61 73 70 2D 77 65 62 73  .....%owasp-webs
03C0: 63 61 72 61 62 40 6C 69   73 74 73 2E 73 6F 75 72  carab@lists.sour
03D0: 63 65 66 6F 72 67 65 2E   6E 65 74 82 01 00 30 0C  ceforge.net...0.
03E0: 06 03 55 1D 13 04 05 30   03 01 01 FF 30 0D 06 09  ..U....0....0...
03F0: 2A 86 48 86 F7 0D 01 01   05 05 00 03 81 81 00 90  *.H.............
0400: 7B 76 CF 64 A1 45 DF FC   A7 64 F7 1E 7F E9 A7 B0  .v.d.E...d......
0410: EF 3D 3C A2 41 8B 92 9C   BA C4 E6 7B 1F B1 3D 13  .=<.A.........=.
0420: 07 7B F4 A5 1E BC C9 96   9A D2 13 2D D4 7D 8F CB  ...........-....
0430: D9 08 E9 83 E7 90 00 E7   F5 3E 70 3A BD 57 4D AB  .........>p:.WM.
0440: 00 AC E1 CE 85 58 3B 5B   73 56 E8 B6 29 BE 99 E5  .....X;[sV..)...
0450: 91 65 67 B3 20 3A 9F D4   53 A1 D0 43 C6 97 62 BF  .eg. :..S..C..b.
0460: D4 1A 0B 92 45 FC 04 A1   1F 79 2F F2 90 35 DA 80  ....E....y/..5..
0470: DE FE 10 B9 68 B8 70 3E   DB F7 12 01 CB D3 64 0E  ....h.p>......d.
0480: 00 00 00                                           ...
main, READ: TLSv1 Handshake, length = 1155
*** ServerHello, TLSv1
RandomCookie:  GMT: 1259594434 bytes = { 243, 228, 216, 178, 72, 110,
81, 5, 35, 118, 47, 85, 92, 197, 82, 104, 131, 230, 164, 244, 93, 84,
37, 126, 11, 129, 67, 92 }
Session ID:  {75, 20, 227, 194, 171, 44, 185, 113, 206, 127, 145, 113,
124, 52, 107, 84, 51, 242, 206, 114, 88, 108, 22, 120, 222, 167, 20,
174, 63, 213, 22, 169}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
[read] MD5 and SHA1 hashes:  len = 74
0000: 02 00 00 46 03 01 4B 14   E3 C2 F3 E4 D8 B2 48 6E  ...F..K.......Hn
0010: 51 05 23 76 2F 55 5C C5   52 68 83 E6 A4 F4 5D 54  Q.#v/U\.Rh....]T
0020: 25 7E 0B 81 43 5C 20 4B   14 E3 C2 AB 2C B9 71 CE  %...C\ K....,.q.
0030: 7F 91 71 7C 34 6B 54 33   F2 CE 72 58 6C 16 78 DE  ..q.4kT3..rXl.x.
0040: A7 14 AE 3F D5 16 A9 00   04 00                    ...?......
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: EMAILADDRESS=owasp-webscarab@lists.sourceforge.net,
CN=WebScarab, OU=WebScarab, O=Open Web Application Security Project,
L=Johannesburg, ST=Gauteng, C=ZA
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus:
154623964938145369797219612839395417706134608433089443549809415871369366723673817041648156759869165956480706191296755342245066633311162904277499876116164772710364652941103434840470861083851860427495958630646686012271912459851197852364216947956958537100938424770176632556183958666972394630932757389391348203517
  public exponent: 65537
  Validity: [From: Thu Apr 01 14:45:59 CEST 2004,
               To: Sun Mar 30 14:45:59 CEST 2014]
  Issuer: EMAILADDRESS=owasp-webscarab@lists.sourceforge.net,
CN=WebScarab, OU=WebScarab, O=Open Web Application Security Project,
L=Johannesburg, ST=Gauteng, C=ZA
  SerialNumber: [    00]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C5 2E DC 77 1B 2D 4B A5   C9 F7 79 E9 26 38 5C D2  ...w.-K...y.&8\.
0010: 3B C5 46 88                                        ;.F.
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C5 2E DC 77 1B 2D 4B A5   C9 F7 79 E9 26 38 5C D2  ...w.-K...y.&8\.
0010: 3B C5 46 88                                        ;.F.
]

[EMAILADDRESS=owasp-webscarab@lists.sourceforge.net, CN=WebScarab,
OU=WebScarab, O=Open Web Application Security Project, L=Johannesburg,
ST=Gauteng, C=ZA]
SerialNumber: [    00]
]

[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 90 7B 76 CF 64 A1 45 DF   FC A7 64 F7 1E 7F E9 A7  ..v.d.E...d.....
0010: B0 EF 3D 3C A2 41 8B 92   9C BA C4 E6 7B 1F B1 3D  ..=<.A.........=
0020: 13 07 7B F4 A5 1E BC C9   96 9A D2 13 2D D4 7D 8F  ............-...
0030: CB D9 08 E9 83 E7 90 00   E7 F5 3E 70 3A BD 57 4D  ..........>p:.WM
0040: AB 00 AC E1 CE 85 58 3B   5B 73 56 E8 B6 29 BE 99  ......X;[sV..)..
0050: E5 91 65 67 B3 20 3A 9F   D4 53 A1 D0 43 C6 97 62  ..eg. :..S..C..b
0060: BF D4 1A 0B 92 45 FC 04   A1 1F 79 2F F2 90 35 DA  .....E....y/..5.
0070: 80 DE FE 10 B9 68 B8 70   3E DB F7 12 01 CB D3 64  .....h.p>......d

]
***
main, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 01 00 02 02 2E                               .......
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
main, IOException in getSession():  javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException:
peer not authenticated
        at
com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
        at
org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
        at
org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:399)
        at
org.apache.http.impl.conn.DefaultClientConnectionOperator.updateSecureConnection(DefaultClientConnectionOperator.java:167)
        at
org.apache.http.impl.conn.AbstractPoolEntry.layerProtocol(AbstractPoolEntry.java:275)
        at
org.apache.http.impl.conn.AbstractPooledConnAdapter.layerProtocol(AbstractPooledConnAdapter.java:122)
        at
org.apache.http.impl.client.DefaultRequestDirector.establishRoute(DefaultRequestDirector.java:668)
        at
org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:385)
        at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
        at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
        at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
        at httpclienttest.Main.main(Main.java:57)


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


Mime
View raw message