Subject: Re: HttpRoutePlanner - How does it work with an HTTPS Proxy
From: Oleg Kalnichevski
To: HttpClient User Discussion
Date: Mon, 25 Feb 2013 11:42:40 +0100

On Sun, 2013-02-24 at 08:02 +0530, Sivasubramaniam Sivakumar wrote:
> Hi,
>
> I have an HTTPS proxy set up so that HTTP clients can send plain HTTP
> requests securely to the proxy. For example, a client can send an encrypted
> HTTP GET request to the proxy, which will remove the encryption and send
> the plain HTTP GET request to the end-site.
>
> I learned that this is not a common setup and only Google Chrome has
> in-built features to support such a scenario. (Info here -
> http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection).
> I have made Google Chrome work with my HTTPS proxy and hence there is no
> trouble on the proxy side.
>
> I wish to write an HTTP Client that will encrypt all requests to my HTTPS
> Proxy. I tried setting an HTTPS proxy to DefaultHttpClient this way -
>
>     DefaultHttpClient dhc = new DefaultHttpClient();
>     HttpHost proxy = new HttpHost("192.168.2.3", 8181, "https"); // NOTE: https
>     dhc.getParams().setParameter(ConnRoutePNames.DEFAULT_PROXY, proxy);
>
> Then trying to execute any request gives me an SSLPeerUnverifiedException.
> I do not understand the reason why.
>
> During my exploration of the DefaultHttpClient API, I came across
> HttpRoutePlanner and HttpRoute with which we can specify whether the
> connection to proxies should be encrypted or not. However, I am unable to
> make this work.
>
> Here is a diagram that explains my setup by differentiating it with an HTTP
> Proxy setup -
>
> HTTP Proxy:
>
> HTTP Client <------- Plain Text GET, POST Requests -------> HTTP Proxy
> <------- Plain Text GET, POST Requests -------> HTTP End-Site
>
> HTTP Client <------- Plain Text CONNECT Requests -------> HTTP Proxy
> <------- Plain Text CONNECT Requests -------> HTTPS End-Site
>
> NOTE: For HTTPS End-Sites, only the CONNECT Request is seen by the proxy.
> Then an SSL Tunnel is established between the Client and End-Site
>
> HTTPS Proxy:
>
> HTTP Client <------- Encrypted GET, POST Requests -------> HTTPS Proxy
> <-------- Plain Text GET, POST Requests --------> HTTP End-Site
>
> HTTP Client <------- Encrypted CONNECT Requests -------> HTTPS Proxy
> <------- Plain Text CONNECT Requests -------> HTTPS End-Site
>
> NOTE: For HTTPS End-Sites, only the initial CONNECT Request should be
> encrypted to the proxy. The subsequent request will anyway be tunnelled.
>
> Can anybody please let me know how I can achieve this goal? I believe
> HttpRoutePlanner should help, but I don't know how. Thanks.
>
> Regards,
> Sivasubramaniam S.

Sivasubramaniam,

Apache HttpClient 4.x supports SSL via proxy only by connection tunneling.
It does not support HTTPS proxies. For details see

https://issues.apache.org/jira/browse/HTTPCLIENT-1318

Oleg
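
The encrypted client-to-proxy hop described in the question, done directly with JSSE sockets instead of HttpClient 4.x. This is an added example, not code from this thread or from the HttpClient project. It opens TLS to the proxy, checks the proxy certificate name, and sends a plain-HTTP GET in absolute form; the class name, `proxy.example.test` and `origin.example.test` are placeholders, and port 8181 is the one used in the post.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class TlsProxyGet {
    // Placeholder values: the proxy's DNS name must match its certificate.
    static final String PROXY_HOST = "proxy.example.test";
    static final int PROXY_PORT = 8181;

    // A proxy expects the absolute-form request target for plain-HTTP origins.
    static String buildRequest(URI target) {
        String hostHeader = target.getPort() == -1
                ? target.getHost() : target.getHost() + ":" + target.getPort();
        return "GET " + target.toASCIIString() + " HTTP/1.1\r\n"
                + "Host: " + hostHeader + "\r\n"
                + "Connection: close\r\n\r\n";
    }

    public static void main(String[] args) throws Exception {
        URI target = URI.create("http://origin.example.test/");
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(PROXY_HOST, PROXY_PORT)) {
            // A raw SSLSocket does not check the certificate name by default;
            // enable HTTPS-style endpoint identification for the proxy hop.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake(); // throws if the proxy certificate is untrusted or mismatched

            OutputStream out = socket.getOutputStream();
            out.write(buildRequest(target).getBytes(StandardCharsets.US_ASCII));
            out.flush();

            BufferedReader in = new BufferedReader(
                    new InputStreamReader(socket.getInputStream(), StandardCharsets.ISO_8859_1));
            String line;
            while ((line = in.readLine()) != null && !line.isEmpty()) {
                System.out.println(line); // status line and response headers
            }
        }
    }
}
```

The default trust store must contain the CA that issued the proxy certificate; with a self-signed proxy certificate, load it into a dedicated trust store rather than disabling verification.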