[jira] [Commented] (HTTPCLIENT-2187) Classic proxy handling for HTTPS seems broken as of 5.1.1+

Oleg Kalnichevski (Jira) Sat, 20 Nov 2021 14:22:20 -0800


    [ 
https://issues.apache.org/jira/browse/HTTPCLIENT-2187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17446885#comment-17446885
 ]


Oleg Kalnichevski commented on HTTPCLIENT-2187:
-----------------------------------------------

[~timtebeek]  Request execution via HTTPS over a HTTP/1.1 works just fine for 
me. It looks like in your case something breaks in the TLS layer but given no 
exception gets logged I cannot say what exactly.

Are you using a custom {{ConnectionSocketFactory}} by any chance?

Oleg
{noformat}
Executing request GET /get via http://127.0.0.1:8888
2021-11-20 23:17:17,642 DEBUG ex-0000000001 preparing request execution
2021-11-20 23:17:17,649 DEBUG ex-0000000001 Cookie spec selected: strict
2021-11-20 23:17:17,652 DEBUG ex-0000000001 Auth cache not set in the context
2021-11-20 23:17:17,652 DEBUG ex-0000000001 target auth state: UNCHALLENGED
2021-11-20 23:17:17,653 DEBUG ex-0000000001 acquiring connection with route 
{tls}->http://127.0.0.1:8888->https://httpbin.org:443
2021-11-20 23:17:17,653 DEBUG ex-0000000001 acquiring endpoint (3 MINUTES)
2021-11-20 23:17:17,654 DEBUG ex-0000000001 endpoint lease request (3 MINUTES) 
[route: {tls}->http://127.0.0.1:8888->https://httpbin.org:443][total available: 
0; route allocated: 0 of 5; total allocated: 0 of 25]
2021-11-20 23:17:17,658 DEBUG ex-0000000001 endpoint leased [route: 
{tls}->http://127.0.0.1:8888->https://httpbin.org:443][total available: 0; 
route allocated: 1 of 5; total allocated: 1 of 25]
2021-11-20 23:17:17,668 DEBUG ex-0000000001 acquired ep-0000000000
2021-11-20 23:17:17,668 DEBUG ex-0000000001 acquired endpoint ep-0000000000
2021-11-20 23:17:17,669 DEBUG ex-0000000001 opening connection 
{tls}->http://127.0.0.1:8888->https://httpbin.org:443
2021-11-20 23:17:17,669 DEBUG ep-0000000000 connecting endpoint (3 MINUTES)
2021-11-20 23:17:17,670 DEBUG ep-0000000000 connecting endpoint to 
http://127.0.0.1:8888 (3 MINUTES)
2021-11-20 23:17:17,671 DEBUG http-outgoing-0 connecting to /127.0.0.1:8888
2021-11-20 23:17:17,672 DEBUG http-outgoing-0 connection established 
127.0.0.1:55912<->127.0.0.1:8888
2021-11-20 23:17:17,672 DEBUG ep-0000000000 connected http-outgoing-0
2021-11-20 23:17:17,672 DEBUG ep-0000000000 endpoint connected
2021-11-20 23:17:17,673 DEBUG ep-0000000000 start execution ex-0000000001
2021-11-20 23:17:17,673 DEBUG ep-0000000000 executing exchange ex-0000000001 
over http-outgoing-0
2021-11-20 23:17:17,674 DEBUG http-outgoing-0 >> CONNECT httpbin.org:443 
HTTP/1.1
2021-11-20 23:17:17,674 DEBUG http-outgoing-0 >> Host: httpbin.org:443
2021-11-20 23:17:17,674 DEBUG http-outgoing-0 >> User-Agent: 
Apache-HttpClient/5.1.3-SNAPSHOT (Java/1.8.0_282)
2021-11-20 23:17:17,879 DEBUG http-outgoing-0 << HTTP/1.1 200 Connection 
established
2021-11-20 23:17:17,879 DEBUG ex-0000000001 connection kept alive
2021-11-20 23:17:17,881 DEBUG ex-0000000001 tunnel to target created.
2021-11-20 23:17:17,881 DEBUG ep-0000000000 upgrading endpoint
2021-11-20 23:17:17,919 DEBUG Enabled protocols: [TLSv1.2]
2021-11-20 23:17:17,920 DEBUG Enabled cipher suites: 
[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 
TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, 
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, 
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 
TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, 
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, 
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, 
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, 
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 
TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 
TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, 
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, 
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2021-11-20 23:17:17,921 DEBUG Starting handshake
2021-11-20 23:17:18,500 DEBUG Secure session established
2021-11-20 23:17:18,501 DEBUG  negotiated protocol: TLSv1.2
2021-11-20 23:17:18,501 DEBUG  negotiated cipher suite: 
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2021-11-20 23:17:18,502 DEBUG  peer principal: CN=httpbin.org
2021-11-20 23:17:18,503 DEBUG  peer alternative names: [httpbin.org, 
*.httpbin.org]
2021-11-20 23:17:18,503 DEBUG  issuer principal: CN=Amazon, OU=Server CA 1B, 
O=Amazon, C=US
2021-11-20 23:17:18,513 DEBUG ex-0000000001 executing GET /get HTTP/1.1
2021-11-20 23:17:18,513 DEBUG ep-0000000000 start execution ex-0000000001
2021-11-20 23:17:18,513 DEBUG ep-0000000000 executing exchange ex-0000000001 
over http-outgoing-0
2021-11-20 23:17:18,514 DEBUG http-outgoing-0 >> GET /get HTTP/1.1
2021-11-20 23:17:18,514 DEBUG http-outgoing-0 >> Accept-Encoding: gzip, x-gzip, 
deflate
2021-11-20 23:17:18,515 DEBUG http-outgoing-0 >> Host: httpbin.org:443
2021-11-20 23:17:18,515 DEBUG http-outgoing-0 >> Connection: keep-alive
2021-11-20 23:17:18,515 DEBUG http-outgoing-0 >> User-Agent: 
Apache-HttpClient/5.1.3-SNAPSHOT (Java/1.8.0_282)
2021-11-20 23:17:18,700 DEBUG http-outgoing-0 << HTTP/1.1 200 OK
2021-11-20 23:17:18,701 DEBUG http-outgoing-0 << Date: Sat, 20 Nov 2021 
22:17:18 GMT
2021-11-20 23:17:18,701 DEBUG http-outgoing-0 << Content-Type: application/json
2021-11-20 23:17:18,701 DEBUG http-outgoing-0 << Content-Length: 321
2021-11-20 23:17:18,701 DEBUG http-outgoing-0 << Connection: keep-alive
2021-11-20 23:17:18,702 DEBUG http-outgoing-0 << Server: gunicorn/19.9.0
2021-11-20 23:17:18,702 DEBUG http-outgoing-0 << Access-Control-Allow-Origin: *
2021-11-20 23:17:18,702 DEBUG http-outgoing-0 << 
Access-Control-Allow-Credentials: true
2021-11-20 23:17:18,709 DEBUG ex-0000000001 connection can be kept alive for 3 
MINUTES
----------------------------------------
200 OK
2021-11-20 23:17:18,715 DEBUG ep-0000000000 releasing valid endpoint
2021-11-20 23:17:18,715 DEBUG ep-0000000000 releasing endpoint
2021-11-20 23:17:18,715 DEBUG ep-0000000000 connection http-outgoing-0 can be 
kept alive for 3 MINUTES
2021-11-20 23:17:18,716 DEBUG ep-0000000000 connection released [route: 
{tls}->http://127.0.0.1:8888->https://httpbin.org:443][total available: 1; 
route allocated: 1 of 5; total allocated: 1 of 25]
{
  "args": {}, 
  "headers": {
    "Accept-Encoding": "gzip, x-gzip, deflate", 
    "Host": "httpbin.org", 
    "User-Agent": "Apache-HttpClient/5.1.3-SNAPSHOT (Java/1.8.0_282)", 
    "X-Amzn-Trace-Id": "Root=1-619973ee-3c9949421d56921b4ef4a45e"
  }, 
  "origin": "213.55.224.176", 
  "url": "https://httpbin.org/get";
}

2021-11-20 23:17:18,717 DEBUG Shutdown connection pool GRACEFUL
2021-11-20 23:17:18,717 DEBUG http-outgoing-0 close connection GRACEFUL
2021-11-20 23:17:18,719 DEBUG Connection pool shut down
{noformat}

> Classic proxy handling for HTTPS seems broken as of 5.1.1+
> ----------------------------------------------------------
>
>                 Key: HTTPCLIENT-2187
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2187
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (classic)
>    Affects Versions: 5.1.1, 5.1.2, 5.2-alpha1
>            Reporter: Tim te Beek
>            Priority: Major
>
> Classic proxy handling for HTTPS seems to have broken as of 5.1.1+, as seen 
> here: [https://github.com/wiremock/wiremock/pull/1698]
> To give just one sample, we now see a failure stacktrace such as this:
> {{java.lang.IllegalStateException: Endpoint is not connected}}
> {{    at org.apache.hc.core5.util.Asserts.check(Asserts.java:38)}}
> {{    at 
> org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager$InternalConnectionEndpoint.getValidatedPoolEntry(PoolingHttpClientConnectionManager.java:637)}}
> {{    at 
> org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager.upgrade(PoolingHttpClientConnectionManager.java:454)}}
> {{    at 
> org.apache.hc.client5.http.impl.classic.InternalExecRuntime.upgradeTls(InternalExecRuntime.java:190)}}
> {{    at 
> org.apache.hc.client5.http.impl.classic.ConnectExec.execute(ConnectExec.java:172)}}
> {{    at 
> org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)}}
> {{    at 
> org.apache.hc.client5.http.impl.classic.ProtocolExec.execute(ProtocolExec.java:197)}}
> {{    at 
> org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)}}
> {{    at 
> org.apache.hc.client5.http.impl.classic.InternalHttpClient.doExecute(InternalHttpClient.java:170)}}
> {{    at 
> org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:75)}}
> {{    at 
> org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:89)}}
> {{    at 
> com.github.tomakehurst.wiremock.junit5.JUnitJupiterExtensionJvmProxyNonStaticProgrammaticTest.getContent(JUnitJupiterExtensionJvmProxyNonStaticProgrammaticTest.java:67)}}
> {{    at 
> com.github.tomakehurst.wiremock.junit5.JUnitJupiterExtensionJvmProxyNonStaticProgrammaticTest.configures_jvm_proxy_and_enables_browser_proxying_https(JUnitJupiterExtensionJvmProxyNonStaticProgrammaticTest.java:63)}}
> That test basically calls this class to set the System proxy properties:
> [https://github.com/wiremock/wiremock/blob/master/src/main/java/com/github/tomakehurst/wiremock/http/JvmProxyConfigurer.java#L48]
> For HTTP that still works fine, for HTTPS it now fails.
>  
> There were some recent changes in 5.1.1 related to proxy handling & keep 
> alive for async:
> [https://issues.apache.org/jira/projects/HTTPCLIENT/issues/HTTPCLIENT-2177]
> [https://github.com/apache/httpcomponents-client/compare/50f93ec18be8d6f49138825356051c4c0b60dce4...90f69c87b27b721ea8f0e23bdb4baf92bd7cde06]
> However, we're using classic still, and seeing the error above, so not sure 
> it's related.
> Could anyone look into why we are now having these issues with only a patch 
> version bump?



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache.org

[jira] [Commented] (HTTPCLIENT-2187) Classic proxy handling for HTTPS seems broken as of 5.1.1+

Reply via email to