Hi,

OK, I just found out the difference between client 2 and client 3.
While debugging the HTTP client I noticed that it didn't consider the protocol as secure, since our SocketFactory used the interface ProtocolSocketFactory
instead of SecureProtocolFactory.
I double-checked the old httpclient 2.0 and found that it based the security flag on the protocol name, which was "https".
That's why it worked correctly with httpclient 2.0.

It is in line with your last comment, so I just want to confirm that the interface SecureProtocolFactory was the
problem.


However, I am a bit surprised that this only causes a problem with SSL via proxy servers. I would expect that it doesn't work at all if an SSL connection is created using a factory that only has the ProtocolSocketFactory interface.

Also, after adjusting our code I found that new Protocol("https", new SSLProtocolSocketFactory(...)
is now deprecated, does that make sense?
That way the caller always has to cast the factory to a ProtocolSocketFactory to avoid the deprecated warning.

Anyway, thanks for looking into this.
Now it works as intended.

Oleg Kalnichevski wrote:

On Thu, Aug 18, 2005 at 02:18:27PM +0200, michael haeusler wrote:
Oleg,

How could this be a problem of the SSL context if all works fine in client 3-rc3 without proxy,
and also works fine in client 2 with or without proxy?


Because this is what I see in the exception stack trace. Please review
the de.msg.transport.ssl.SSLProtocolSocketFactory class and make sure
that it correctly implements the SecureProtocolSocketFactory interface,
especially new methods introduced in 3.0

Oleg

Something must be different in client 3.

Oleg Kalnichevski wrote:

Michael,

This means one and only one thing: misconfiguration of the SSL context,
which is strictly speaking not a problem with HttpClient. For details
see the SSL guide [1]. You might want to take a closer look at the
AuthSSLProtocolSocketFactory in particular.

Hope this helps,

Oleg

[1] http://jakarta.apache.org/commons/httpclient/sslguide.html


On Thu, Aug 18, 2005 at 12:37:05PM +0200, michael haeusler wrote:


Hello,

I noticed that after upgrading from http-client 2.0 to http-client 3.0-rc3
our application does not work correctly any more.

The HTTP server that the application connects to requires SSL with client certificates.
Without an HTTP proxy server there is no problem.
When using an HTTP proxy server, the result depends on the proxy server: it either never responds, or a "peer not authenticated" exception is thrown at the application.
Here is the debug log:

org.apache.commons.httpclient.params.DefaultHttpParams - 10000 - Set parameter http.useragent = Jakarta Commons-HttpClient/3.0-rc3
org.apache.commons.httpclient.params.DefaultHttpParams - 10000 - Set parameter http.protocol.version = HTTP/1.1
org.apache.commons.httpclient.params.DefaultHttpParams - 10000 - Set parameter http.connection-manager.class = class org.apache.commons.httpclient.SimpleHttpConnectionManager
org.apache.commons.httpclient.params.DefaultHttpParams - 10000 - Set parameter http.protocol.cookie-policy = rfc2109
org.apache.commons.httpclient.params.DefaultHttpParams - 10000 - Set parameter http.protocol.element-charset = US-ASCII
org.apache.commons.httpclient.params.DefaultHttpParams - 10000 - Set parameter http.protocol.content-charset = ISO-8859-1
org.apache.commons.httpclient.params.DefaultHttpParams - 10000 - Set parameter http.method.retry-handler = [EMAIL PROTECTED]
org.apache.commons.httpclient.params.DefaultHttpParams - 10000 - Set parameter http.dateparser.patterns = [EEE, dd MMM yyyy HH:mm:ss zzz, EEEE, dd-MMM-yy HH:mm:ss zzz, EEE MMM d HH:mm:ss yyyy, EEE, dd-MMM-yyyy HH:mm:ss z, EEE, dd-MMM-yyyy HH-mm-ss z, EEE, dd MMM yy HH:mm:ss z, EEE dd-MMM-yyyy HH:mm:ss z, EEE dd MMM yyyy HH:mm:ss z, EEE dd-MMM-yyyy HH-mm-ss z, EEE dd-MMM-yy HH:mm:ss z, EEE dd MMM yy HH:mm:ss z, EEE,dd-MMM-yy HH:mm:ss z, EEE,dd-MMM-yyyy HH:mm:ss z, EEE, dd-MM-yyyy HH:mm:ss z]
org.apache.commons.httpclient.params.DefaultHttpParams - 10000 - Set parameter http.connection-manager.max-per-host = {HostConfiguration[]=20}
org.apache.commons.httpclient.params.DefaultHttpParams - 10000 - Set parameter http.connection-manager.max-total = 500
org.apache.commons.httpclient.params.DefaultHttpParams - 10000 - Set parameter http.connection.timeout = 60000
org.apache.commons.httpclient.HttpClient - 10000 - Java version: 1.4.2_08
org.apache.commons.httpclient.HttpClient - 10000 - Java vendor: Sun Microsystems Inc.
org.apache.commons.httpclient.HttpClient - 10000 - Java class path: jre\lib\tools.jar;tomcat-5.0.28\bin\bootstrap.jar
org.apache.commons.httpclient.HttpClient - 10000 - Operating system name: Windows XP
org.apache.commons.httpclient.HttpClient - 10000 - Operating system architecture: x86
org.apache.commons.httpclient.HttpClient - 10000 - Operating system version: 5.1
org.apache.commons.httpclient.HttpClient - 10000 - SUN 1.42: SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; JKS keystore; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores)
org.apache.commons.httpclient.HttpClient - 10000 - SunJSSE 1.42: Sun JSSE provider(implements RSA Signatures, PKCS12, SunX509 key/trust factories, SSLv3, TLSv1)
org.apache.commons.httpclient.HttpClient - 10000 - SunRsaSign 1.42: SUN's provider for RSA signatures
org.apache.commons.httpclient.HttpClient - 10000 - SunJCE 1.42: SunJCE Provider (implements DES, Triple DES, AES, Blowfish, PBE, Diffie-Hellman, HMAC-MD5, HMAC-SHA1)
org.apache.commons.httpclient.HttpClient - 10000 - SunJGSS 1.0: Sun (Kerberos v5)
org.apache.commons.httpclient.HttpClient - 10000 - BC 1.29: BouncyCastle Security Provider v1.29
org.apache.commons.httpclient.params.DefaultHttpParams - 10000 - Set parameter http.socket.timeout = 0
org.apache.commons.httpclient.HttpMethodBase - 10000 - HttpMethodBase.addRequestHeader(Header)
org.apache.commons.httpclient.HttpMethodBase - 10000 - HttpMethodBase.addRequestHeader(Header)
org.apache.commons.httpclient.HttpMethodBase - 10000 - HttpMethodBase.addRequestHeader(Header)
org.apache.commons.httpclient.HttpMethodBase - 10000 - HttpMethodBase.addRequestHeader(Header)
org.apache.commons.httpclient.methods.PostMethod - 10000 - enter PostMethod.clearRequestBody()
org.apache.commons.httpclient.methods.EntityEnclosingMethod - 10000 - enter EntityEnclosingMethod.clearRequestBody()
org.apache.commons.httpclient.HttpClient - 10000 - enter HttpClient.executeMethod(HostConfiguration,HttpMethod,HttpState)
org.apache.commons.httpclient.MultiThreadedHttpConnectionManager - 10000 - enter HttpConnectionManager.getConnectionWithTimeout(HostConfiguration, long)
org.apache.commons.httpclient.MultiThreadedHttpConnectionManager - 10000 - HttpConnectionManager.getConnection: config = HostConfiguration[host=https://localhost, proxyHost=http://192.168.200.224:8888], timeout = 0
org.apache.commons.httpclient.MultiThreadedHttpConnectionManager - 10000 - enter HttpConnectionManager.ConnectionPool.getHostPool(HostConfiguration)
org.apache.commons.httpclient.MultiThreadedHttpConnectionManager - 10000 - enter HttpConnectionManager.ConnectionPool.getHostPool(HostConfiguration)
org.apache.commons.httpclient.MultiThreadedHttpConnectionManager - 10000 - Allocating new connection, hostConfig=HostConfiguration[host=https://localhost, proxyHost=http://192.168.200.224:8888]
org.apache.commons.httpclient.HttpConnection - 10000 - enter HttpConnection.open()
org.apache.commons.httpclient.HttpConnection - 10000 - Open connection to 192.168.200.224:8888
org.apache.commons.httpclient.params.DefaultHttpParams - 10000 - Set parameter http.socket.timeout = 0
org.apache.commons.httpclient.HttpMethodBase - 10000 - HttpMethodBase.addRequestHeader(Header)
org.apache.commons.httpclient.HttpMethodBase - 10000 - HttpMethodBase.addRequestHeader(Header)
org.apache.commons.httpclient.HttpMethodBase - 10000 - HttpMethodBase.addRequestHeader(Header)
org.apache.commons.httpclient.HttpMethodBase - 10000 - HttpMethodBase.addRequestHeader(Header)
org.apache.commons.httpclient.methods.PostMethod - 10000 - enter PostMethod.clearRequestBody()
org.apache.commons.httpclient.methods.EntityEnclosingMethod - 10000 - enter EntityEnclosingMethod.clearRequestBody()
org.apache.commons.httpclient.HttpClient - 10000 - enter HttpClient.executeMethod(HostConfiguration,HttpMethod,HttpState)
org.apache.commons.httpclient.MultiThreadedHttpConnectionManager - 10000 - enter HttpConnectionManager.getConnectionWithTimeout(HostConfiguration, long)
org.apache.commons.httpclient.MultiThreadedHttpConnectionManager - 10000 - HttpConnectionManager.getConnection: config = HostConfiguration[host=https://localhost, proxyHost=http://192.168.200.224:8888], timeout = 0
org.apache.commons.httpclient.MultiThreadedHttpConnectionManager - 10000 - enter HttpConnectionManager.ConnectionPool.getHostPool(HostConfiguration)
org.apache.commons.httpclient.MultiThreadedHttpConnectionManager - 10000 - enter HttpConnectionManager.ConnectionPool.getHostPool(HostConfiguration)
org.apache.commons.httpclient.MultiThreadedHttpConnectionManager - 10000 - Allocating new connection, hostConfig=HostConfiguration[host=https://localhost, proxyHost=http://192.168.200.224:8888]
org.apache.commons.httpclient.HttpConnection - 10000 - enter HttpConnection.open()
org.apache.commons.httpclient.HttpConnection - 10000 - Open connection to 192.168.200.224:8888
org.apache.commons.httpclient.HttpConnection - 10000 - enter HttpConnection.closeSockedAndStreams()
org.apache.commons.httpclient.HttpMethodDirector - 10000 - Closing the connection.
org.apache.commons.httpclient.HttpConnection - 10000 - enter HttpConnection.close()
org.apache.commons.httpclient.HttpConnection - 10000 - enter HttpConnection.closeSockedAndStreams()
org.apache.commons.httpclient.HttpMethodDirector - 20000 - I/O exception caught when processing request: peer not authenticated
org.apache.commons.httpclient.HttpMethodDirector - 10000 - peer not authenticated
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA12275)
    at de.msg.transport.ssl.SSLProtocolSocketFactory.o00000(Unknown Source)
    at de.msg.transport.ssl.SSLProtocolSocketFactory.createSocket(Unknown Source)
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:704)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1339)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:382)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:168)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
    at de.msg.transport.HttpProvider.sendMessage(Unknown Source)
    at de.msg.j.run(Unknown Source)
org.apache.commons.httpclient.HttpMethodDirector - 20000 - Retrying request





---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




--
Mit freundlichen Grüßen / Best Regards,
Michael Häusler
__________________________________________________________________
Ponton Consulting GmbH                 voice:  + 49.40.69213-340
http://www.ponton-consulting.de/       fax:    + 49.40.69213-355
Dorotheenstraße 60
D-22301 Hamburg
                      Ponton Consulting is a Member of C1 Group
__________________________________________________________________

HRB 81480, AG Hamburg, Managing Director: Dr. Michael Merz
Ponton Consulting is a Member of C1 Group (www.c1-group.com)
__________________________________________________________________

