Posted to dev@hc.apache.org by bu...@apache.org on 2005/11/03 14:20:55 UTC

DO NOT REPLY [Bug 37345] New: - ProxyCredentials disclosed to remote host

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=37345>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=37345

           Summary: ProxyCredentials disclosed to remote host
           Product: HttpClient
           Version: Nightly Builds
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: Commons HttpClient
        AssignedTo: httpclient-dev@jakarta.apache.org
        ReportedBy: asf@spamblock.netzgehirn.de


I'm using httpclient (svn-trunk of today) to connect to a remote SSL host
via a proxy. The proxy requires authorization (basic) and I want to use
preemptive authorization.

Since Bug 37197 was fixed, the preemptive authorization works, but my traces
show that the proxy credentials are also transmitted to the remote host
through the CONNECT tunnel, thus disclosing sensitive information to the
remote host.

My code looks like this:
 
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpMethod;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthScope;
import org.apache.commons.httpclient.methods.GetMethod;

HttpClient client = new HttpClient();
HttpMethod method = new GetMethod("https://test");

// Route the request through the local proxy, which requires Basic auth
client.getHostConfiguration().setProxy("127.0.0.1", 3128);
// Credentials are scoped to the proxy only and should never reach the origin host
client.getState().setProxyCredentials(
                new AuthScope("127.0.0.1", 3128),
                new UsernamePasswordCredentials("proxy", "test"));
// Send the credentials up front instead of waiting for a 407 challenge
client.getState().setAuthenticationPreemptive(true);
client.executeMethod(method);
 
The trace: 
 
2005/11/03 13:53:13:244 CET [DEBUG] HttpMethodDirector - Preemptively sending default basic credentials
2005/11/03 13:53:13:261 CET [DEBUG] HttpMethodDirector - Authenticating with BASIC <any realm>@127.0.0.1:3128
2005/11/03 13:53:13:262 CET [DEBUG] HttpMethodParams - Credential charset not configured, using HTTP element charset
2005/11/03 13:53:13:266 CET [DEBUG] HttpMethodDirector - Authenticating with BASIC <any realm>@test:443
2005/11/03 13:53:13:267 CET [WARN] HttpMethodDirector - Required credentials not available for BASIC <any realm>@test:443
2005/11/03 13:53:13:267 CET [WARN] HttpMethodDirector - Preemptive authentication requested but no default credentials available
2005/11/03 13:53:13:268 CET [DEBUG] HttpConnection - Open connection to 127.0.0.1:3128
2005/11/03 13:53:13:279 CET [DEBUG] HttpMethodDirector - Preemptively sending default basic credentials
2005/11/03 13:53:13:280 CET [DEBUG] HttpMethodDirector - Authenticating with BASIC <any realm>@127.0.0.1:3128
2005/11/03 13:53:13:280 CET [DEBUG] HttpMethodParams - Credential charset not configured, using HTTP element charset
2005/11/03 13:53:13:283 CET [DEBUG] header - >> "CONNECT test:443 HTTP/1.1"
2005/11/03 13:53:13:284 CET [DEBUG] HttpMethodBase - Adding Host request header
2005/11/03 13:53:13:284 CET [DEBUG] header - >> "Proxy-Authorization: Basic cHJveHk6dGVzdA==[\r][\n]"
2005/11/03 13:53:13:285 CET [DEBUG] header - >> "User-Agent: Jakarta Commons-HttpClient/3.0-rc4[\r][\n]"
2005/11/03 13:53:13:285 CET [DEBUG] header - >> "Host: test[\r][\n]"
2005/11/03 13:53:13:286 CET [DEBUG] header - >> "Proxy-Connection: Keep-Alive[\r][\n]"
2005/11/03 13:53:13:286 CET [DEBUG] header - >> "[\r][\n]"
2005/11/03 13:53:13:311 CET [DEBUG] header - << "HTTP/1.0 200 Connection established[\r][\n]"
2005/11/03 13:53:13:326 CET [DEBUG] ConnectMethod - CONNECT status code 200
2005/11/03 13:53:13:327 CET [DEBUG] HttpConnection - Secure tunnel to test:443
2005/11/03 13:53:13:418 CET [DEBUG] header - >> "GET / HTTP/1.1[\r][\n]"
2005/11/03 13:53:13:420 CET [DEBUG] HttpMethodBase - Adding Host request header
2005/11/03 13:53:13:423 CET [DEBUG] header - >> "Proxy-Authorization: Basic cHJveHk6dGVzdA==[\r][\n]"
2005/11/03 13:53:13:424 CET [DEBUG] header - >> "User-Agent: Jakarta Commons-HttpClient/3.0-rc4[\r][\n]"
2005/11/03 13:53:13:425 CET [DEBUG] header - >> "Host: test[\r][\n]"
2005/11/03 13:53:13:425 CET [DEBUG] header - >> "[\r][\n]"
2005/11/03 13:53:14:391 CET [DEBUG] header - << "HTTP/1.1 200 OK[\r][\n]"
 
As you can see, the proxy credentials are also transmitted through the
SSL tunnel to the remote host, which is a security risk.
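An added example, not part of the bug report or of HttpClient itself: a small Python checker that reads a header trace in the format shown above and flags any Proxy-Authorization header written after the "Secure tunnel to" line, i.e. one sent to the origin host instead of the proxy. The sample trace is a constructed, shortened copy of the report's trace; the function name is my own.

```python
import base64
import re

# Constructed sample in the format of HttpClient 3.0 header traces
# (a shortened copy of the trace in the bug report, not a new capture).
SAMPLE_TRACE = """\
2005/11/03 13:53:13:283 CET [DEBUG] header - >> "CONNECT test:443 HTTP/1.1"
2005/11/03 13:53:13:284 CET [DEBUG] header - >> "Proxy-Authorization: Basic cHJveHk6dGVzdA==[\\r][\\n]"
2005/11/03 13:53:13:311 CET [DEBUG] header - << "HTTP/1.0 200 Connection established[\\r][\\n]"
2005/11/03 13:53:13:327 CET [DEBUG] HttpConnection - Secure tunnel to test:443
2005/11/03 13:53:13:418 CET [DEBUG] header - >> "GET / HTTP/1.1[\\r][\\n]"
2005/11/03 13:53:13:423 CET [DEBUG] header - >> "Proxy-Authorization: Basic cHJveHk6dGVzdA==[\\r][\\n]"
2005/11/03 13:53:14:391 CET [DEBUG] header - << "HTTP/1.1 200 OK[\\r][\\n]"
"""

HEADER_OUT = re.compile(r'\[DEBUG\] header - >> "(.*?)(?:\[\\r\]\[\\n\])?"$')
TUNNEL_UP = re.compile(r'HttpConnection - Secure tunnel to (\S+)')

def find_leaked_proxy_auth(trace):
    """Return (tunnel_target, header_value, username) for every
    Proxy-Authorization header written after a secure tunnel was
    established, i.e. sent to the origin host instead of the proxy."""
    leaks = []
    tunnel_target = None          # None while still talking to the proxy
    for line in trace.splitlines():
        m = TUNNEL_UP.search(line)
        if m:
            tunnel_target = m.group(1)
            continue
        m = HEADER_OUT.search(line)
        if not m or tunnel_target is None:
            continue
        payload = m.group(1)
        if payload.lower().startswith("proxy-authorization:"):
            value = payload.split(":", 1)[1].strip()
            username = None
            scheme, _, token = value.partition(" ")
            if scheme.lower() == "basic":
                # Basic is only base64, so the trace itself shows which
                # account was disclosed to the origin host.
                decoded = base64.b64decode(token).decode("utf-8", "replace")
                username = decoded.split(":", 1)[0]
            leaks.append((tunnel_target, value, username))
    return leaks

if __name__ == "__main__":
    for target, value, user in find_leaked_proxy_auth(SAMPLE_TRACE):
        print(f"LEAK: '{value}' (user {user!r}) sent through tunnel to {target}")
```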
