Posted to dev@hc.apache.org by Michael Becke <be...@u.washington.edu> on 2003/02/27 02:28:56 UTC

Question about HttpConnection

I found something in HttpConnection that I'm curious about.  I think I 
may have actually written it, but I am not sure why.  The following 
code is from HttpConnection.open():

             final ProtocolSocketFactory socketFactory =
                 (isSecure()
                     && !isProxied()
                         ? protocolInUse.getSocketFactory()
                         : new DefaultProtocolSocketFactory());

Essentially, on open, the connection is only using the protocol socket 
factory for non-proxied secure connections.  It seems like it should be 
using the protocol factory for all connections except when proxied and 
SSL.  Does this sound correct?

Mike


Re: Question about HttpConnection and Having problems with HTTPS proxy tunneling

Posted by Michael Becke <be...@u.washington.edu>.
> I think this relates directly to the posting today by Jani Mattsson.  As 
> best I understand it, when using HTTPS to connect via a proxy server, 
> the connection to the proxy server itself is not encrypted (the CONNECT 
> method goes to the proxy server unencrypted).  Only once the connection 
> has been established with the proxy server does encryption get thrown 
> on.  From that point on, the proxy server doesn't need to see the 
> contents of the connection, merely pass the bytes through on an open 
> socket.  (Although it occurs to me that proxy servers could launch 
> "man-in-the-middle" attacks on the exchange, so HTTPS via a proxy server 
> is no more secure than the extent to which you trust your proxy server). 
> Someone who understands proxies better than I might be able to provide 
> more info.

Agreed.  This is somewhat related.  I think your analysis of how the 
proxying works is correct.  When using a proxy I think there is little 
choice but to trust it.

> Thus, Jani's problem arises, wherein, should a retry become necessary, 
> and the connection has been closed by the remote server or the proxy, 
> then HttpMethodBase does not do the right thing to reopen the 
> connection.  Yet one more reason to move the retry logic - and perhaps 
> we cannot afford to wait until after 2.0 final for this one.

Yes.  It seems that this is exactly what is happening.  There may be a 
way to fix this given the current architecture, but moving this 
functionality outside of the method would be much cleaner.

Mike


Re: Question about HttpConnection

Posted by Eric Johnson <er...@tibco.com>.
Mike,

I think this relates directly to the posting today by Jani Mattsson.  As 
best I understand it, when using HTTPS to connect via a proxy server, 
the connection to the proxy server itself is not encrypted (the CONNECT 
method goes to the proxy server unencrypted).  Only once the connection 
has been established with the proxy server does encryption get thrown 
on.  From that point on, the proxy server doesn't need to see the 
contents of the connection, merely pass the bytes through on an open 
socket.  (Although it occurs to me that proxy servers could launch 
"man-in-the-middle" attacks on the exchange, so HTTPS via a proxy server 
is no more secure than the extent to which you trust your proxy server). 
Someone who understands proxies better than I might be able to provide 
more info.

Thus, Jani's problem arises, wherein, should a retry become necessary, 
and the connection has been closed by the remote server or the proxy, 
then HttpMethodBase does not do the right thing to reopen the 
connection.  Yet one more reason to move the retry logic - and perhaps 
we cannot afford to wait until after 2.0 final for this one.

-Eric

Michael Becke wrote:

> I found something in HttpConnection that I'm curious about.  I think I 
> may have actually written it, but I am not sure why.  The following 
> code is from HttpConnection.open():
>
>             final ProtocolSocketFactory socketFactory =
>                 (isSecure()
>                     && !isProxied()
>                         ? protocolInUse.getSocketFactory()
>                         : new DefaultProtocolSocketFactory());
>
> Essentially, on open, the connection is only using the protocol socket 
> factory for non-proxied secure connections.  It seems like it should 
> be using the protocol factory for all connections except when proxied 
> and SSL.  Does this sound correct?
>
> Mike
>
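
The two phases discussed in this thread (a cleartext CONNECT to the proxy, then TLS layered over the same socket), as an added example that is not part of the original messages or of the HttpClient code. It uses only JDK classes; the loopback stub standing in for a proxy and the host name origin.example are constructed for illustration, and the endpoint-identification setting makes the later handshake check that the certificate names the origin host.

```java
import java.io.*;
import java.net.*;
import javax.net.ssl.*;

public class ConnectTunnelDemo {
    // Read an HTTP head byte by byte so nothing past the blank line is consumed.
    static String readHead(InputStream in) throws IOException {
        StringBuilder sb = new StringBuilder();
        for (int c; !sb.toString().endsWith("\r\n\r\n") && (c = in.read()) != -1; ) sb.append((char) c);
        return sb.toString();
    }
    // Phase 1: plain TCP socket to the proxy; the CONNECT request travels unencrypted.
    static Socket openTunnel(String proxyHost, int proxyPort, String host, int port) throws IOException {
        Socket plain = new Socket(proxyHost, proxyPort);
        String req = "CONNECT " + host + ":" + port + " HTTP/1.1\r\nHost: " + host + ":" + port + "\r\n\r\n";
        plain.getOutputStream().write(req.getBytes("US-ASCII"));
        String[] status = readHead(plain.getInputStream()).split(" ", 3);
        if (status.length < 2 || !status[1].equals("200")) { plain.close(); throw new IOException("proxy refused CONNECT"); }
        return plain;
    }
    // Phase 2: layer TLS over the established tunnel; the TLS peer is the origin server, not the proxy.
    static SSLSocket layerTls(Socket tunnel, String host, int port) throws IOException {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket tls = (SSLSocket) f.createSocket(tunnel, host, port, true);
        SSLParameters p = tls.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS"); // certificate must name the origin host
        tls.setSSLParameters(p);
        return tls; // against a real origin, call startHandshake() before sending the request
    }
    public static void main(String[] args) throws Exception {
        // Constructed loopback stub in place of a proxy: records the cleartext head, answers 200.
        try (ServerSocket stub = new ServerSocket(0, 1, InetAddress.getByName("127.0.0.1"))) {
            String[] seen = new String[1];
            Thread t = new Thread(() -> {
                try (Socket c = stub.accept()) {
                    seen[0] = readHead(c.getInputStream());
                    c.getOutputStream().write("HTTP/1.1 200 Connection established\r\n\r\n".getBytes());
                    c.getInputStream().read(); // keep the tunnel open until the client closes it
                } catch (IOException e) { throw new UncheckedIOException(e); }
            });
            t.start();
            Socket tunnel = openTunnel("127.0.0.1", stub.getLocalPort(), "origin.example", 443);
            SSLSocket tls = layerTls(tunnel, "origin.example", 443);
            tunnel.close(); // the stub speaks no TLS, so the demo stops before the handshake
            t.join();
            System.out.println("name check: " + tls.getSSLParameters().getEndpointIdentificationAlgorithm()
                    + "\nproxy saw in cleartext:\n" + seen[0]);
        }
    }
}
```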