SOAP and proxy servers problems with SSL

[David Wall <dw...@Yozons.com>]

[Sorry for the repost from yesterday, not sure if nobody knows the answer, or whether it was simply not received.]

I have a Java client (Apache SOAP 2.2) using JSSE 1.0.2 for HTTPS URLs to my web service.  The client is behind a proxy server (netscape?).  The connection to the proxy is always over port 80, even though my code is connecting to an HTTPS port 443 URL.

What I've found is that when I use an HTTP port 80 url to our service, it is able to communicate okay, but that won't work for production where SSL is required.  But when I try to connect over HTTPS, the communications never takes place.  (Mind you, this works fine for HTTPS when there's no proxy server in the middle -- that is, the client is able to communicate directly with SSL across the Internet when no proxy exists -- and it can communicate through the proxy when using HTTP only by calling the setProxy methods on SoapTransport)

>From the Apache source, I'm not sure, but is the communications from the client to the proxy server encrypted with SSL already, or is that done in the clear with the expectation that the proxy server will then initiate the SSL connection to my SOAP server?  What is the SOAP code doing when the URL says use HTTPS, but the proxy configuration says to communicate over port 80 to the proxy server?

It's a question of SSL tunneling versus HTTPS proxying...

If it sends the data to the proxy server via SSL, how does the proxy server know where to forward the request to since the HTTP headers contain the target URL and they'd be encrypted.

Thanks,
David

Re: SOAP and proxy servers problems with SSL

[Simon Fell <so...@zaks.demon.co.uk>]

On Wed, 17 Oct 2001 09:54:21 -0700, in soap you wrote:

>> If you want to proxy SSL connections, then you need to use the CONNECT
>> method to the proxy, this requires the proxy to support using CONNECT,
>> and for the http client code to recognize that you're trying to proxy
>> SSL, and to send the CONNECT command first.
>>
>> I don't know if there's any support for this in the Apache SOAP http
>> stack.
>
>Does anybody know if Apache SOAP 2.2 supports this?  I'm presuming right now
>that SOAP is sending SSL data to the proxy server, requiring the proxy
>server to tunnel the https.  But when that occurs, how does the proxy server
>know where to forward the request to since from what I can see, the
>destination URL is part of the http header, which would be encrypted.
>
>Does it work by having the proxy decrypt the SSL from my client, then
>re-encrypt using a different SSL to the web server?  Seems unlikely, but I'm
>otherwise unsure how the proxy can know where to send the message.
>
>David

That shouldn't work, as the proxy certificate name won't match the
destination server name, so the client stack should fail the
connection.

Cheers
Simon

Re: SOAP and proxy servers problems with SSL

[Simon Fell <so...@zaks.demon.co.uk>]

On Wed, 17 Oct 2001 09:54:21 -0700, in soap you wrote:

>> If you want to proxy SSL connections, then you need to use the CONNECT
>> method to the proxy, this requires the proxy to support using CONNECT,
>> and for the http client code to recognize that you're trying to proxy
>> SSL, and to send the CONNECT command first.
>>
>> I don't know if there's any support for this in the Apache SOAP http
>> stack.
>
>Does anybody know if Apache SOAP 2.2 supports this?  I'm presuming right now
>that SOAP is sending SSL data to the proxy server, requiring the proxy
>server to tunnel the https.  But when that occurs, how does the proxy server
>know where to forward the request to since from what I can see, the
>destination URL is part of the http header, which would be encrypted.
>
>Does it work by having the proxy decrypt the SSL from my client, then
>re-encrypt using a different SSL to the web server?  Seems unlikely, but I'm
>otherwise unsure how the proxy can know where to send the message.
>
>David

That shouldn't work, as the proxy certificate name won't match the
destination server name, so the client stack should fail the
connection.

Cheers
Simon

Re: SOAP and proxy servers problems with SSL

[David Wall <dw...@Yozons.com>]

> If you want to proxy SSL connections, then you need to use the CONNECT
> method to the proxy, this requires the proxy to support using CONNECT,
> and for the http client code to recognize that you're trying to proxy
> SSL, and to send the CONNECT command first.
>
> I don't know if there's any support for this in the Apache SOAP http
> stack.

Does anybody know if Apache SOAP 2.2 supports this?  I'm presuming right now
that SOAP is sending SSL data to the proxy server, requiring the proxy
server to tunnel the https.  But when that occurs, how does the proxy server
know where to forward the request to since from what I can see, the
destination URL is part of the http header, which would be encrypted.

Does it work by having the proxy decrypt the SSL from my client, then
re-encrypt using a different SSL to the web server?  Seems unlikely, but I'm
otherwise unsure how the proxy can know where to send the message.

David

Re: SOAP and proxy servers problems with SSL

[David Wall <dw...@Yozons.com>]

> If you want to proxy SSL connections, then you need to use the CONNECT
> method to the proxy, this requires the proxy to support using CONNECT,
> and for the http client code to recognize that you're trying to proxy
> SSL, and to send the CONNECT command first.
>
> I don't know if there's any support for this in the Apache SOAP http
> stack.

Does anybody know if Apache SOAP 2.2 supports this?  I'm presuming right now
that SOAP is sending SSL data to the proxy server, requiring the proxy
server to tunnel the https.  But when that occurs, how does the proxy server
know where to forward the request to since from what I can see, the
destination URL is part of the http header, which would be encrypted.

Does it work by having the proxy decrypt the SSL from my client, then
re-encrypt using a different SSL to the web server?  Seems unlikely, but I'm
otherwise unsure how the proxy can know where to send the message.

David

Re: SOAP and proxy servers problems with SSL

[Simon Fell <so...@zaks.demon.co.uk>]

On Wed, 17 Oct 2001 09:01:01 -0700, in soap you wrote:

>[Sorry for the repost from yesterday, not sure if nobody knows the answer, or whether it was simply not received.]
>
>I have a Java client (Apache SOAP 2.2) using JSSE 1.0.2 for HTTPS URLs to my web service.  The client is behind a proxy server (netscape?).  The connection to the proxy is always over port 80, even though my code is connecting to an HTTPS port 443 URL.
>
>What I've found is that when I use an HTTP port 80 url to our service, it is able to communicate okay, but that won't work for production where SSL is required.  But when I try to connect over HTTPS, the communications never takes place.  (Mind you, this works fine for HTTPS when there's no proxy server in the middle -- that is, the client is able to communicate directly with SSL across the Internet when no proxy exists -- and it can communicate through the proxy when using HTTP only by calling the setProxy methods on SoapTransport)
>
>>From the Apache source, I'm not sure, but is the communications from the client to the proxy server encrypted with SSL already, or is that done in the clear with the expectation that the proxy server will then initiate the SSL connection to my SOAP server?  What is the SOAP code doing when the URL says use HTTPS, but the proxy configuration says to communicate over port 80 to the proxy server?
>
>It's a question of SSL tunneling versus HTTPS proxying...
>
>If it sends the data to the proxy server via SSL, how does the proxy server know where to forward the request to since the HTTP headers contain the target URL and they'd be encrypted.
>
>Thanks,
>David

If you want to proxy SSL connections, then you need to use the CONNECT
method to the proxy, this requires the proxy to support using CONNECT,
and for the http client code to recognize that you're trying to proxy
SSL, and to send the CONNECT command first.

I don't know if there's any support for this in the Apache SOAP http
stack.

Cheers
Simon
www.pocketsoap.com

Re: SOAP and proxy servers problems with SSL

[Simon Fell <so...@zaks.demon.co.uk>]

On Wed, 17 Oct 2001 09:01:01 -0700, in soap you wrote:

>[Sorry for the repost from yesterday, not sure if nobody knows the answer, or whether it was simply not received.]
>
>I have a Java client (Apache SOAP 2.2) using JSSE 1.0.2 for HTTPS URLs to my web service.  The client is behind a proxy server (netscape?).  The connection to the proxy is always over port 80, even though my code is connecting to an HTTPS port 443 URL.
>
>What I've found is that when I use an HTTP port 80 url to our service, it is able to communicate okay, but that won't work for production where SSL is required.  But when I try to connect over HTTPS, the communications never takes place.  (Mind you, this works fine for HTTPS when there's no proxy server in the middle -- that is, the client is able to communicate directly with SSL across the Internet when no proxy exists -- and it can communicate through the proxy when using HTTP only by calling the setProxy methods on SoapTransport)
>
>>From the Apache source, I'm not sure, but is the communications from the client to the proxy server encrypted with SSL already, or is that done in the clear with the expectation that the proxy server will then initiate the SSL connection to my SOAP server?  What is the SOAP code doing when the URL says use HTTPS, but the proxy configuration says to communicate over port 80 to the proxy server?
>
>It's a question of SSL tunneling versus HTTPS proxying...
>
>If it sends the data to the proxy server via SSL, how does the proxy server know where to forward the request to since the HTTP headers contain the target URL and they'd be encrypted.
>
>Thanks,
>David

If you want to proxy SSL connections, then you need to use the CONNECT
method to the proxy, this requires the proxy to support using CONNECT,
and for the http client code to recognize that you're trying to proxy
SSL, and to send the CONNECT command first.

I don't know if there's any support for this in the Apache SOAP http
stack.

Cheers
Simon
www.pocketsoap.com