You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by "Gary Gregory (JIRA)" <ji...@apache.org> on 2017/08/31 14:24:00 UTC
[jira] [Closed] (HTTPCORE-487)
org.apache.http.nio.reactor.ssl.SSLIOSession and
SSLNHttpClientConnectionFactory do not always use the HTTP host setting
[ https://issues.apache.org/jira/browse/HTTPCORE-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gary Gregory closed HTTPCORE-487.
---------------------------------
Resolution: Fixed
Fix Version/s: 4.4.7
That fix works as well so took the liberty to commit it to 4.4.x in order for the fix to percolate to a SNAPSHOT build. I tested our own NHttpReverseProxy as well as my custom HC NIO app. I am not sure how to best unit test this without relying on an external web site. I suppose the SSL wire traffic could be recorded and mocked.
> org.apache.http.nio.reactor.ssl.SSLIOSession and SSLNHttpClientConnectionFactory do not always use the HTTP host setting
> ------------------------------------------------------------------------------------------------------------------------
>
> Key: HTTPCORE-487
> URL: https://issues.apache.org/jira/browse/HTTPCORE-487
> Project: HttpComponents HttpCore
> Issue Type: Bug
> Components: HttpCore NIO
> Affects Versions: 4.4.6
> Reporter: Gary Gregory
> Priority: Blocker
> Fix For: 4.4.7
>
> Attachments: httpcomponents-core-4.4.x.patch
>
>
> org.apache.http.nio.reactor.ssl.SSLIOSession does not always account for its host setting.
> Patch forthcoming.
> This shows up in the example {{NHttpReverseProxy}} app.
> From the dev ML where I wrote:
> {noformat}
> HttpCore NIO, NHttpReverseProxy and diagnosing an SSL handshake_failure
> Inbox
> x
> Gary Gregory <ga...@gmail.com>
> 2:57 PM (7 hours ago)
> to HttpComponents
> Hi All:
> To diagnose a problem I am seeing in my custom HC-NIO proxy, I run our example NHttpReverseProxy with the command line arguments:
> https://jsonplaceholder.typicode.com:443/ 33000 TrustSelfSignedStrategy
> (with or without TrustSelfSignedStrategy)
> Then I get a handshake_failure trying to access it:
> $ curl http://localhost:33000/posts
> % Total % Received % Xferd Average Speed Time Time Time Current
> Dload Upload Total Spent Left Speed
> 100 39 100 39 0 0 39 0 0:00:01 --:--:-- 0:00:01 207Received fatal alert: handshake_failure
> NHttpReverseProxy prints:
> Using TrustSelfSignedStrategy (not for production)
> Reverse proxy to https://jsonplaceholder.typicode.com:443
> [client->proxy] connection open 0:0:0:0:0:0:0:1:33000<->0:0:0:0:0:0:0:1:55252
> [client->proxy] 00000001 GET /posts HTTP/1.1
> [client->proxy] 00000001 request completed
> [proxy->origin] connection open 192.168.0.92:55254<->104.31.87.157:443
> [proxy->origin] 00000001 GET /posts HTTP/1.1
> [proxy->origin] 00000001 request completed
> [client<-proxy] 00000001 javax.net.ssl.SSLException: Received fatal alert: handshake_failure
> [proxy->origin] connection released 0.0.0.0:55254<->104.31.87.157:443
> [proxy->origin] [total kept alive: 0; total allocated: 0 of 100]
> [proxy->origin] connection closed 0.0.0.0:55254<->104.31.87.157:443
> [client->proxy] connection closed 0.0.0.0:33000<->0:0:0:0:0:0:0:1:55252
> HttpClient works fine with:
> public class HttpsClientSanityTest {
> private void executeHttpsGetPosts(final CloseableHttpClient client) throws IOException, ClientProtocolException {
> try (final CloseableHttpResponse reponse = client.execute(new HttpGet("https://jsonplaceholder.typicode.com/posts"))) {
> final String string = EntityUtils.toString(reponse.getEntity());
> Assert.assertNotNull(string);
> // System.out.println(string);
> }
> }
> @Test
> public void test_typicode_com() throws KeyManagementException, NoSuchAlgorithmException, ClientProtocolException, IOException {
> try (final CloseableHttpClient client = HttpClients.createDefault()) {
> executeHttpsGetPosts(client);
> }
> }
> }
> curl works fine with 'curl https://jsonplaceholder.typicode.com/posts' and returns a JSON document.
> Any hints as to what is missing from NHttpReverseProxy?
> Thank you,
> Gary
> Gary Gregory <ga...@gmail.com>
> 3:19 PM (7 hours ago)
> to HttpComponents
> I should add that I am running the latest Oracle Java 8 on Windows 10.
> Gary Gregory <ga...@gmail.com>
> 10:17 PM (21 minutes ago)
> to HttpComponents
> If I set -Djavax.net.debug=all in the proxy I see:
> RandomCookie: GMT: 1487308723 bytes = { 46, 102, 239, 247, 53, 87, 164, 146, 197, 44, 72, 95, 153, 58, 9, 22, 138, 176, 137, 76, 196, 163, 34, 95, 220, 87, 105, 237 }
> Session ID: {}
> Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
> Compression Methods: { 0 }
> Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
> Extension ec_point_formats, formats: [uncompressed]
> Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
> ***
> [write] MD5 and SHA1 hashes: len = 161
> 0000: 01 00 00 9D 03 03 59 A7 88 B3 2E 66 EF F7 35 57 ......Y....f..5W
> 0010: A4 92 C5 2C 48 5F 99 3A 09 16 8A B0 89 4C C4 A3 ...,H_.:.....L..
> 0020: 22 5F DC 57 69 ED 00 00 3A C0 23 C0 27 00 3C C0 "_.Wi...:.#.'.<.
> 0030: 25 C0 29 00 67 00 40 C0 09 C0 13 00 2F C0 04 C0 %.).g.@...../...
> 0040: 0E 00 33 00 32 C0 2B C0 2F 00 9C C0 2D C0 31 00 ..3.2.+./...-.1.
> 0050: 9E 00 A2 C0 08 C0 12 00 0A C0 03 C0 0D 00 16 00 ................
> 0060: 13 00 FF 01 00 00 3A 00 0A 00 16 00 14 00 17 00 ......:.........
> 0070: 18 00 19 00 09 00 0A 00 0B 00 0C 00 0D 00 0E 00 ................
> 0080: 16 00 0B 00 02 01 00 00 0D 00 16 00 14 06 03 06 ................
> 0090: 01 05 03 05 01 04 03 04 01 04 02 02 03 02 01 02 ................
> 00A0: 02 .
> I/O dispatcher 1, WRITE: TLSv1.2 Handshake, length = 161
> [Raw write]: length = 166
> 0000: 16 03 03 00 A1 01 00 00 9D 03 03 59 A7 88 B3 2E ...........Y....
> 0010: 66 EF F7 35 57 A4 92 C5 2C 48 5F 99 3A 09 16 8A f..5W...,H_.:...
> 0020: B0 89 4C C4 A3 22 5F DC 57 69 ED 00 00 3A C0 23 ..L.."_.Wi...:.#
> 0030: C0 27 00 3C C0 25 C0 29 00 67 00 40 C0 09 C0 13 .'.<.%.).g.@....
> 0040: 00 2F C0 04 C0 0E 00 33 00 32 C0 2B C0 2F 00 9C ./.....3.2.+./..
> 0050: C0 2D C0 31 00 9E 00 A2 C0 08 C0 12 00 0A C0 03 .-.1............
> 0060: C0 0D 00 16 00 13 00 FF 01 00 00 3A 00 0A 00 16 ...........:....
> 0070: 00 14 00 17 00 18 00 19 00 09 00 0A 00 0B 00 0C ................
> 0080: 00 0D 00 0E 00 16 00 0B 00 02 01 00 00 0D 00 16 ................
> 0090: 00 14 06 03 06 01 05 03 05 01 04 03 04 01 04 02 ................
> 00A0: 02 03 02 01 02 02 ......
> [Raw read]: length = 5
> 0000: 15 03 01 00 02 .....
> [Raw read]: length = 2
> 0000: 02 28 .(
> I/O dispatcher 1, READ: TLSv1 Alert, length = 2
> I/O dispatcher 1, RECV TLSv1.2 ALERT: fatal, handshake_failure
> I/O dispatcher 1, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure
> I/O dispatcher 1, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure
> [client<-proxy] 00000001 javax.net.ssl.SSLException: Received fatal alert: handshake_failure
> But, with the HttpClient, there is more data in the hex dumps which include the origin server name and other bits:
> %% No cached client session
> *** ClientHello, TLSv1.2
> RandomCookie: GMT: 1487308648 bytes = { 223, 57, 250, 125, 154, 123, 122, 30, 110, 58, 163, 142, 215, 41, 230, 164, 96, 33, 206, 68, 84, 216, 191, 149, 12, 79, 94, 143 }
> Session ID: {}
> Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
> Compression Methods: { 0 }
> Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
> Extension ec_point_formats, formats: [uncompressed]
> Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
> Extension server_name, server_name: [type=host_name (0), value=jsonplaceholder.typicode.com]
> ***
> [write] MD5 and SHA1 hashes: len = 198
> 0000: 01 00 00 C2 03 03 59 A7 87 68 DF 39 FA 7D 9A 7B ......Y..h.9....
> 0010: 7A 1E 6E 3A A3 8E D7 29 E6 A4 60 21 CE 44 54 D8 z.n:...)..`!.DT.
> 0020: BF 95 0C 4F 5E 8F 00 00 3A C0 23 C0 27 00 3C C0 ...O^...:.#.'.<.
> 0030: 25 C0 29 00 67 00 40 C0 09 C0 13 00 2F C0 04 C0 %.).g.@...../...
> 0040: 0E 00 33 00 32 C0 2B C0 2F 00 9C C0 2D C0 31 00 ..3.2.+./...-.1.
> 0050: 9E 00 A2 C0 08 C0 12 00 0A C0 03 C0 0D 00 16 00 ................
> 0060: 13 00 FF 01 00 00 5F 00 0A 00 16 00 14 00 17 00 ......_.........
> 0070: 18 00 19 00 09 00 0A 00 0B 00 0C 00 0D 00 0E 00 ................
> 0080: 16 00 0B 00 02 01 00 00 0D 00 16 00 14 06 03 06 ................
> 0090: 01 05 03 05 01 04 03 04 01 04 02 02 03 02 01 02 ................
> 00A0: 02 00 00 00 21 00 1F 00 00 1C 6A 73 6F 6E 70 6C ....!.....jsonpl
> 00B0: 61 63 65 68 6F 6C 64 65 72 2E 74 79 70 69 63 6F aceholder.typico
> 00C0: 64 65 2E 63 6F 6D de.com
> main, WRITE: TLSv1.2 Handshake, length = 198
> [Raw write]: length = 203
> 0000: 16 03 03 00 C6 01 00 00 C2 03 03 59 A7 87 68 DF ...........Y..h.
> 0010: 39 FA 7D 9A 7B 7A 1E 6E 3A A3 8E D7 29 E6 A4 60 9....z.n:...)..`
> 0020: 21 CE 44 54 D8 BF 95 0C 4F 5E 8F 00 00 3A C0 23 !.DT....O^...:.#
> 0030: C0 27 00 3C C0 25 C0 29 00 67 00 40 C0 09 C0 13 .'.<.%.).g.@....
> 0040: 00 2F C0 04 C0 0E 00 33 00 32 C0 2B C0 2F 00 9C ./.....3.2.+./..
> 0050: C0 2D C0 31 00 9E 00 A2 C0 08 C0 12 00 0A C0 03 .-.1............
> 0060: C0 0D 00 16 00 13 00 FF 01 00 00 5F 00 0A 00 16 ..........._....
> 0070: 00 14 00 17 00 18 00 19 00 09 00 0A 00 0B 00 0C ................
> 0080: 00 0D 00 0E 00 16 00 0B 00 02 01 00 00 0D 00 16 ................
> 0090: 00 14 06 03 06 01 05 03 05 01 04 03 04 01 04 02 ................
> 00A0: 02 03 02 01 02 02 00 00 00 21 00 1F 00 00 1C 6A .........!.....j
> 00B0: 73 6F 6E 70 6C 61 63 65 68 6F 6C 64 65 72 2E 74 sonplaceholder.t
> 00C0: 79 70 69 63 6F 64 65 2E 63 6F 6D ypicode.com
> [Raw read]: length = 5
> 0000: 16 03 03 00 5B ....[
> [Raw read]: length = 91
> 0000: 02 00 00 57 03 03 59 A7 87 68 0C 1A D3 15 C5 F5 ...W..Y..h......
> 0010: 11 F2 26 9B 0B 61 99 90 4F 45 F3 CA B0 54 90 B0 ..&..a..OE...T..
> 0020: 34 87 B6 1D 93 FA 20 24 C7 1D BA C2 8B C8 3C 33 4..... $......<3
> 0030: 4F 76 CB C5 DE C3 A4 FF F5 6A 6A D8 65 CD 46 81 Ov.......jj.e.F.
> 0040: 39 EC D7 3F 7F 84 D9 C0 2B 00 00 0F FF 01 00 01 9..?....+.......
> 0050: 00 00 00 00 00 00 0B 00 02 01 00 ...........
> main, READ: TLSv1.2 Handshake, length = 91
> *** ServerHello, TLSv1.2
> RandomCookie: GMT: 1487308648 bytes = { 12, 26, 211, 21, 197, 245, 17, 242, 38, 155, 11, 97, 153, 144, 79, 69, 243, 202, 176, 84, 144, 176, 52, 135, 182, 29, 147, 250 }
> Session ID: {36, 199, 29, 186, 194, 139, 200, 60, 51, 79, 118, 203, 197, 222, 195, 164, 255, 245, 106, 106, 216, 101, 205, 70, 129, 57, 236, 215, 63, 127, 132, 217}
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> Compression Method: 0
> Extension renegotiation_info, renegotiated_connection: <empty>
> Extension server_name, server_name:
> Extension ec_point_formats, formats: [uncompressed]
> ***
> %% Initialized: [Session-1, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
> ** TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> Why doesn't HttpCore include these extra bits?
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org