You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by bu...@apache.org on 2003/05/21 03:46:41 UTC

DO NOT REPLY [Bug 20089] New: - Authentication fails with proxied SSL Connections

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=20089>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=20089

Authentication fails with proxied SSL Connections

           Summary: Authentication fails with proxied SSL Connections
           Product: Commons
           Version: Nightly Builds
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: HttpClient
        AssignedTo: commons-httpclient-dev@jakarta.apache.org
        ReportedBy: adrian@ephox.com


When connecting through a proxy, using SSL and authentication HttpClient winds 
up sending a GET request to the proxy after the initial auth required response, 
the proxy then obviously responds with a not implemented response since it 
can't handle a GET request to an SSL URL.  In essence the following is 
happening:

1. HttpClient sends Connect response.
2. Proxy responds 200 Connect OK
3. HttpClient uses SSL connection to send the request to the web server.
4. Web server responds with not authorized and closes the connection.
5. HttpClient opens a new connection to the proxy and issues a GET request for 
the SSL URL.
6. Proxy returns 501 not implemented.

I'll attach a full log to this bug.

This is likely to be hard to fix since the retry is performed in HttpMethodBase 
but the Connect method is executed by HttpClient so a fix for this may be best 
waiting for 2.1.  This looks very similar to bug 19226 except that that bug is 
marked as fixed and this one still doesn't work, this also applies to 
authentication schemes other than NTLM (testing NTLM and basic).

My best evaluation is that the web server returns Connection: close when it 
rejects the authorization attempt and then HttpMethodBase is incapable of 
creating a new SSL connection through the proxy.  The only thing I can think of 
that could be done prior to 2.1 to fix this is to send a Connection: keep-alive 
as well as the Proxy-Connection: Keep-Alive we're already sending with the 
original request.