Posted to httpclient-users@hc.apache.org by Stefan Wachter <St...@gmx.de> on 2009/12/01 11:06:51 UTC
Re: implementation of a custom HttpRoutePlanner - how to choose the
HttpRoute attributes (secure, tunnel type, and layer type)?
Hi Oleg,
I am sorry for bothering you. I think I understand now. In order to have
an https connection to a target host via a proxy the proxy is accessed
by http marking the route as being secure, tunneled, and layered. Thank
you for making this clear to me.
This leaves me with the SSLPeerUnverifiedException. I switched on SSL
debugging by setting "-Djavax.net.debug=all". From the log it seems that
the problem is caused by the certificate that the proxy server uses. In
a former post you asked if the CONNECT succeeds. As far as I can
interpret the log it seems that the CONNECT fails. The target host I
want to reach (https://www.gmx.net) does not appear in the log at all.
I do not understand why the certificate of the proxy does matter. After
all the connection to the proxy should be done by http.
(BTW: If I use the proxy by a browser I can access the target host
https://www.gmx.net.)
Please give me some more insight!
Cheers,
--Stefan
PS: Here is the SSL log. I omitted the first lines where lots of trusted
certificates are added.
trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1259594434 bytes = { 144, 54, 189, 212, 62, 102,
138, 185, 38, 230, 7, 52, 13, 207, 145, 184, 13, 57, 218, 226, 136, 55,
186, 251, 156, 165, 39, 22 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
***
[write] MD5 and SHA1 hashes: len = 73
main, WRITE: TLSv1 Handshake, length = 73
[write] MD5 and SHA1 hashes: len = 98
main, WRITE: SSLv2 client hello message, length = 98
[Raw write]: length = 100
[Raw read]: length = 5
0000: 16 03 01 04 83 .....
[Raw read]: length = 1155
main, READ: TLSv1 Handshake, length = 1155
*** ServerHello, TLSv1
RandomCookie: GMT: 1259594434 bytes = { 243, 228, 216, 178, 72, 110,
81, 5, 35, 118, 47, 85, 92, 197, 82, 104, 131, 230, 164, 244, 93, 84,
37, 126, 11, 129, 67, 92 }
Session ID: {75, 20, 227, 194, 171, 44, 185, 113, 206, 127, 145, 113,
124, 52, 107, 84, 51, 242, 206, 114, 88, 108, 22, 120, 222, 167, 20,
174, 63, 213, 22, 169}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
[read] MD5 and SHA1 hashes: len = 74
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: EMAILADDRESS=owasp-webscarab@lists.sourceforge.net,
CN=WebScarab, OU=WebScarab, O=Open Web Application Security Project,
L=Johannesburg, ST=Gauteng, C=ZA
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus:
154623964938145369797219612839395417706134608433089443549809415871369366723673817041648156759869165956480706191296755342245066633311162904277499876116164772710364652941103434840470861083851860427495958630646686012271912459851197852364216947956958537100938424770176632556183958666972394630932757389391348203517
public exponent: 65537
Validity: [From: Thu Apr 01 14:45:59 CEST 2004,
To: Sun Mar 30 14:45:59 CEST 2014]
Issuer: EMAILADDRESS=owasp-webscarab@lists.sourceforge.net,
CN=WebScarab, OU=WebScarab, O=Open Web Application Security Project,
L=Johannesburg, ST=Gauteng, C=ZA
SerialNumber: [ 00]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C5 2E DC 77 1B 2D 4B A5 C9 F7 79 E9 26 38 5C D2 ...w.-K...y.&8\.
0010: 3B C5 46 88 ;.F.
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C5 2E DC 77 1B 2D 4B A5 C9 F7 79 E9 26 38 5C D2 ...w.-K...y.&8\.
0010: 3B C5 46 88 ;.F.
]
[EMAILADDRESS=owasp-webscarab@lists.sourceforge.net, CN=WebScarab,
OU=WebScarab, O=Open Web Application Security Project, L=Johannesburg,
ST=Gauteng, C=ZA]
SerialNumber: [ 00]
]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
]
Algorithm: [SHA1withRSA]
Signature:
]
***
main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 01 00 02 02 2E .......
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
main, IOException in getSession(): javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException:
peer not authenticated
at
com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
at
org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at
org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:399)
at
org.apache.http.impl.conn.DefaultClientConnectionOperator.updateSecureConnection(DefaultClientConnectionOperator.java:167)
at
org.apache.http.impl.conn.AbstractPoolEntry.layerProtocol(AbstractPoolEntry.java:275)
at
org.apache.http.impl.conn.AbstractPooledConnAdapter.layerProtocol(AbstractPooledConnAdapter.java:122)
at
org.apache.http.impl.client.DefaultRequestDirector.establishRoute(DefaultRequestDirector.java:668)
at
org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:385)
at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
at httpclienttest.Main.main(Main.java:57)
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
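The triage done by eye on the log in the post above, as an added example that is not part of the original thread: it pulls the presented certificate's Subject and Issuer and the TLS alert out of a `javax.net.debug` log and compares the leaf name with the host the route was tunnelled to. `triage`, `parse_chain`, `cn_matches` and the finding labels are names made up for this example, and the sample log is an excerpt constructed from the lines above.

```python
import re

# Constructed excerpt of the javax.net.debug=all log posted above
# (hex dumps, key material and extensions left out).
SAMPLE_LOG = """\
*** Certificate chain
chain [0] = [
[
Subject: EMAILADDRESS=owasp-webscarab@lists.sourceforge.net,
CN=WebScarab, OU=WebScarab, O=Open Web Application Security Project,
L=Johannesburg, ST=Gauteng, C=ZA
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Issuer: EMAILADDRESS=owasp-webscarab@lists.sourceforge.net,
CN=WebScarab, OU=WebScarab, O=Open Web Application Security Project,
L=Johannesburg, ST=Gauteng, C=ZA
SerialNumber: [ 00]
]
***
main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
main, handling exception: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
"""

# Subject/Issuer may wrap across lines (as in the mail), so match up to the
# field that follows each of them in the JSSE certificate dump.
CERT_RE = re.compile(
    r"chain \[(\d+)\] = \[.*?Subject:\s*(.*?)\s*Signature Algorithm:"
    r".*?Issuer:\s*(.*?)\s*SerialNumber:", re.S)
ALERT_RE = re.compile(r"(SEND|RECV) \S+ ALERT:\s*(\w+), description = (\w+)")

def parse_chain(log):
    """Return [{'index', 'subject', 'issuer'}] with whitespace normalised."""
    return [{"index": int(i), "subject": " ".join(s.split()),
             "issuer": " ".join(iss.split())}
            for i, s, iss in CERT_RE.findall(log)]

def cn_matches(cn, host):
    """CN-only name check (the excerpt carries no subjectAltName)."""
    if not cn:
        return False
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cn[2:]
    return cn == host

def triage(log, target_host):
    """Summarise why the handshake on the tunnelled route failed."""
    chain, alerts, findings = parse_chain(log), ALERT_RE.findall(log), []
    leaf_cn = None
    if chain:
        m = re.search(r"CN=([^,]+)", chain[0]["subject"])
        leaf_cn = m.group(1).strip() if m else None
        if not cn_matches(leaf_cn, target_host):
            findings.append("leaf-name-mismatch")
        if chain[0]["subject"] == chain[0]["issuer"]:
            findings.append("leaf-self-signed")
    if ("SEND", "fatal", "certificate_unknown") in alerts:
        findings.append("client-rejected-chain")
    if "PKIX path building failed" in log:
        findings.append("no-trust-path")
    # A certificate that is not for the target host, on a route that should be
    # an opaque tunnel, means some intermediary answered the handshake.
    return {"leaf_cn": leaf_cn, "findings": findings,
            "suspect_interception": "leaf-name-mismatch" in findings}
```

Calling `triage(SAMPLE_LOG, "www.gmx.net")` reports all four findings for this log: the certificate names WebScarab rather than the target host, is self-signed, and was rejected by the client for lack of a trust path.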
Re: implementation of a custom HttpRoutePlanner - how to choose the
HttpRoute attributes (secure, tunnel type, and layer type)?
Posted by Stefan Wachter <St...@gmx.de>.
Hi Oleg,
the https access via a proxy does work now! You were right, my proxy
intercepted the SSL traffic and used an untrusted certificate.
Many thanks for your patient help!
Cheers,
--Stefan
Am 01.12.2009 21:37, schrieb Oleg Kalnichevski:
> Stefan Wachter wrote:
>> Hi Oleg,
>>
>> I am sorry for bothering you. I think I understand now. In order to have
>> an https connection to a target host via a proxy the proxy is accessed
>> by http marking the route as being secure, tunneled, and layered. Thank
>> you for making this clear to me.
>>
>> This leaves me with the SSLPeerUnverifiedException. I switched on SSL
>> debugging by setting "-Djavax.net.debug=all". From the log it seems that
>> the problem is caused by the certificate that the proxy server uses. In
>> a former post you asked if the CONNECT succeeds. As far as I can
>> interpret the log it seems that the CONNECT fails.
>
> Post the log
>
>> The target host I
>> want to reach (https://www.gmx.net) does not appear in the log at all.
>>
>> I do not understand why the certificate of the proxy does matter. After
>> all the connection to the proxy should be done by http.
>>
>
> It is very likely that the proxy inserts itself as a man-in-the-middle
> by intercepting and rewriting SSL packets.
>
>
>> (BTW: If I use the proxy by a browser I can access the target host
>> https://www.gmx.net.)
>>
>> Please give me some more insight!
>>
>> Cheers,
>> --Stefan
>>
>> *** Certificate chain
>> chain [0] = [
>> [
>> Version: V3
>> Subject: EMAILADDRESS=owasp-webscarab@lists.sourceforge.net,
>> CN=WebScarab, OU=WebScarab, O=Open Web Application Security Project,
>> L=Johannesburg, ST=Gauteng, C=ZA
>> Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
>>
>
> Is this certificate trusted? I am pretty sure it is not trusted by JRE
> per default.
>
>
>> Key: Sun RSA public key, 1024 bits
>> modulus:
>> 154623964938145369797219612839395417706134608433089443549809415871369366723673817041648156759869165956480706191296755342245066633311162904277499876116164772710364652941103434840470861083851860427495958630646686012271912459851197852364216947956958537100938424770176632556183958666972394630932757389391348203517
>>
>> public exponent: 65537
>> Validity: [From: Thu Apr 01 14:45:59 CEST 2004,
>> To: Sun Mar 30 14:45:59 CEST 2014]
>> Issuer: EMAILADDRESS=owasp-webscarab@lists.sourceforge.net,
>> CN=WebScarab, OU=WebScarab, O=Open Web Application Security Project,
>> L=Johannesburg, ST=Gauteng, C=ZA
>> SerialNumber: [ 00]
>>
>> Certificate Extensions: 3
>> [1]: ObjectId: 2.5.29.14 Criticality=false
>> SubjectKeyIdentifier [
>> KeyIdentifier [
>> 0000: C5 2E DC 77 1B 2D 4B A5 C9 F7 79 E9 26 38 5C D2
>> ...w.-K...y.&8\.
>> 0010: 3B C5 46 88 ;.F.
>> ]
>> ]
>>
>> [2]: ObjectId: 2.5.29.35 Criticality=false
>> AuthorityKeyIdentifier [
>> KeyIdentifier [
>> 0000: C5 2E DC 77 1B 2D 4B A5 C9 F7 79 E9 26 38 5C D2
>> ...w.-K...y.&8\.
>> 0010: 3B C5 46 88 ;.F.
>> ]
>>
>> [EMAILADDRESS=owasp-webscarab@lists.sourceforge.net, CN=WebScarab,
>> OU=WebScarab, O=Open Web Application Security Project, L=Johannesburg,
>> ST=Gauteng, C=ZA]
>> SerialNumber: [ 00]
>> ]
>>
>
>
Re: implementation of a custom HttpRoutePlanner - how to choose the
HttpRoute attributes (secure, tunnel type, and layer type)?
Posted by Oleg Kalnichevski <ol...@apache.org>.
Stefan Wachter wrote:
> Hi Oleg,
>
> I am sorry for bothering you. I think I understand now. In order to have
> an https connection to a target host via a proxy the proxy is accessed
> by http marking the route as being secure, tunneled, and layered. Thank
> you for making this clear to me.
>
> This leaves me with the SSLPeerUnverifiedException. I switched on SSL
> debugging by setting "-Djavax.net.debug=all". From the log it seems that
> the problem is caused by the certificate that the proxy server uses. In
> a former post you asked if the CONNECT succeeds. As far as I can
> interpret the log it seems that the CONNECT fails.
Post the log
> The target host I
> want to reach (https://www.gmx.net) does not appear in the log at all.
>
> I do not understand why the certificate of the proxy does matter. After
> all the connection to the proxy should be done by http.
>
It is very likely that the proxy inserts itself as a man-in-the-middle
by intercepting and rewriting SSL packets.
> (BTW: If I use the proxy by a browser I can access the target host
> https://www.gmx.net.)
>
> Please give me some more insight!
>
> Cheers,
> --Stefan
>
> *** Certificate chain
> chain [0] = [
> [
> Version: V3
> Subject: EMAILADDRESS=owasp-webscarab@lists.sourceforge.net,
> CN=WebScarab, OU=WebScarab, O=Open Web Application Security Project,
> L=Johannesburg, ST=Gauteng, C=ZA
> Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
>
Is this certificate trusted? I am pretty sure it is not trusted by JRE
per default.
> Key: Sun RSA public key, 1024 bits
> modulus:
> 154623964938145369797219612839395417706134608433089443549809415871369366723673817041648156759869165956480706191296755342245066633311162904277499876116164772710364652941103434840470861083851860427495958630646686012271912459851197852364216947956958537100938424770176632556183958666972394630932757389391348203517
> public exponent: 65537
> Validity: [From: Thu Apr 01 14:45:59 CEST 2004,
> To: Sun Mar 30 14:45:59 CEST 2014]
> Issuer: EMAILADDRESS=owasp-webscarab@lists.sourceforge.net,
> CN=WebScarab, OU=WebScarab, O=Open Web Application Security Project,
> L=Johannesburg, ST=Gauteng, C=ZA
> SerialNumber: [ 00]
>
> Certificate Extensions: 3
> [1]: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: C5 2E DC 77 1B 2D 4B A5 C9 F7 79 E9 26 38 5C D2 ...w.-K...y.&8\.
> 0010: 3B C5 46 88 ;.F.
> ]
> ]
>
> [2]: ObjectId: 2.5.29.35 Criticality=false
> AuthorityKeyIdentifier [
> KeyIdentifier [
> 0000: C5 2E DC 77 1B 2D 4B A5 C9 F7 79 E9 26 38 5C D2 ...w.-K...y.&8\.
> 0010: 3B C5 46 88 ;.F.
> ]
>
> [EMAILADDRESS=owasp-webscarab@lists.sourceforge.net, CN=WebScarab,
> OU=WebScarab, O=Open Web Application Security Project, L=Johannesburg,
> ST=Gauteng, C=ZA]
> SerialNumber: [ 00]
> ]
>