Posted to httpclient-users@hc.apache.org by Michael Schaefer <as...@spamblock.netzgehirn.de> on 2005/11/03 13:59:09 UTC

ProxyCredentials disclosed to remote host

 Hi,

I'm using httpclient (svn-trunk of today) to connect to a remote SSL-Host
via a proxy. The proxy requires authorization (basic) and I want to use
preemptive authorization.

Since Bug 37197 is fixed the preemptive authorization works, but my traces
show that the proxy credentials are also transmitted to the remote host
through the CONNECT-tunnel, thus disclosing sensitive information to the
remote host.

My code looks like this:

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpMethod;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthScope;
import org.apache.commons.httpclient.methods.GetMethod;

HttpClient client = new HttpClient();
HttpMethod method = new GetMethod("https://test");

// Route through the local proxy and scope the credentials to that proxy only
client.getHostConfiguration().setProxy("127.0.0.1", 3128);
client.getState().setProxyCredentials(
                new AuthScope("127.0.0.1", 3128),
                new UsernamePasswordCredentials("proxy", "test"));
// Send the credentials up front instead of waiting for a 407 challenge
client.getState().setAuthenticationPreemptive(true);
client.executeMethod(method); // throws HttpException, IOException

The trace:

2005/11/03 13:53:13:244 CET [DEBUG] HttpMethodDirector - Preemptively
sending default basic credentials
2005/11/03 13:53:13:261 CET [DEBUG] HttpMethodDirector - Authenticating
with BASIC <any realm>@127.0.0.1:3128
2005/11/03 13:53:13:262 CET [DEBUG] HttpMethodParams - Credential charset
not configured, using HTTP element charset
2005/11/03 13:53:13:266 CET [DEBUG] HttpMethodDirector - Authenticating
with BASIC <any realm>@test:443
2005/11/03 13:53:13:267 CET [WARN] HttpMethodDirector - Required
credentials not available for BASIC <any realm>@test:443
2005/11/03 13:53:13:267 CET [WARN] HttpMethodDirector - Preemptive
authentication requested but no default credentials available
2005/11/03 13:53:13:268 CET [DEBUG] HttpConnection - Open connection to
127.0.0.1:3128
2005/11/03 13:53:13:279 CET [DEBUG] HttpMethodDirector - Preemptively
sending default basic credentials
2005/11/03 13:53:13:280 CET [DEBUG] HttpMethodDirector - Authenticating
with BASIC <any realm>@127.0.0.1:3128
2005/11/03 13:53:13:280 CET [DEBUG] HttpMethodParams - Credential charset
not configured, using HTTP element charset
2005/11/03 13:53:13:283 CET [DEBUG] header - >> "CONNECT test:443 HTTP/1.1"
2005/11/03 13:53:13:284 CET [DEBUG] HttpMethodBase - Adding Host request
header
2005/11/03 13:53:13:284 CET [DEBUG] header - >> "Proxy-Authorization:
Basic cHJveHk6dGVzdA==[\r][\n]"
2005/11/03 13:53:13:285 CET [DEBUG] header - >> "User-Agent: Jakarta
Commons-HttpClient/3.0-rc4[\r][\n]"
2005/11/03 13:53:13:285 CET [DEBUG] header - >> "Host: test[\r][\n]"
2005/11/03 13:53:13:286 CET [DEBUG] header - >> "Proxy-Connection:
Keep-Alive[\r][\n]"
2005/11/03 13:53:13:286 CET [DEBUG] header - >> "[\r][\n]"
2005/11/03 13:53:13:311 CET [DEBUG] header - << "HTTP/1.0 200
Connection established[\r][\n]"
2005/11/03 13:53:13:326 CET [DEBUG] ConnectMethod - CONNECT status code 200
2005/11/03 13:53:13:327 CET [DEBUG] HttpConnection - Secure tunnel to
test:443
2005/11/03 13:53:13:418 CET [DEBUG] header - >> "GET / HTTP/1.1[\r][\n]"
2005/11/03 13:53:13:420 CET [DEBUG] HttpMethodBase - Adding Host request
header
2005/11/03 13:53:13:423 CET [DEBUG] header - >> "Proxy-Authorization:
Basic cHJveHk6dGVzdA==[\r][\n]"
2005/11/03 13:53:13:424 CET [DEBUG] header - >> "User-Agent: Jakarta
Commons-HttpClient/3.0-rc4[\r][\n]"
2005/11/03 13:53:13:425 CET [DEBUG] header - >> "Host: test[\r][\n]"
2005/11/03 13:53:13:425 CET [DEBUG] header - >> "[\r][\n]"
2005/11/03 13:53:14:391 CET [DEBUG] header - << "HTTP/1.1 200 OK[\r][\n]"

As you can see the proxy credentials are also transmitted through the
SSL-tunnel to the remote host which is a security risk.

Is this a bug in httpclient or am I using it incorrectly?
How can I prevent the transmission of the credentials to the remote host?

best wishes,
Michael


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
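A defender-side check for the leak shown in the trace above, added here as an example and not part of the original post or of HttpClient: it parses HttpClient 3.x log records (assumed one record per line, unlike the mail-wrapped trace above) and reports any Proxy-Authorization header written after the "Secure tunnel to" record, i.e. on the tunnelled leg to the origin server rather than to the proxy. The sample trace is constructed from the shape of the trace in the mail, with the Basic token replaced.

```python
import re

# One HttpClient 3.x log record: "<date> <time> <tz> [LEVEL] <logger> - <message>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+ \S+ \S+) \[(?P<level>\w+)\] (?P<logger>\S+) - (?P<msg>.*)$'
)
# Outbound wire header as written by the "header" logger: >> "Name: value[\r][\n]"
OUT_HEADER = re.compile(r'^>> "(?P<name>[A-Za-z0-9-]+):(?P<value>.*)"$')
TUNNEL_OPEN = re.compile(r'^Secure tunnel to (?P<target>\S+)$')

# Headers addressed to the proxy; none of them may appear on the tunnelled leg.
PROXY_ONLY_HEADERS = {"proxy-authorization"}


def find_tunnel_leaks(trace):
    """Return (line_no, header_name, tunnel_target) for every proxy-only
    header written after HttpConnection reported the CONNECT tunnel open."""
    leaks = []
    tunnel_target = None  # None: still on the proxy leg (CONNECT not yet done)
    for line_no, raw in enumerate(trace.splitlines(), start=1):
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        logger, msg = m.group("logger"), m.group("msg")
        if logger == "HttpConnection":
            t = TUNNEL_OPEN.match(msg)
            if t:
                tunnel_target = t.group("target")
            elif msg.startswith("Open connection to"):
                tunnel_target = None  # fresh connection: proxy leg again
        elif logger == "header" and tunnel_target is not None:
            h = OUT_HEADER.match(msg)
            if h and h.group("name").lower() in PROXY_ONLY_HEADERS:
                leaks.append((line_no, h.group("name"), tunnel_target))
    return leaks


# Constructed sample: one record per line, Basic token replaced by REDACTED.
SAMPLE_TRACE = r"""2005/11/03 13:53:13:268 CET [DEBUG] HttpConnection - Open connection to 127.0.0.1:3128
2005/11/03 13:53:13:283 CET [DEBUG] header - >> "CONNECT test:443 HTTP/1.1"
2005/11/03 13:53:13:284 CET [DEBUG] header - >> "Proxy-Authorization: Basic REDACTED[\r][\n]"
2005/11/03 13:53:13:285 CET [DEBUG] header - >> "Host: test[\r][\n]"
2005/11/03 13:53:13:311 CET [DEBUG] header - << "HTTP/1.0 200 Connection established[\r][\n]"
2005/11/03 13:53:13:327 CET [DEBUG] HttpConnection - Secure tunnel to test:443
2005/11/03 13:53:13:418 CET [DEBUG] header - >> "GET / HTTP/1.1[\r][\n]"
2005/11/03 13:53:13:423 CET [DEBUG] header - >> "Proxy-Authorization: Basic REDACTED[\r][\n]"
2005/11/03 13:53:13:425 CET [DEBUG] header - >> "Host: test[\r][\n]"
2005/11/03 13:53:14:391 CET [DEBUG] header - << "HTTP/1.1 200 OK[\r][\n]"
"""
```

Running find_tunnel_leaks(SAMPLE_TRACE) flags only the second Proxy-Authorization record (line 8, sent to test:443); the first one, addressed to the proxy during CONNECT, is expected and not reported.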


Re: ProxyCredentials disclosed to remote host

Posted by Michael Schaefer <as...@spamblock.netzgehirn.de>.
On Thursday 03 November 2005 21:21, Oleg Kalnichevski wrote:

> Folks,
Hi,

> I overreacted. This bug is NOT a release blocker and will not delay the
> final release of HttpClient 3.0.
>
> The bug does not affect any of the official releases of HttpClient. It
> only affects a few nightly builds and ONLY when the preemptive
> authentication is used, which is a really bad idea from the security
> standpoint.

Is there another way than preemptive authentication to work around the problem
with Squid 2.4 mentioned in Bug 37197 [1]?

The Squid 2.4 problem was the reason why I had to enable preemptive
authentication.

[1] http://issues.apache.org/bugzilla/show_bug.cgi?id=37197

best wishes,
Michael 



Re: ProxyCredentials disclosed to remote host

Posted by Oleg Kalnichevski <ol...@apache.org>.
Folks,

I overreacted. This bug is NOT a release blocker and will not delay the
final release of HttpClient 3.0. 

The bug does not affect any of the official releases of HttpClient. It
only affects a few nightly builds and ONLY when the preemptive
authentication is used, which is a really bad idea from the security
standpoint.

For details see:
http://issues.apache.org/bugzilla/show_bug.cgi?id=37345

Oleg


On Thu, 2005-11-03 at 14:24 +0100, Michael Schaefer wrote:
> > On Thu, Nov 03, 2005 at 01:59:09PM +0100, Michael Schaefer wrote:
> 
> >>  Hi,
> 
> [...]
> >> show that the proxy credentials are also transmitted to the remote host
> >> through the CONNECT-tunnel, thus disclosing sensitive information to the
> >> remote host.
> 
> > Michael,
> > Please file a bug report. This is a critical bug and a release blocker
> 
> Filed as Bug 37345.
> http://issues.apache.org/bugzilla/show_bug.cgi?id=37345
> 
> best wishes,
> Michael
> 




Re: ProxyCredentials disclosed to remote host

Posted by Michael Schaefer <as...@spamblock.netzgehirn.de>.
> On Thu, Nov 03, 2005 at 01:59:09PM +0100, Michael Schaefer wrote:

>>  Hi,

[...]
>> show that the proxy credentials are also transmitted to the remote host
>> through the CONNECT-tunnel, thus disclosing sensitive information to the
>> remote host.

> Michael,
> Please file a bug report. This is a critical bug and a release blocker

Filed as Bug 37345.
http://issues.apache.org/bugzilla/show_bug.cgi?id=37345

best wishes,
Michael




Re: ProxyCredentials disclosed to remote host

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Thu, Nov 03, 2005 at 01:59:09PM +0100, Michael Schaefer wrote:
> 
>  Hi,
> 
> I'm using httpclient (svn-trunk of today) to connect to a remote SSL-Host
> via a proxy. The proxy requires authorization (basic) and I want to use
> preemptive authorization.
> 
> Since Bug 37197 is fixed the preemptive authorization works, but my traces
> show that the proxy credentials are also transmitted to the remote host
> through the CONNECT-tunnel, thus disclosing sensitive information to the
> remote host.
> 
> My code looks like this:
> 
> HttpClient client = new HttpClient();
> HttpMethod method = new GetMethod("https://test");
> 
> client.getHostConfiguration().setProxy("127.0.0.1",3128);
> client.getState().setProxyCredentials(
>                 new AuthScope("127.0.0.1", 3128),
>                 new UsernamePasswordCredentials("proxy", "test"));
> client.getState().setAuthenticationPreemptive(true);
> client.executeMethod(method);
> 
> The trace:
> 
> 2005/11/03 13:53:13:244 CET [DEBUG] HttpMethodDirector - Preemptively
> sending default basic credentials
> 2005/11/03 13:53:13:261 CET [DEBUG] HttpMethodDirector - Authenticating
> with BASIC <any realm>@127.0.0.1:3128
> 2005/11/03 13:53:13:262 CET [DEBUG] HttpMethodParams - Credential charset
> not configured, using HTTP element charset
> 2005/11/03 13:53:13:266 CET [DEBUG] HttpMethodDirector - Authenticating
> with BASIC <any realm>@test:443
> 2005/11/03 13:53:13:267 CET [WARN] HttpMethodDirector - Required
> credentials not available for BASIC <any realm>@test:443
> 2005/11/03 13:53:13:267 CET [WARN] HttpMethodDirector - Preemptive
> authentication requested but no default credentials available
> 2005/11/03 13:53:13:268 CET [DEBUG] HttpConnection - Open connection to
> 127.0.0.1:3128
> 2005/11/03 13:53:13:279 CET [DEBUG] HttpMethodDirector - Preemptively
> sending default basic credentials
> 2005/11/03 13:53:13:280 CET [DEBUG] HttpMethodDirector - Authenticating
> with BASIC <any realm>@127.0.0.1:3128
> 2005/11/03 13:53:13:280 CET [DEBUG] HttpMethodParams - Credential charset
> not configured, using HTTP element charset
> 2005/11/03 13:53:13:283 CET [DEBUG] header - >> "CONNECT test:443 HTTP/1.1"
> 2005/11/03 13:53:13:284 CET [DEBUG] HttpMethodBase - Adding Host request
> header
> 2005/11/03 13:53:13:284 CET [DEBUG] header - >> "Proxy-Authorization:
> Basic cHJveHk6dGVzdA==[\r][\n]"
> 2005/11/03 13:53:13:285 CET [DEBUG] header - >> "User-Agent: Jakarta
> Commons-HttpClient/3.0-rc4[\r][\n]"
> 2005/11/03 13:53:13:285 CET [DEBUG] header - >> "Host: test[\r][\n]"
> 2005/11/03 13:53:13:286 CET [DEBUG] header - >> "Proxy-Connection:
> Keep-Alive[\r][\n]"
> 2005/11/03 13:53:13:286 CET [DEBUG] header - >> "[\r][\n]"
> 2005/11/03 13:53:13:311 CET [DEBUG] header - << "HTTP/1.0 200
> Connection established[\r][\n]"
> 2005/11/03 13:53:13:326 CET [DEBUG] ConnectMethod - CONNECT status code 200
> 2005/11/03 13:53:13:327 CET [DEBUG] HttpConnection - Secure tunnel to
> test:443
> 2005/11/03 13:53:13:418 CET [DEBUG] header - >> "GET / HTTP/1.1[\r][\n]"
> 2005/11/03 13:53:13:420 CET [DEBUG] HttpMethodBase - Adding Host request
> header
> 2005/11/03 13:53:13:423 CET [DEBUG] header - >> "Proxy-Authorization:
> Basic cHJveHk6dGVzdA==[\r][\n]"
> 2005/11/03 13:53:13:424 CET [DEBUG] header - >> "User-Agent: Jakarta
> Commons-HttpClient/3.0-rc4[\r][\n]"
> 2005/11/03 13:53:13:425 CET [DEBUG] header - >> "Host: test[\r][\n]"
> 2005/11/03 13:53:13:425 CET [DEBUG] header - >> "[\r][\n]"
> 2005/11/03 13:53:14:391 CET [DEBUG] header - << "HTTP/1.1 200 OK[\r][\n]"
> 
> As you can see the proxy credentials are also transmitted through the
> SSL-tunnel to the remote host which is a security risk.
> 
> Is this a bug in httpclient or am I using it incorrectly?
> How can I prevent the transmission of the credentials to the remote host?
> 
> best wishes,
> Michael
> 

Michael,
Please file a bug report. This is a critical bug and a release blocker

Oleg


