[ https://issues.apache.org/jira/browse/HTTPCORE-487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16149045#comment-16149045 ]
ASF subversion and git services commented on HTTPCORE-487: ---------------------------------------------------------- Commit f12e09eb3cd3cc5dd45b2fcf4f3f81c03eb9d20b in httpcomponents-core's branch refs/heads/4.4.x from [~olegk] [ https://git-wip-us.apache.org/repos/asf?p=httpcomponents-core.git;h=f12e09e ] [HTTPCORE-487] org.apache.http.nio.reactor.ssl.SSLIOSession and SSLNHttpClientConnectionFactory do not always use the HTTP host setting. > org.apache.http.nio.reactor.ssl.SSLIOSession and > SSLNHttpClientConnectionFactory do not always use the HTTP host setting > ------------------------------------------------------------------------------------------------------------------------ > > Key: HTTPCORE-487 > URL: https://issues.apache.org/jira/browse/HTTPCORE-487 > Project: HttpComponents HttpCore > Issue Type: Bug > Components: HttpCore NIO > Affects Versions: 4.4.6 > Reporter: Gary Gregory > Priority: Blocker > Attachments: httpcomponents-core-4.4.x.patch > > > org.apache.http.nio.reactor.ssl.SSLIOSession does not always account for its > host setting. > Patch forthcoming. > This shows up in the example {{NHttpReverseProxy}} app. > From the dev ML where I wrote: > {noformat} > HttpCore NIO, NHttpReverseProxy and diagnosing an SSL handshake_failure > Inbox > x > Gary Gregory <garydgreg...@gmail.com> > 2:57 PM (7 hours ago) > to HttpComponents > Hi All: > To diagnose a problem I am seeing in my custom HC-NIO proxy, I run our > example NHttpReverseProxy with the command line arguments: > https://jsonplaceholder.typicode.com:443/ 33000 TrustSelfSignedStrategy > (with or without TrustSelfSignedStrategy) > Then I get a handshake_failure trying to access it: > $ curl http://localhost:33000/posts > % Total % Received % Xferd Average Speed Time Time Time > Current > Dload Upload Total Spent Left Speed > 100 39 100 39 0 0 39 0 0:00:01 --:--:-- 0:00:01 > 207Received fatal alert: handshake_failure > NHttpReverseProxy prints: > Using TrustSelfSignedStrategy (not for production) > Reverse proxy to https://jsonplaceholder.typicode.com:443 > [client->proxy] connection open 0:0:0:0:0:0:0:1:33000<->0:0:0:0:0:0:0:1:55252 > [client->proxy] 00000001 GET /posts HTTP/1.1 > [client->proxy] 00000001 request completed > [proxy->origin] connection open 192.168.0.92:55254<->104.31.87.157:443 > [proxy->origin] 00000001 GET /posts HTTP/1.1 > [proxy->origin] 00000001 request completed > [client<-proxy] 00000001 javax.net.ssl.SSLException: Received fatal alert: > handshake_failure > [proxy->origin] connection released 0.0.0.0:55254<->104.31.87.157:443 > [proxy->origin] [total kept alive: 0; total allocated: 0 of 100] > [proxy->origin] connection closed 0.0.0.0:55254<->104.31.87.157:443 > [client->proxy] connection closed 0.0.0.0:33000<->0:0:0:0:0:0:0:1:55252 > HttpClient works fine with: > public class HttpsClientSanityTest { > private void executeHttpsGetPosts(final CloseableHttpClient client) > throws IOException, ClientProtocolException { > try (final CloseableHttpResponse reponse = client.execute(new > HttpGet("https://jsonplaceholder.typicode.com/posts"))) { > final String string = EntityUtils.toString(reponse.getEntity()); > Assert.assertNotNull(string); > // System.out.println(string); > } > } > @Test > public void test_typicode_com() throws KeyManagementException, > NoSuchAlgorithmException, ClientProtocolException, IOException { > try (final CloseableHttpClient client = HttpClients.createDefault()) { > executeHttpsGetPosts(client); > } > } > } > curl works fine with 'curl https://jsonplaceholder.typicode.com/posts' and > returns a JSON document. > Any hints as to what is missing from NHttpReverseProxy? > Thank you, > Gary > Gary Gregory <garydgreg...@gmail.com> > 3:19 PM (7 hours ago) > to HttpComponents > I should add that I am running the latest Oracle Java 8 on Windows 10. > Gary Gregory <garydgreg...@gmail.com> > 10:17 PM (21 minutes ago) > to HttpComponents > If I set -Djavax.net.debug=all in the proxy I see: > RandomCookie: GMT: 1487308723 bytes = { 46, 102, 239, 247, 53, 87, 164, 146, > 197, 44, 72, 95, 153, 58, 9, 22, 138, 176, 137, 76, 196, 163, 34, 95, 220, > 87, 105, 237 } > Session ID: {} > Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, > TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, > TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, > TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, > TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, > TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, > TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, > TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, > SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, > TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, > SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] > Compression Methods: { 0 } > Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, > sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1} > Extension ec_point_formats, formats: [uncompressed] > Extension signature_algorithms, signature_algorithms: SHA512withECDSA, > SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, > SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA > *** > [write] MD5 and SHA1 hashes: len = 161 > 0000: 01 00 00 9D 03 03 59 A7 88 B3 2E 66 EF F7 35 57 ......Y....f..5W > 0010: A4 92 C5 2C 48 5F 99 3A 09 16 8A B0 89 4C C4 A3 ...,H_.:.....L.. > 0020: 22 5F DC 57 69 ED 00 00 3A C0 23 C0 27 00 3C C0 "_.Wi...:.#.'.<. > 0030: 25 C0 29 00 67 00 40 C0 09 C0 13 00 2F C0 04 C0 %.).g.@...../... > 0040: 0E 00 33 00 32 C0 2B C0 2F 00 9C C0 2D C0 31 00 ..3.2.+./...-.1. > 0050: 9E 00 A2 C0 08 C0 12 00 0A C0 03 C0 0D 00 16 00 ................ > 0060: 13 00 FF 01 00 00 3A 00 0A 00 16 00 14 00 17 00 ......:......... > 0070: 18 00 19 00 09 00 0A 00 0B 00 0C 00 0D 00 0E 00 ................ > 0080: 16 00 0B 00 02 01 00 00 0D 00 16 00 14 06 03 06 ................ > 0090: 01 05 03 05 01 04 03 04 01 04 02 02 03 02 01 02 ................ > 00A0: 02 . > I/O dispatcher 1, WRITE: TLSv1.2 Handshake, length = 161 > [Raw write]: length = 166 > 0000: 16 03 03 00 A1 01 00 00 9D 03 03 59 A7 88 B3 2E ...........Y.... > 0010: 66 EF F7 35 57 A4 92 C5 2C 48 5F 99 3A 09 16 8A f..5W...,H_.:... > 0020: B0 89 4C C4 A3 22 5F DC 57 69 ED 00 00 3A C0 23 ..L.."_.Wi...:.# > 0030: C0 27 00 3C C0 25 C0 29 00 67 00 40 C0 09 C0 13 .'.<.%.).g.@.... > 0040: 00 2F C0 04 C0 0E 00 33 00 32 C0 2B C0 2F 00 9C ./.....3.2.+./.. > 0050: C0 2D C0 31 00 9E 00 A2 C0 08 C0 12 00 0A C0 03 .-.1............ > 0060: C0 0D 00 16 00 13 00 FF 01 00 00 3A 00 0A 00 16 ...........:.... > 0070: 00 14 00 17 00 18 00 19 00 09 00 0A 00 0B 00 0C ................ > 0080: 00 0D 00 0E 00 16 00 0B 00 02 01 00 00 0D 00 16 ................ > 0090: 00 14 06 03 06 01 05 03 05 01 04 03 04 01 04 02 ................ > 00A0: 02 03 02 01 02 02 ...... > [Raw read]: length = 5 > 0000: 15 03 01 00 02 ..... > [Raw read]: length = 2 > 0000: 02 28 .( > I/O dispatcher 1, READ: TLSv1 Alert, length = 2 > I/O dispatcher 1, RECV TLSv1.2 ALERT: fatal, handshake_failure > I/O dispatcher 1, fatal: engine already closed. Rethrowing > javax.net.ssl.SSLException: Received fatal alert: handshake_failure > I/O dispatcher 1, fatal: engine already closed. Rethrowing > javax.net.ssl.SSLException: Received fatal alert: handshake_failure > [client<-proxy] 00000001 javax.net.ssl.SSLException: Received fatal alert: > handshake_failure > But, with the HttpClient, there is more data in the hex dumps which include > the origin server name and other bits: > %% No cached client session > *** ClientHello, TLSv1.2 > RandomCookie: GMT: 1487308648 bytes = { 223, 57, 250, 125, 154, 123, 122, > 30, 110, 58, 163, 142, 215, 41, 230, 164, 96, 33, 206, 68, 84, 216, 191, 149, > 12, 79, 94, 143 } > Session ID: {} > Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, > TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, > TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, > TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, > TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, > TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, > TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, > TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, > SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, > TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, > SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] > Compression Methods: { 0 } > Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, > sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1} > Extension ec_point_formats, formats: [uncompressed] > Extension signature_algorithms, signature_algorithms: SHA512withECDSA, > SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, > SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA > Extension server_name, server_name: [type=host_name (0), > value=jsonplaceholder.typicode.com] > *** > [write] MD5 and SHA1 hashes: len = 198 > 0000: 01 00 00 C2 03 03 59 A7 87 68 DF 39 FA 7D 9A 7B ......Y..h.9.... > 0010: 7A 1E 6E 3A A3 8E D7 29 E6 A4 60 21 CE 44 54 D8 z.n:...)..`!.DT. > 0020: BF 95 0C 4F 5E 8F 00 00 3A C0 23 C0 27 00 3C C0 ...O^...:.#.'.<. > 0030: 25 C0 29 00 67 00 40 C0 09 C0 13 00 2F C0 04 C0 %.).g.@...../... > 0040: 0E 00 33 00 32 C0 2B C0 2F 00 9C C0 2D C0 31 00 ..3.2.+./...-.1. > 0050: 9E 00 A2 C0 08 C0 12 00 0A C0 03 C0 0D 00 16 00 ................ > 0060: 13 00 FF 01 00 00 5F 00 0A 00 16 00 14 00 17 00 ......_......... > 0070: 18 00 19 00 09 00 0A 00 0B 00 0C 00 0D 00 0E 00 ................ > 0080: 16 00 0B 00 02 01 00 00 0D 00 16 00 14 06 03 06 ................ > 0090: 01 05 03 05 01 04 03 04 01 04 02 02 03 02 01 02 ................ > 00A0: 02 00 00 00 21 00 1F 00 00 1C 6A 73 6F 6E 70 6C ....!.....jsonpl > 00B0: 61 63 65 68 6F 6C 64 65 72 2E 74 79 70 69 63 6F aceholder.typico > 00C0: 64 65 2E 63 6F 6D de.com > main, WRITE: TLSv1.2 Handshake, length = 198 > [Raw write]: length = 203 > 0000: 16 03 03 00 C6 01 00 00 C2 03 03 59 A7 87 68 DF ...........Y..h. > 0010: 39 FA 7D 9A 7B 7A 1E 6E 3A A3 8E D7 29 E6 A4 60 9....z.n:...)..` > 0020: 21 CE 44 54 D8 BF 95 0C 4F 5E 8F 00 00 3A C0 23 !.DT....O^...:.# > 0030: C0 27 00 3C C0 25 C0 29 00 67 00 40 C0 09 C0 13 .'.<.%.).g.@.... > 0040: 00 2F C0 04 C0 0E 00 33 00 32 C0 2B C0 2F 00 9C ./.....3.2.+./.. > 0050: C0 2D C0 31 00 9E 00 A2 C0 08 C0 12 00 0A C0 03 .-.1............ > 0060: C0 0D 00 16 00 13 00 FF 01 00 00 5F 00 0A 00 16 ..........._.... > 0070: 00 14 00 17 00 18 00 19 00 09 00 0A 00 0B 00 0C ................ > 0080: 00 0D 00 0E 00 16 00 0B 00 02 01 00 00 0D 00 16 ................ > 0090: 00 14 06 03 06 01 05 03 05 01 04 03 04 01 04 02 ................ > 00A0: 02 03 02 01 02 02 00 00 00 21 00 1F 00 00 1C 6A .........!.....j > 00B0: 73 6F 6E 70 6C 61 63 65 68 6F 6C 64 65 72 2E 74 sonplaceholder.t > 00C0: 79 70 69 63 6F 64 65 2E 63 6F 6D ypicode.com > [Raw read]: length = 5 > 0000: 16 03 03 00 5B ....[ > [Raw read]: length = 91 > 0000: 02 00 00 57 03 03 59 A7 87 68 0C 1A D3 15 C5 F5 ...W..Y..h...... > 0010: 11 F2 26 9B 0B 61 99 90 4F 45 F3 CA B0 54 90 B0 ..&..a..OE...T.. > 0020: 34 87 B6 1D 93 FA 20 24 C7 1D BA C2 8B C8 3C 33 4..... $......<3 > 0030: 4F 76 CB C5 DE C3 A4 FF F5 6A 6A D8 65 CD 46 81 Ov.......jj.e.F. > 0040: 39 EC D7 3F 7F 84 D9 C0 2B 00 00 0F FF 01 00 01 9..?....+....... > 0050: 00 00 00 00 00 00 0B 00 02 01 00 ........... > main, READ: TLSv1.2 Handshake, length = 91 > *** ServerHello, TLSv1.2 > RandomCookie: GMT: 1487308648 bytes = { 12, 26, 211, 21, 197, 245, 17, 242, > 38, 155, 11, 97, 153, 144, 79, 69, 243, 202, 176, 84, 144, 176, 52, 135, 182, > 29, 147, 250 } > Session ID: {36, 199, 29, 186, 194, 139, 200, 60, 51, 79, 118, 203, 197, > 222, 195, 164, 255, 245, 106, 106, 216, 101, 205, 70, 129, 57, 236, 215, 63, > 127, 132, 217} > Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 > Compression Method: 0 > Extension renegotiation_info, renegotiated_connection: <empty> > Extension server_name, server_name: > Extension ec_point_formats, formats: [uncompressed] > *** > %% Initialized: [Session-1, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] > ** TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 > Why doesn't HttpCore include these extra bits? > {noformat} -- This message was sent by Atlassian JIRA (v6.4.14#64029) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org For additional commands, e-mail: dev-h...@hc.apache.org