[jira] [Created] (HTTPCLIENT-2164) HttpResponseInterceptor connection is null when response body is empty

Tue, 22 Jun 2021 09:02:04 -0700 

Jared S created HTTPCLIENT-2164:
-----------------------------------

             Summary: HttpResponseInterceptor connection is null when response 
body is empty
                 Key: HTTPCLIENT-2164
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2164
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpClient (classic)
    Affects Versions: 4.5.13
         Environment: MacOS/Linux
            Reporter: Jared S


I am trying to use an HttpResponseInterceptor to view server certificates 
returned during the TLS handshake. The following code snippet works fine - 
unless the server response has an empty body. Then, it fails with a 
ConnectionShutdownException. This feels like a bug - an empty response body 
(i.e. a 204) is valid, so I don't see why it should behave so differently from 
a 200 with content.

 
{code:java}
public class Run {
    public static void main(String[] args) throws URISyntaxException, 
IOException {
        HttpClientBuilder httpClientBuilder = HttpClients.custom();
        httpClientBuilder.addInterceptorLast((HttpResponseInterceptor) 
(response, context) -> {
            ManagedHttpClientConnection connection =
                    (ManagedHttpClientConnection) 
context.getAttribute(HttpCoreContext.HTTP_CONNECTION);
            System.out.println("Response: " + response);
            System.out.println("Connection: " + connection);
            SSLSession sslSession = connection.getSSLSession();
            if (sslSession != null) {
                context.setAttribute("certificateChain", 
sslSession.getPeerCertificates());
            }
        });
        CloseableHttpClient httpClient = httpClientBuilder.build();
        final HttpContext context = new BasicHttpContext();
        final HttpPut put = new HttpPut();
        put.setURI(new 
URI("https://<redacted>.execute-api.us-east-1.amazonaws.com/Prod"));
        httpClient.execute(put, context);
        System.out.println((Certificate[]) 
context.getAttribute("certificateChain"));
    }
}
{code}
I used AWS API Gateway to set up a minimal server. When the backend is set to

 
{code:java}
def lambda_handler(event, context):
    # TODO implement
    return {
        'statusCode': 200,
        'body': "hello world",
        'isBase64Encoded': False
    }
{code}
then the client works fine: 
{code:java}
Response: HttpResponseProxy{HTTP/1.1 502 Bad Gateway [Date: Tue, 22 Jun 2021 
15:46:54 GMT, Content-Type: application/json, Content-Length: 36, Connection: 
keep-alive, x-amzn-RequestId: 70c74c10-453f-4d34-8bd9-27d7974a46b1, 
x-amzn-ErrorType: InternalServerErrorException, x-amz-apigw-id: 
BVXdQGbVoAMFrIw=] ResponseEntityProxy{[Content-Type: 
application/json,Content-Length: 36,Chunked: false]}}
Connection: CPoolProxy{10.95.216.212:51100<->54.197.25.122:443}
CN=*.execute-api.us-east-1.amazonaws.com
CN=Amazon, OU=Server CA 1B, O=Amazon, C=US
CN=Amazon Root CA 1, O=Amazon, C=US
CN=Starfield Services Root Certificate Authority - G2, O="Starfield 
Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
{code}
However, if I set the backend to instead be:
{code:java}
def lambda_handler(event, context):
    # TODO implement
    return {
        'statusCode': 204,
        'body': None,
        'isBase64Encoded': False
    }
{code}
 

then it fails with
{code:java}
Exception in thread "main" org.apache.http.impl.conn.ConnectionShutdownException
        at 
org.apache.http.impl.conn.CPoolProxy.getValidConnection(CPoolProxy.java:77)
        at 
org.apache.http.impl.conn.CPoolProxy.getSSLSession(CPoolProxy.java:137)
        at com.amazonaws.<redacted>.client.Run.lambda$main$0(Run.java:33)
        at 
org.apache.http.protocol.ImmutableHttpProcessor.process(ImmutableHttpProcessor.java:142)
        at 
org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:191)
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
        at 
org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
        at 
org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
        at 
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
        at com.amazonaws.<redacted>.client.Run.main(Run.java:42)
{code}
The same happens if I return a 200 (as opposed to a 204) with an empty body.

Note CPoolProxy\{detached} when it fails versus 
CPoolProxy\{10.95.216.212:65140<->54.197.189.189:443} when it works. 

I don't know of any other way to get the certificates, so I'm marking this as a 
major loss in functionality.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to