Re: ProxyCredentials disclosed to remote host

Thu, 03 Nov 2005 05:10:48 -0800 

On Thu, Nov 03, 2005 at 01:59:09PM +0100, Michael Schaefer wrote:
> 
>  Hi,
> 
> I'm using httpclient (svn-trunk of today) to connect to a remote SSL-Host
> via a proxy. The proxy requires authorization (basic) and I want to use
> preemptive authorization.
> 
> Since Bug 37197 is fixed the preemptive authorization works, but my traces
> show that the proxy credentials are also transmitted to the remote host
> through the CONNECT-tunnel, thus disclosing sensitive information to the
> remote host.
> 
> My code looks like this:
> 
> HttpClient client = new HttpClient();
> HttpMethod method = new GetMethod("https://test";);
> 
> client.getHostConfiguration().setProxy("127.0.0.1",3128);
> client.getState().setProxyCredentials(
>                 new AuthScope("127.0.0.1", 3128),
>                 new UsernamePasswordCredentials("proxy", "test"));
> client.getState().setAuthenticationPreemptive(true);
> client.executeMethod(method);
> 
> The trace:
> 
> 2005/11/03 13:53:13:244 CET [DEBUG] HttpMethodDirector - Preemptively
> sending default basic credentials
> 2005/11/03 13:53:13:261 CET [DEBUG] HttpMethodDirector - Authenticating
> with BASIC <any realm>@127.0.0.1:3128
> 2005/11/03 13:53:13:262 CET [DEBUG] HttpMethodParams - Credential charset
> not configured, using HTTP element charset
> 2005/11/03 13:53:13:266 CET [DEBUG] HttpMethodDirector - Authenticating
> with BASIC <any realm>@test:443
> 2005/11/03 13:53:13:267 CET [WARN] HttpMethodDirector - Required
> credentials not available for BASIC <any realm>@test:443
> 2005/11/03 13:53:13:267 CET [WARN] HttpMethodDirector - Preemptive
> authentication requested but no default credentials available
> 2005/11/03 13:53:13:268 CET [DEBUG] HttpConnection - Open connection to
> 127.0.0.1:3128
> 2005/11/03 13:53:13:279 CET [DEBUG] HttpMethodDirector - Preemptively
> sending default basic credentials
> 2005/11/03 13:53:13:280 CET [DEBUG] HttpMethodDirector - Authenticating
> with BASIC <any realm>@127.0.0.1:3128
> 2005/11/03 13:53:13:280 CET [DEBUG] HttpMethodParams - Credential charset
> not configured, using HTTP element charset
> 2005/11/03 13:53:13:283 CET [DEBUG] header - >> "CONNECT test:443 HTTP/1.1"
> 2005/11/03 13:53:13:284 CET [DEBUG] HttpMethodBase - Adding Host request
> header
> 2005/11/03 13:53:13:284 CET [DEBUG] header - >> "Proxy-Authorization:
> Basic cHJveHk6dGVzdA==[\r][\n]"
> 2005/11/03 13:53:13:285 CET [DEBUG] header - >> "User-Agent: Jakarta
> Commons-HttpClient/3.0-rc4[\r][\n]"
> 2005/11/03 13:53:13:285 CET [DEBUG] header - >> "Host: test[\r][\n]"      
>                                                                           
>    2005/11/03 13:53:13:286 CET [DEBUG] header - >> "Proxy-Connection:
> Keep-Alive[\r][\n]"
> 2005/11/03 13:53:13:286 CET [DEBUG] header - >> "[\r][\n]"                
>                                                                           
>              2005/11/03 13:53:13:311 CET [DEBUG] header - << "HTTP/1.0 200
> Connection established[\r][\n]"                                           
>                           2005/11/03 13:53:13:326 CET [DEBUG]
> ConnectMethod - CONNECT status code 200
> 2005/11/03 13:53:13:327 CET [DEBUG] HttpConnection - Secure tunnel to
> test:443
> 2005/11/03 13:53:13:418 CET [DEBUG] header - >> "GET / HTTP/1.1[\r][\n]"
> 2005/11/03 13:53:13:420 CET [DEBUG] HttpMethodBase - Adding Host request
> header
> 2005/11/03 13:53:13:423 CET [DEBUG] header - >> "Proxy-Authorization:
> Basic cHJveHk6dGVzdA==[\r][\n]"
> 2005/11/03 13:53:13:424 CET [DEBUG] header - >> "User-Agent: Jakarta
> Commons-HttpClient/3.0-rc4[\r][\n]"
> 2005/11/03 13:53:13:425 CET [DEBUG] header - >> "Host: test[\r][\n]"
> 2005/11/03 13:53:13:425 CET [DEBUG] header - >> "[\r][\n]"
> 2005/11/03 13:53:14:391 CET [DEBUG] header - << "HTTP/1.1 200 OK[\r][\n]"
> 
> As you can see the proxy credentials are also transmitted through the
> SSL-tunnel to the remote host which is a security risk.
> 
> Is this a bug in httpclient or am I using it incorrectly?
> How can I prevent the transmission of the credentials to the remote host?
> 
> best wishes,
> Michael
> 

Michael,
Please file a bug report. This is a critical bug and a release blocker

Oleg


> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to