Stefan Wachter wrote:
Hi Oleg,
I still struggle with the implementation of my HttpRoutePlanner.
I try to establish an HTTPS connection to a target host via a proxy. You
said that "usually the tunnel to the proxy is established using plain
HTTP". When I try to return a route where the first hop (the hop to the
proxy) is using HTTP then the secure flag of the route must not be
"true". If you try then the following exception is raised:
java.lang.IllegalStateException: Unable to establish route.
planned = HttpRoute[{s}->http://localhost:8008->https://www.gmx.net]
current = HttpRoute[{}->http://localhost:8008->https://www.gmx.net]
I tracked the reason down and found that the isSecure method of the
PlainSocketFactory always returns false. This means that if the proxy is
accessed using http then the route must not be flagged to be secure. You
said that if a route is flagged unsecure then "this will prevent
HttpClient from sending cookies marked as secure".
To summarize: If I want to contact a target host via a proxy by https
and want to have cookies that are marked to be secure to be sent then I
have to use https to contact the proxy and mark the route as being
secure. Right?
Yes, you need to mark the route as secure but the initial connection to
the proxy should be made via HTTP. I have not come across an HTTP proxy
that supported CONNECT method via HTTPS.
In your last response you wrote that for proxied https connections
TunnelType.TUNNELLED and LayerType.LAYERED should be chosen. When I
return a route that uses https to access the proxy and the target host,
that has its secure flag set to true and that is tunneled and layered, I
get the following exception:
This problem has nothing to do with the route computation or even
HttpClient at all. The SSL context used by your application has not been
configured correctly.
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:339)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:123)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:147)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:101)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:381)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
What is going wrong here? Does it mean that the proxy host needs to have
a certificate that is signed by a trusted certification authority?
I have no idea about expectations of your proxy host. Did CONNECT method
succeed?
Next try: If I choose a route that uses http to access the proxy host
and https to access the target host and use TunnelType.PLAIN and
LayerType.PLAIN then the route works.
I suspect SSL/TLS is not being used in this case.
The route should be marked as TunnelType.TUNNELLED and LayerType.LAYERED
and the SSL context of your application must be set up correctly.
Why do you need a custom route planner in the first place?
Oleg
Yet, this route can not be marked
to be secure. This means that secure cookies are not sent!
Thanks for your patience and help,
--Stefan
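
Added example, not part of the original thread and not code from the HttpClient project: a route planner that returns the kind of route Oleg describes, with a plain-HTTP first hop to the proxy and the route marked secure, tunnelled and layered. The class name ProxyTunnelRoutePlanner is hypothetical, the hosts are the ones from the exception message above, port 443 is an assumption, and the API is the HttpClient 4.0/4.1 one seen in the stack trace.

```java
import org.apache.http.HttpException;
import org.apache.http.HttpHost;
import org.apache.http.HttpRequest;
import org.apache.http.conn.routing.HttpRoute;
import org.apache.http.conn.routing.HttpRoutePlanner;
import org.apache.http.conn.routing.RouteInfo.LayerType;
import org.apache.http.conn.routing.RouteInfo.TunnelType;
import org.apache.http.protocol.HttpContext;

// Hypothetical planner written for illustration; not HttpClient's own code.
public class ProxyTunnelRoutePlanner implements HttpRoutePlanner {

    private final HttpHost proxy; // first hop, reached over plain HTTP

    public ProxyTunnelRoutePlanner(HttpHost proxy) {
        this.proxy = proxy;
    }

    public HttpRoute determineRoute(HttpHost target, HttpRequest request,
                                    HttpContext context) throws HttpException {
        if (target == null) {
            throw new HttpException("Target host is required");
        }
        if ("https".equalsIgnoreCase(target.getSchemeName())) {
            // secure=true is requested together with TUNNELLED and LAYERED:
            // CONNECT goes to the proxy over HTTP, then SSL/TLS is layered
            // over the tunnel to the target. Requesting secure=true on a
            // PLAIN/PLAIN route is what produced the "planned = {s}" versus
            // "current = {}" mismatch quoted in the thread.
            return new HttpRoute(target, null, proxy, true,
                                 TunnelType.TUNNELLED, LayerType.LAYERED);
        }
        // Plain HTTP target: ordinary proxied request, not secure.
        return new HttpRoute(target, null, proxy, false,
                             TunnelType.PLAIN, LayerType.PLAIN);
    }

    public static void main(String[] args) throws Exception {
        HttpHost proxy = new HttpHost("localhost", 8008, "http");
        HttpHost target = new HttpHost("www.gmx.net", 443, "https"); // port assumed
        HttpRoute route = new ProxyTunnelRoutePlanner(proxy)
                .determineRoute(target, null, null);
        System.out.println(route
                + " secure=" + route.isSecure()
                + " tunnelled=" + route.isTunnelled()
                + " layered=" + route.isLayered());
    }
}
```

The planner would be installed with setRoutePlanner on the client; the SSLPeerUnverifiedException in the thread is a separate matter of the SSL context's trust configuration, which this code does not touch.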