Hi Oleg,
I do not understand your comment: "Which makes perfect sense". You said
that proxies are usually accessed by http (and not https). You said that
a route must be marked secure in order to have secure cookies to be
sent. Now, if I try to use HttpClient with a proxy, connect to this
proxy using http and mark the route to be secure then I get the
IllegalStateException.
Cheers,
--Stefan
Am 30.11.2009 14:38, schrieb Oleg Kalnichevski:
> On Mon, 2009-11-30 at 10:42 +0100, Stefan Wachter wrote:
>
>> Hi Oleg,
>>
>> I implemented a small test case that demonstrates my problem. The
>> program uses a single proxy that is accessed by http (I use WebScarab).
>> When the program runs then I get the already mentioned illegal state
>> exception:
>>
>>
> Which makes perfect sense.
>
>
>> planned = HttpRoute[{s}->http://localhost:8008->https://www.gmx.net]
>> current = HttpRoute[{}->http://localhost:8008->https://www.gmx.net]
>> at
>> org.apache.http.impl.client.DefaultRequestDirector.establishRoute(DefaultRequestDirector.java:672)
>> at
>> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:385)
>> at
>> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
>> at
>> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
>> at
>> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
>> at httpclienttest.Main.main(Main.java:68)
>>
>> When I change the boolean tunneledAndLayered from false to true then I
>> get a SSLPeerUnverifiedException:
>>
>>
>> Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException:
>> peer not authenticated
>> at
>> com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
>> at
>> org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
>> at
>> org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:399)
>> at
>> org.apache.http.impl.conn.DefaultClientConnectionOperator.updateSecureConnection(DefaultClientConnectionOperator.java:167)
>> at
>> org.apache.http.impl.conn.AbstractPoolEntry.layerProtocol(AbstractPoolEntry.java:275)
>> at
>> org.apache.http.impl.conn.AbstractPooledConnAdapter.layerProtocol(AbstractPooledConnAdapter.java:122)
>> at
>> org.apache.http.impl.client.DefaultRequestDirector.establishRoute(DefaultRequestDirector.java:668)
>> at
>> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:385)
>> at
>> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
>> at
>> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
>> at
>> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
>> at httpclienttest.Main.main(Main.java:57)
>>
>> You said that this exception is caused because the SSL context of the
>> application is not configured correctly. Unfortunately I do not how the
>> SSL context is configured. Can you please give me a hint.
>>
>>
> The official Java SSL tutorial is your best friend
>
> Oleg
>
>
>> Best regards,
>> --Stefan
>>
>>
>>
>> package httpclienttest;
>>
>> import org.apache.http.HttpException;
>> import org.apache.http.HttpHost;
>> import org.apache.http.HttpRequest;
>> import org.apache.http.client.methods.HttpGet;
>> import org.apache.http.client.methods.HttpUriRequest;
>> import org.apache.http.conn.ClientConnectionManager;
>> import org.apache.http.conn.routing.HttpRoute;
>> import org.apache.http.conn.routing.HttpRoutePlanner;
>> import org.apache.http.conn.routing.RouteInfo.LayerType;
>> import org.apache.http.conn.routing.RouteInfo.TunnelType;
>> import org.apache.http.conn.scheme.PlainSocketFactory;
>> import org.apache.http.conn.scheme.Scheme;
>> import org.apache.http.conn.scheme.SchemeRegistry;
>> import org.apache.http.conn.ssl.SSLSocketFactory;
>> import org.apache.http.impl.client.DefaultHttpClient;
>> import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
>> import org.apache.http.params.BasicHttpParams;
>> import org.apache.http.params.HttpParams;
>> import org.apache.http.protocol.HttpContext;
>>
>> public class Main {
>>
>> public static void main(String[] args) throws Exception {
>> HttpParams httpParams = new BasicHttpParams();
>>
>> SchemeRegistry schemeRegistry = new SchemeRegistry();
>> schemeRegistry.register(new Scheme("http",
>> PlainSocketFactory.getSocketFactory(), 80));
>> schemeRegistry.register(new Scheme("https",
>> SSLSocketFactory.getSocketFactory(), 443));
>>
>> ClientConnectionManager connectionManager = new
>> ThreadSafeClientConnManager(httpParams, schemeRegistry);
>>
>> DefaultHttpClient httpClient = new
>> DefaultHttpClient(connectionManager, httpParams);
>>
>> HttpRoutePlanner routePlanner = new HttpRoutePlanner() {
>>
>> public HttpRoute determineRoute(HttpHost aTarget, HttpRequest
>> aRequest, HttpContext aContext) throws HttpException {
>>
>> HttpHost[] proxies = new HttpHost[1];
>> proxies[0] = new HttpHost("localhost", 8008, "http");
>> boolean isSecure = true;
>>
>> boolean tunneledAndLayered = false;
>> TunnelType tunnelType = tunneledAndLayered ?
>> TunnelType.TUNNELLED : TunnelType.PLAIN;
>> LayerType layerType = tunneledAndLayered ? LayerType.LAYERED :
>> LayerType.PLAIN;
>>
>> return new HttpRoute(aTarget, null, proxies, isSecure,
>> tunnelType, layerType);
>>
>> }
>>
>> };
>>
>> httpClient.setRoutePlanner(routePlanner);
>>
>> HttpUriRequest request = new HttpGet("https://www.gmx.net";);
>> httpClient.execute(request);
>>
>> }
>> }
>>
>>
>> Am 27.11.2009 22:29, schrieb Oleg Kalnichevski:
>>
>>> Stefan Wachter wrote:
>>>
>>>> Hi Oleg,
>>>>
>>>> your proposal "you need to mark the route as secure but the initial
>>>> connection to the proxy should be made via HTTP" does not work. If the
>>>> route is planned in such a way then an IllegalStateException is raised
>>>> (as I mentioned in my last post). This is caused by the logic
>>>> implemented in HttpClient that a secure route can not use an insecure
>>>> connection.
>>>>
>>> That does not seem to make any sense to me but I did not write HTTP
>>> route planning code. The default logic seems pretty straightforward.
>>>
>>> http://hc.apache.org/httpcomponents-client/httpclient/xref/org/apache/http/impl/conn/DefaultHttpRoutePlanner.html#111
>>>
>>>
>>> Please double-check your code and if you are convinced this is a bug
>>> in HttpClient please try to reproduce the problem with a test case.
>>>
>>> Oleg
>>>
>>>
>>>> Can you please give me a hint how the SSL context of the application can
>>>> be configured correctly?
>>>>
>>>> Why I want to implement a custom route planner: I have integrated
>>>> HttpClient into an (web) application framework to allow easy access to
>>>> the HTTP protocol. I do not like the standard jvm proxy mechanism
>>>> because it is configured virtual machine wide and the configuration must
>>>> be done on the command line or by setting system properties. Using a
>>>> configurable custom route planner just would better fit into the overall
>>>> structure. I did not expect that implementing a custom route planner
>>>> would be so difficult. In addition, I like the possibilities for
>>>> connection pooling that HttpClient offers. I thought that in order to
>>>> configure the pooling for routes it is best to determine the by myself.
>>>> Otherwise I must have a close look at the routes that are returned by
>>>> the "ProxySelectorRoutePlanner".
>>>>
>>>> Thank you for your help,
>>>>
>>>> --Stefan
>>>>
>>>>
>>>>
>>>>
>>>> Am 27.11.2009 17:17, schrieb Oleg Kalnichevski:
>>>>
>>>>> Stefan Wachter wrote:
>>>>>
>>>>>> Hi Oleg,
>>>>>>
>>>>>> I still struggle with the implementation of my HttpRoutePlanner.
>>>>>>
>>>>>> I try to establish an HTTPS connection to a target host via a
>>>>>> proxy. You
>>>>>> said that "usually the tunnel to the proxy is established using plain
>>>>>> HTTP". When I try to return a route where the first hop (the hop to
>>>>>> the
>>>>>> proxy) is using HTTP then the secure flag of the route must not be
>>>>>> "true". If you try then the following exception is raised:
>>>>>>
>>>>>> java.lang.IllegalStateException: Unable to establish route.
>>>>>> planned = HttpRoute[{s}->http://localhost:8008->https://www.gmx.net]
>>>>>> current = HttpRoute[{}->http://localhost:8008->https://www.gmx.net]
>>>>>>
>>>>>> I tracked the reason down and found that the isSecure method of the
>>>>>> PlainSocketFactory always returns false. This means that if the
>>>>>> proxy is
>>>>>> accessed using http then the route must not be flagged to be
>>>>>> secure. You
>>>>>> said that if a route is flagged unsecure then "this will prevent
>>>>>> HttpClient from sending cookies marked as secure".
>>>>>>
>>>>>> To summarize: If I want to contact a target host via a proxy by https
>>>>>> and want to have cookies that are marked to be secure to be sent
>>>>>> then I
>>>>>> have to use https to contact the proxy and mark the route as being
>>>>>> secure. Right?
>>>>>>
>>>>> Yes, you need to mark the route as secure but the initial connection
>>>>> to the proxy should be made via HTTP. I have not come across an HTTP
>>>>> proxy that supported CONNECT method via HTTPS.
>>>>>
>>>>>
>>>>>> In your last response you wrote, that for proxied https connections
>>>>>> TunnelType.TUNELLED and LayerType.LAYERED should be choosen. When I
>>>>>> return a route that uses https to access the proxy and the target
>>>>>> host,
>>>>>> that has its secure flag set to true and that is tunneled and
>>>>>> layered, I
>>>>>> get the following exception:
>>>>>>
>>>>>>
>>>>> This problem has nothing to do with the route computation or even
>>>>> HttpClient at all. The SSL context used by your application has not
>>>>> been configured correctly.
>>>>>
>>>>>
>>>>>> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>>>>>> at
>>>>>> com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
>>>>>>
>>>>>>
>>>>>> at
>>>>>> org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
>>>>>>
>>>>>>
>>>>>> at
>>>>>> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:339)
>>>>>>
>>>>>>
>>>>>> at
>>>>>> org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:123)
>>>>>>
>>>>>>
>>>>>> at
>>>>>> org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:147)
>>>>>>
>>>>>>
>>>>>> at
>>>>>> org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:101)
>>>>>>
>>>>>>
>>>>>> at
>>>>>> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:381)
>>>>>>
>>>>>>
>>>>>> at
>>>>>> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
>>>>>>
>>>>>>
>>>>>> at
>>>>>> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
>>>>>>
>>>>>>
>>>>>> at
>>>>>> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
>>>>>>
>>>>>>
>>>>>>
>>>>>> What is going wrong here? Does it mean that the proxy host needs to
>>>>>> have
>>>>>> a certifacate that is signed by a trusted certifaction authority?
>>>>>>
>>>>>>
>>>>> I have no idea about expectations of your proxy host. Did CONNECT
>>>>> method succeed?
>>>>>
>>>>>
>>>>>> Next try: If I choose a route that uses http to access the proxy host
>>>>>> and https to access the target host and use TunnelType.PLAIN and
>>>>>> LayerType.PLAIN then the route works.
>>>>>>
>>>>> I suspect SSL/TLS is not being used in this case.
>>>>>
>>>>> The route should be marked as TunnelType.TUNELLED and
>>>>> LayerType.LAYERED and the SSL context of your application must be set
>>>>> up correctly.
>>>>>
>>>>> Why do you need a custom route planner in the first place?
>>>>>
>>>>> Oleg
>>>>>
>>>>>
>>>>> Yet, this route can not be marked
>>>>>
>>>>>> to be secure. This means that secure cookies are not sent!
>>>>>>
>>>>>> Thanks for you patience and help,
>>>>>>
>>>>>> --Stefan
>>>>>>
>>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: [email protected]
>>>>> For additional commands, e-mail: [email protected]
>>>>>
>>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: [email protected]
>>>> For additional commands, e-mail: [email protected]
>>>>
>>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [email protected]
>>> For additional commands, e-mail: [email protected]
>>>
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
>>
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
