Hi,

Here is an example to illustrate the problem.

Some secure sites (bank, government, etc.) use Java through port 443. The JVM in the browser doesn't seem to see the proxy auth already established by the browser to polipo. The first thing this Java code sends to the server is a CONNECT request with no Content-Length and no proxy auth header. Here is a sample tcpdump from one of the sites:

======================================
CONNECT www.singpass-services.gov.sg:443 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_06
Host: www.singpass-services.gov.sg
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
============================================

It never gets a 407 reply; you can see from the tcpdump that the JVM makes repeated tries to CONNECT.

13:56:31.968950 IP 10.1.253.55.1835 > 10.1.19.6.8080: S 1015723019:1015723019(0) win 64240 <mss 1360,nop,nop,sackOK>
13:56:31.968963 IP 10.1.19.6.8080 > 10.1.253.55.1835: S 2990809969:2990809969(0) ack 1015723020 win 57344 <mss 1460>
13:56:31.969099 IP 10.1.253.55.1835 > 10.1.19.6.8080: . ack 1 win 65280
13:56:31.969973 IP 10.1.253.55.1835 > 10.1.19.6.8080: P 1:208(207) ack 1 win 65280
13:56:31.969981 IP 10.1.19.6.8080 > 10.1.253.55.1835: . ack 208 win 58273
13:56:31.970173 IP 10.1.19.6.8080 > 10.1.253.55.1835: F 1:1(0) ack 208 win 58273
13:56:31.970346 IP 10.1.253.55.1835 > 10.1.19.6.8080: . ack 2 win 65280
13:56:31.971287 IP 10.1.253.55.1835 > 10.1.19.6.8080: F 208:208(0) ack 2 win 65280
13:56:31.971295 IP 10.1.19.6.8080 > 10.1.253.55.1835: . ack 209 win 58272
13:56:31.974032 IP 10.1.253.55.1836 > 10.1.19.6.8080: S 3900129802:3900129802(0) win 64240 <mss 1360,nop,nop,sackOK>
13:56:31.974045 IP 10.1.19.6.8080 > 10.1.253.55.1836: S 178114032:178114032(0) ack 3900129803 win 57344 <mss 1460>
13:56:31.974216 IP 10.1.253.55.1836 > 10.1.19.6.8080: . ack 1 win 65280
13:56:31.975035 IP 10.1.253.55.1836 > 10.1.19.6.8080: P 1:208(207) ack 1 win 65280
13:56:31.975043 IP 10.1.19.6.8080 > 10.1.253.55.1836: . ack 208 win 58273
13:56:31.975262 IP 10.1.19.6.8080 > 10.1.253.55.1836: F 1:1(0) ack 208 win 58273
13:56:31.975399 IP 10.1.253.55.1836 > 10.1.19.6.8080: . ack 2 win 65280
13:56:31.975877 IP 10.1.253.55.1836 > 10.1.19.6.8080: F 208:208(0) ack 2 win 65280
13:56:31.975892 IP 10.1.19.6.8080 > 10.1.253.55.1836: . ack 209 win 58272
13:56:31.977602 IP 10.1.253.55.1837 > 10.1.19.6.8080: S 238085257:238085257(0) win 64240 <mss 1360,nop,nop,sackOK>
13:56:31.977616 IP 10.1.19.6.8080 > 10.1.253.55.1837: S 1360431475:1360431475(0) ack 238085258 win 57344 <mss 1460>
13:56:31.977748 IP 10.1.253.55.1837 > 10.1.19.6.8080: . ack 1 win 65280
13:56:31.978561 IP 10.1.253.55.1837 > 10.1.19.6.8080: P 1:208(207) ack 1 win 65280
13:56:31.978569 IP 10.1.19.6.8080 > 10.1.253.55.1837: . ack 208 win 58273
13:56:31.978761 IP 10.1.19.6.8080 > 10.1.253.55.1837: F 1:1(0) ack 208 win 58273
13:56:31.978918 IP 10.1.253.55.1837 > 10.1.19.6.8080: . ack 2 win 65280
13:56:31.979551 IP 10.1.253.55.1837 > 10.1.19.6.8080: F 208:208(0) ack 2 win 65280
13:56:31.979560 IP 10.1.19.6.8080 > 10.1.253.55.1837: . ack 209 win 58272
13:56:31.984369 IP 10.1.253.55.1838 > 10.1.19.6.8080: S 1830557163:1830557163(0) win 64240 <mss 1360,nop,nop,sackOK>
13:56:31.984382 IP 10.1.19.6.8080 > 10.1.253.55.1838: S 3944045297:3944045297(0) ack 1830557164 win 57344 <mss 1460>
13:56:31.984597 IP 10.1.253.55.1838 > 10.1.19.6.8080: . ack 1 win 65280
13:56:31.985517 IP 10.1.253.55.1838 > 10.1.19.6.8080: P 1:208(207) ack 1 win 65280
13:56:31.985526 IP 10.1.19.6.8080 > 10.1.253.55.1838: . ack 208 win 58273
13:56:31.985731 IP 10.1.19.6.8080 > 10.1.253.55.1838: F 1:1(0) ack 208 win 58273
13:56:31.985926 IP 10.1.253.55.1838 > 10.1.19.6.8080: . ack 2 win 65280
13:56:31.986162 IP 10.1.253.55.1838 > 10.1.19.6.8080: F 208:208(0) ack 2 win 65280
13:56:31.986172 IP 10.1.19.6.8080 > 10.1.253.55.1838: . ack 209 win 58272

Working to the same site with squid, you get two prompts for proxy auth: the first when the browser first starts and loads the default page, the second when you start to browse these secure sites, a second proxy auth popup triggered by the JVM.

Regards,
Ming

On Mon, Jun 9, 2008 at 10:55 PM, Ming Fu <[EMAIL PROTECTED]> wrote:
> Hi,
>
> The httpParseHeaders() function returns bodylen -1 if the HTTP headers do
> not contain a Content-Length header.
>
> When the following combination happens, polipo prematurely shuts down the
> client socket before a 407 reply can be sent.
>
> 1. Proxy authentication required by Polipo
> 2. Client makes a CONNECT request with no proxy auth header
>    (username/password)
> 3. The request does not include a Content-Length header (legitimate for
>    CONNECT)
>
> The connection->bodylen will be -1 and cause httpDiscardBody to shut down
> the client socket.
>
> To generalize the problem, any client request with no proxy auth header
> and no Content-Length will be a problem.
>
> Should we set connection->bodylen to 0 all the time unless the client
> request is POST/PUT, or there is actually a non-zero Content-Length header?
>
> Currently the body_len = -1 is partially used to indicate the parse error
> of the header. I need your opinion on whether it is important to tell the
> difference of "no Content-Length" vs "a malformed Content-Length".
>
> Best Regards,
> Ming

_______________________________________________
Polipo-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/polipo-users
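
The question in the quoted message, whether "no Content-Length" should be told apart from "a malformed Content-Length", sketched as an added C example; it is not part of the thread and not polipo's code. All names (cl_state, parse_content_length, body_to_discard) and the return conventions are hypothetical, and chunked transfer encoding is assumed out of scope.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical names; this is not polipo's httpParseHeaders(). */
enum cl_state { CL_ABSENT, CL_VALID, CL_MALFORMED };

/* Scan CRLF-separated header lines for Content-Length. */
static enum cl_state parse_content_length(const char *p, long *len)
{
    enum cl_state st = CL_ABSENT;

    for (; p && *p; p = strstr(p, "\r\n"), p = p ? p + 2 : NULL) {
        const char *v;
        char *end;
        long n;

        if (strncasecmp(p, "Content-Length:", 15) != 0) continue;
        v = p + 15;
        while (*v == ' ' || *v == '\t') v++;
        if (!isdigit((unsigned char)*v)) return CL_MALFORMED; /* empty, sign, junk */
        errno = 0;
        n = strtol(v, &end, 10);
        while (*end == ' ' || *end == '\t') end++;
        if (errno || (*end != '\r' && *end != '\0')) return CL_MALFORMED;
        if (st == CL_VALID && n != *len) return CL_MALFORMED; /* conflicting copies */
        *len = n;
        st = CL_VALID;
    }
    return st;
}

/* Body bytes to discard before an error reply such as 407.
 * -1: length unknown, the connection must be closed after the reply;
 * -2: malformed header, answer 400 rather than guessing a length. */
long body_to_discard(const char *method, const char *hdrs)
{
    long len = 0;
    enum cl_state st = parse_content_length(hdrs, &len);

    if (st == CL_MALFORMED) return -2;
    if (st == CL_VALID) return len;
    /* No Content-Length: only body-carrying methods are ambiguous
     * (assumption: chunked encoding is not handled here). */
    if (strcmp(method, "POST") == 0 || strcmp(method, "PUT") == 0) return -1;
    return 0; /* CONNECT, GET, ...: nothing to discard, the 407 can be sent */
}
```

Keeping the malformed case separate from the absent case lets the proxy reject ambiguous lengths outright while still answering a header-only CONNECT with 407.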
