RE: SSL failure when using new Async APIs in 5.0-beta6
Hi Oleg, No, I had not updated my code. I updated my code as you said and it worked OK. Thanks Oleg, Nicolas de Pomereu -Original Message- From: Oleg Kalnichevski Sent: Tuesday, December 10, 2019 11:16 AM To: HttpClient User Discussion Subject: Re: SSL failure when using new Async APIs in 5.0-beta6 On Tue, 2019-12-10 at 11:06 +0100, Nicolas de Pomereu wrote: > Hi, > I still have the problem with the new master version. > ( > https://github.com/apache/httpcomponents-client/commit/f3c418c50a6ebba > 4f7f89d568a542c5599956310 > ) > Enclosed class call fails with javax.net.ssl.SSLHandshakeException: > General SSLEngine problem > (USE_WEBSITE_WITH_IP_DIFFERENT_THAN_INNET_ADDRESS = true) Regards, > Nicolas de Pomereu > You have not updated your code to use the #execute method with an explicit HttpHost parameter, have you? Oleg > <<...>> <<...>> > -Original Message- > From: Oleg Kalnichevski > Sent: Thursday, December 5, 2019 4:56 PM > To: HttpClient User Discussion > Subject: Re: SSL failure when using new Async APIs in 5.0-beta6 On > Wed, 2019-12-04 at 15:07 +0100, Oleg Kalnichevski wrote: > > > > > On Tue, 2019-12-03 at 15:35 +0100, Nicolas de Pomereu wrote: > > > > Hi, > > > > > > > > With HttpClient 5.0-beta6 Classic APIs, HttpClient call will > work > > > > using HttpHost with following code, even if initHost IP is > > > > different from > > > > destServerNameIP: > > > > > > > > initHost = "www.acme.com"; > > > > destServerNameIP = "100.100.100.100"; > > > > destScheme = "https"; > > > > port = 443; > > > > > > > > InetAddress inetAddress = > > > > InetAddress.getByName(destServerNameIP); > > > > final HttpHost target = new HttpHost(destScheme, inetAddress, > > > > initHost, port); > > > > > > > > With HttpClient 5.0-beta6 new Async APIs for HTTP/2, > HttpClient > > > > will fail with a SSLEngineException failure if initHost IP is > > > > different from destServerNameIP. > > > > > > > > Is this a new feature or a bug please? > > > > > > > > I found out that async versions of HttpClient presently do not take > > InetAddress parameter of HttpHost into account. > > > > Feel free to raise a JIRA if you want to track resolution of this > > defect. > > > > I am seriously considering removing InetAddress attribute from > > HttpHost. It should have never been added to the class in the first > > place. Though I will see if there is an alternative fix that does > not > > involve any changes to the HttpHost as the first step. > > > > Oleg > > > The problem fixed in master with > https://github.com/apache/httpcomponents-client/commit/f3c418c50a6ebba4f7f89d568a542c5599956310 > Oleg > > > - > To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org > For additional commands, e-mail: httpclient-users-h...@hc.apache.org > - > To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org > For additional commands, e-mail: httpclient-users-h...@hc.apache.org - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org For additional commands, e-mail: httpclient-users-h...@hc.apache.org - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org For additional commands, e-mail: httpclient-users-h...@hc.apache.org
Re: SSL failure when using new Async APIs in 5.0-beta6
On Tue, 2019-12-10 at 11:06 +0100, Nicolas de Pomereu wrote: > Hi, > I still have the problem with the new master version. > ( > https://github.com/apache/httpcomponents-client/commit/f3c418c50a6ebba4f7f89d568a542c5599956310 > ) > Enclosed class call fails with javax.net.ssl.SSLHandshakeException: > General SSLEngine problem > (USE_WEBSITE_WITH_IP_DIFFERENT_THAN_INNET_ADDRESS = true) > Regards, > Nicolas de Pomereu > You have not updated your code to use the #execute method with an explicit HttpHost parameter, have you? Oleg > <<...>> <<...>> > -Original Message- > From: Oleg Kalnichevski > Sent: Thursday, December 5, 2019 4:56 PM > To: HttpClient User Discussion > Subject: Re: SSL failure when using new Async APIs in 5.0-beta6 > On Wed, 2019-12-04 at 15:07 +0100, Oleg Kalnichevski wrote: > > > > > On Tue, 2019-12-03 at 15:35 +0100, Nicolas de Pomereu wrote: > > > > Hi, > > > > > > > > With HttpClient 5.0-beta6 Classic APIs, HttpClient call will > work > > > > using HttpHost with following code, even if initHost IP is > > > > different from > > > > destServerNameIP: > > > > > > > > initHost = "www.acme.com"; > > > > destServerNameIP = "100.100.100.100"; > > > > destScheme = "https"; > > > > port = 443; > > > > > > > > InetAddress inetAddress = > > > > InetAddress.getByName(destServerNameIP); > > > > final HttpHost target = new HttpHost(destScheme, inetAddress, > > > > initHost, port); > > > > > > > > With HttpClient 5.0-beta6 new Async APIs for HTTP/2, > HttpClient > > > > will fail with a SSLEngineException failure if initHost IP is > > > > different from destServerNameIP. > > > > > > > > Is this a new feature or a bug please? > > > > > > > > I found out that async versions of HttpClient presently do not take > > InetAddress parameter of HttpHost into account. > > > > Feel free to raise a JIRA if you want to track resolution of this > > defect. > > > > I am seriously considering removing InetAddress attribute from > > HttpHost. It should have never been added to the class in the first > > place. Though I will see if there is an alternative fix that does > not > > involve any changes to the HttpHost as the first step. > > > > Oleg > > > The problem fixed in master with > https://github.com/apache/httpcomponents-client/commit/f3c418c50a6ebba4f7f89d568a542c5599956310 > Oleg > > > - > To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org > For additional commands, e-mail: httpclient-users-h...@hc.apache.org > - > To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org > For additional commands, e-mail: httpclient-users-h...@hc.apache.org - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org For additional commands, e-mail: httpclient-users-h...@hc.apache.org
RE: SSL failure when using new Async APIs in 5.0-beta6
RE: SSL failure when using new Async APIs in 5.0-beta6 Hi, I still have the problem with the new master version. ( *https://github.com/apache/httpcomponents-client/commit/f3c418c50a6ebba4f7f89d568a542c5599956310* <https://github.com/apache/httpcomponents-client/commit/f3c418c50a6ebba4f7f89d568a542c5599956310> ) Enclosed class call fails with javax.net.ssl.SSLHandshakeException: General SSLEngine problem (USE_WEBSITE_WITH_IP_DIFFERENT_THAN_INNET_ADDRESS = true) Regards, Nicolas de Pomereu <<...>> <<...>> -Original Message- From: Oleg Kalnichevski Sent: Thursday, December 5, 2019 4:56 PM To: HttpClient User Discussion Subject: Re: SSL failure when using new Async APIs in 5.0-beta6 On Wed, 2019-12-04 at 15:07 +0100, Oleg Kalnichevski wrote: > > > On Tue, 2019-12-03 at 15:35 +0100, Nicolas de Pomereu wrote: > > > Hi, > > > > > > With HttpClient 5.0-beta6 Classic APIs, HttpClient call will work > > > using HttpHost with following code, even if initHost IP is > > > different from > > > destServerNameIP: > > > > > > initHost = "www.acme.com"; > > > destServerNameIP = "100.100.100.100"; > > > destScheme = "https"; > > > port = 443; > > > > > > InetAddress inetAddress = > > > InetAddress.getByName(destServerNameIP); > > > final HttpHost target = new HttpHost(destScheme, inetAddress, > > > initHost, port); > > > > > > With HttpClient 5.0-beta6 new Async APIs for HTTP/2, HttpClient > > > will fail with a SSLEngineException failure if initHost IP is > > > different from destServerNameIP. > > > > > > Is this a new feature or a bug please? > > > > > I found out that async versions of HttpClient presently do not take > InetAddress parameter of HttpHost into account. > > Feel free to raise a JIRA if you want to track resolution of this > defect. > > I am seriously considering removing InetAddress attribute from > HttpHost. It should have never been added to the class in the first > place. Though I will see if there is an alternative fix that does not > involve any changes to the HttpHost as the first step. > > Oleg > The problem fixed in master with https://github.com/apache/httpcomponents-client/commit/f3c418c50a6ebba4f7f89d568a542c5599956310 Oleg - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org For additional commands, e-mail: httpclient-users-h...@hc.apache.org RawSSLAsyncRegularTest.java Description: java/ OutputStreamBinResponseConsumer.java Description: java/ - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org For additional commands, e-mail: httpclient-users-h...@hc.apache.org
Re: SSL failure when using new Async APIs in 5.0-beta6
Hi Oleg, Thank you very much, I will try asap. Regards, Nicolas de Pomereu KawanSoft SAS http://www.kawansoft.com 62, boulevard Pereire 75017 Paris - France Tel: +33 (0)1 77 69 59 58 Fax: +33 (0)1 72 74 95 39 Le jeu. 5 déc. 2019 à 18:42, Oleg Kalnichevski a écrit : > On Wed, 2019-12-04 at 15:07 +0100, Oleg Kalnichevski wrote: > > > > > On Tue, 2019-12-03 at 15:35 +0100, Nicolas de Pomereu wrote: > > > > Hi, > > > > > > > > With HttpClient 5.0-beta6 Classic APIs, HttpClient call will > > > > work > > > > using > > > > HttpHost with following code, even if initHost IP is different > > > > from > > > > destServerNameIP: > > > > > > > > initHost = "www.acme.com"; > > > > destServerNameIP = "100.100.100.100"; > > > > destScheme = "https"; > > > > port = 443; > > > > > > > > InetAddress inetAddress = > > > > InetAddress.getByName(destServerNameIP); > > > > final HttpHost target = new HttpHost(destScheme, inetAddress, > > > > initHost, > > > > port); > > > > > > > > With HttpClient 5.0-beta6 new Async APIs for HTTP/2, HttpClient > > > > will fail > > > > with a SSLEngineException failure if initHost IP is different > > > > from > > > > destServerNameIP. > > > > > > > > Is this a new feature or a bug please? > > > > > > > > I found out that async versions of HttpClient presently do not take > > InetAddress parameter of HttpHost into account. > > > > Feel free to raise a JIRA if you want to track resolution of this > > defect. > > > > I am seriously considering removing InetAddress attribute from > > HttpHost. It should have never been added to the class in the first > > place. Though I will see if there is an alternative fix that does not > > involve any changes to the HttpHost as the first step. > > > > Oleg > > > > The problem fixed in master with > > > https://github.com/apache/httpcomponents-client/commit/f3c418c50a6ebba4f7f89d568a542c5599956310 > > Oleg > > > > - > To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org > For additional commands, e-mail: httpclient-users-h...@hc.apache.org > >
Re: SSL failure when using new Async APIs in 5.0-beta6
On Wed, 2019-12-04 at 15:07 +0100, Oleg Kalnichevski wrote: > > > On Tue, 2019-12-03 at 15:35 +0100, Nicolas de Pomereu wrote: > > > Hi, > > > > > > With HttpClient 5.0-beta6 Classic APIs, HttpClient call will > > > work > > > using > > > HttpHost with following code, even if initHost IP is different > > > from > > > destServerNameIP: > > > > > > initHost = "www.acme.com"; > > > destServerNameIP = "100.100.100.100"; > > > destScheme = "https"; > > > port = 443; > > > > > > InetAddress inetAddress = > > > InetAddress.getByName(destServerNameIP); > > > final HttpHost target = new HttpHost(destScheme, inetAddress, > > > initHost, > > > port); > > > > > > With HttpClient 5.0-beta6 new Async APIs for HTTP/2, HttpClient > > > will fail > > > with a SSLEngineException failure if initHost IP is different > > > from > > > destServerNameIP. > > > > > > Is this a new feature or a bug please? > > > > > I found out that async versions of HttpClient presently do not take > InetAddress parameter of HttpHost into account. > > Feel free to raise a JIRA if you want to track resolution of this > defect. > > I am seriously considering removing InetAddress attribute from > HttpHost. It should have never been added to the class in the first > place. Though I will see if there is an alternative fix that does not > involve any changes to the HttpHost as the first step. > > Oleg > The problem fixed in master with https://github.com/apache/httpcomponents-client/commit/f3c418c50a6ebba4f7f89d568a542c5599956310 Oleg - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org For additional commands, e-mail: httpclient-users-h...@hc.apache.org
Re: SSL failure when using new Async APIs in 5.0-beta6
On Tue, 2019-12-03 at 16:45 +0100, Oleg Kalnichevski wrote: > What I immediately see if that the server sends a different (broken) > SSL certificate chain during the TLS handshake with > RawSSLAsyncRegularTest example. At this point I _cannot_ confirm that > as HttpClient's fault but I will take a closer look tomorrow. > > Oleg > > > On Tue, 2019-12-03 at 15:35 +0100, Nicolas de Pomereu wrote: > > Hi, > > > > With HttpClient 5.0-beta6 Classic APIs, HttpClient call will work > > using > > HttpHost with following code, even if initHost IP is different from > > destServerNameIP: > > > > initHost = "www.acme.com"; > > destServerNameIP = "100.100.100.100"; > > destScheme = "https"; > > port = 443; > > > > InetAddress inetAddress = > > InetAddress.getByName(destServerNameIP); > > final HttpHost target = new HttpHost(destScheme, inetAddress, > > initHost, > > port); > > > > With HttpClient 5.0-beta6 new Async APIs for HTTP/2, HttpClient > > will fail > > with a SSLEngineException failure if initHost IP is different from > > destServerNameIP. > > > > Is this a new feature or a bug please? > > I found out that async versions of HttpClient presently do not take InetAddress parameter of HttpHost into account. Feel free to raise a JIRA if you want to track resolution of this defect. I am seriously considering removing InetAddress attribute from HttpHost. It should have never been added to the class in the first place. Though I will see if there is an alternative fix that does not involve any changes to the HttpHost as the first step. Oleg - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org For additional commands, e-mail: httpclient-users-h...@hc.apache.org
Re: SSL failure when using new Async APIs in 5.0-beta6
What I immediately see if that the server sends a different (broken) SSL certificate chain during the TLS handshake with RawSSLAsyncRegularTest example. At this point I _cannot_ confirm that as HttpClient's fault but I will take a closer look tomorrow. Oleg On Tue, 2019-12-03 at 15:35 +0100, Nicolas de Pomereu wrote: > Hi, > > With HttpClient 5.0-beta6 Classic APIs, HttpClient call will work > using > HttpHost with following code, even if initHost IP is different from > destServerNameIP: > > initHost = "www.acme.com"; > destServerNameIP = "100.100.100.100"; > destScheme = "https"; > port = 443; > > InetAddress inetAddress = > InetAddress.getByName(destServerNameIP); > final HttpHost target = new HttpHost(destScheme, inetAddress, > initHost, > port); > > With HttpClient 5.0-beta6 new Async APIs for HTTP/2, HttpClient > will fail > with a SSLEngineException failure if initHost IP is different from > destServerNameIP. > > Is this a new feature or a bug please? > > How can I call HttpClient in SSL with Async & HTTP/2 new APIs using a > HttpHost with the 4 parameters HttpHost constructor? > (We need it because we are writing a reverse proxy). > > Please see two real enclosed examples that can be run to test > implementation > details. > Runs have be tested with Windows 10 / Java jre1.8.0_211 and Linux > and > OpenJDK 10.0.2. > > Regards, > Nicolas > - > To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org > For additional commands, e-mail: httpclient-users-h...@hc.apache.org - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org For additional commands, e-mail: httpclient-users-h...@hc.apache.org
SSL failure when using new Async APIs in 5.0-beta6
Hi, With HttpClient 5.0-beta6 Classic APIs, HttpClient call will work using HttpHost with following code, even if initHost IP is different from destServerNameIP: initHost = "www.acme.com"; destServerNameIP = "100.100.100.100"; destScheme = "https"; port = 443; InetAddress inetAddress = InetAddress.getByName(destServerNameIP); final HttpHost target = new HttpHost(destScheme, inetAddress, initHost, port); With HttpClient 5.0-beta6 new Async APIs for HTTP/2, HttpClient will fail with a SSLEngineException failure if initHost IP is different from destServerNameIP. Is this a new feature or a bug please? How can I call HttpClient in SSL with Async & HTTP/2 new APIs using a HttpHost with the 4 parameters HttpHost constructor? (We need it because we are writing a reverse proxy). Please see two real enclosed examples that can be run to test implementation details. Runs have be tested with Windows 10 / Java jre1.8.0_211 and Linux and OpenJDK 10.0.2. Regards, Nicolas OutputStreamBinResponseConsumer.java Description: java/ RawSSLAsyncRegularTest.java Description: java/ RawSSLClassicRegularTest.java Description: java/ - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org For additional commands, e-mail: httpclient-users-h...@hc.apache.org