Re: [Simpleweb-Support] SSL Handshake problem
From: Bruno H. <Bru...@ma...> - 2010-05-10 17:10:05
Hi Fabio,

I'm not sure you see how HTTP proxy servers work. If you've configured your browser to use 127.0.0.1:8888 as a proxy, it will use CONNECT for HTTPS connections. CONNECT must relay the entire TCP traffic, upon which the SSL connection runs, for this to work. An HTTP proxy server that supports HTTPS doesn't have to support SSL itself.

If you want your proxy to behave like an HTTP proxy with regards to HTTPS servers, it's CONNECT you need to implement; this has absolutely nothing to do with SSL or any SSLContext as far as this proxy server is concerned. It's just tunnelling the connection (no HTTP involved after the CONNECT request/response itself).

If, alternatively, you want it to act like a reverse proxy, which would relay the requests to your JBoss AS (I'm not sure if that's what you're trying to do), then you'd need your browser to assume it's the actual server (and thus not configure your browser to use it as an HTTP proxy).

It's not clear from what you're saying which of these two scenarios you're trying to achieve. They're completely different.

Best wishes,

Bruno.

On 10/05/10 17:55, Fábio Matos wrote:
> Hello Bruno,
>
> I know what you said, but doesn't Simple already support this with the
> use of the SSLContext as I explained?
>
> This is the scenario:
>
> Browser ----- Simple "Proxy" (with proxy certificate) ----- JBoss AS
> (server certificate and webpage in root, port 8443)
>
> If I access https://127.0.0.1:8443, and defined the browser proxy to
> 127.0.0.1:8888 as explained, I was expecting to see Simple
> providing the proxy certificate to the browser and after acceptance the
> request should arrive at the handler.
> Am I mistaken in these assumptions? Is this even possible with Simple?
> If not, where should I start to look in the Simple source code to make it
> possible?
>
> Thanks.
>
> 2010/5/10 Bruno Harbulot <Bru...@ma...>
>
> Hi Fábio,
>
> HTTP proxy servers, when relaying an HTTPS connection, are not the SSL
> end-point. They use the 'CONNECT' verb to relay the connection directly
> to the requested HTTPS server. If they were allowed to intercept the
> initial connection and then re-emit it to the intended server, they
> would act as a man-in-the-middle, which is what SSL is designed to
> prevent.
>
> If you want to design an HTTP proxy that supports SSL connections, you
> need to support the CONNECT verb, which on the server-side simply
> tunnels the connection to the destination server, and on the client-side
> starts the handshake after receiving the 200 status code from CONNECT.
>
> Best wishes,
>
> Bruno.
>
>
> On 10/05/10 17:20, Fábio Matos wrote:
> > Hello,
> >
> > I'm trying to make a man-in-the-middle SSL proxy using Simple and
> > Apache HttpClient.
> >
> > Basically, I receive the request in the Simple handler, convert it to an
> > httpclient request, send it, convert the httpclient response to a Simple
> > response and voilà, I got myself a proxy.
> > This is working perfectly using HTTP.
> >
> > The next step was adding HTTPS support.
> > To do so I created a self-signed certificate/keystore, loaded it up in an
> > SSLContext and fed it to the connection.connect method.
> >
> > And we arrive at the reason for this post. The port set in Simple is 8888.
> >
> > I have two behaviors:
> >
> > 1.
> > If I access https://127.0.0.1:8888 directly it shows me the
> > certificate warning (self-signed), I accept it and the handler receives
> > the unencrypted request just fine.
> >
> > 2.
> > If I set the browser proxy to 127.0.0.1:8888 in all protocols so,
> > like in the HTTP case, every package passes by the Simple handler,
> > access an https website and the following error occurs multiple times
> > and an empty response is returned:
> >
> > Using SSLEngineImpl.
> > Notifier-0, fatal error: 80: problem unwrapping net record
> > javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
> > Notifier-0, SEND TLSv1 ALERT: fatal, description = internal_error
> > Notifier-0, WRITE: TLSv1 Alert, length = 2
> >
> > I saw the related post about the release of Simple 4.1.20 that should
> > fix an SSL problem and I'm using that version.
> > I tried it with the example shown in that post and it also gives me the
> > referred error.
> >
> > Can you please give me any help on this? Is this a bug or a
> > configuration error?
> >
> > Thanks in advance.
> >
> > --
> > Fábio Matos
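The CONNECT handling Bruno describes, as an added example that is not part of this thread or of the Simple framework: the proxy side of a CONNECT tunnel written with plain Python sockets. It answers the browser's plaintext CONNECT request with 200 and then copies bytes both ways without ever starting TLS itself, which is why no SSLContext is involved on the proxy. The host names, the regex, and the injectable `connect` helper are assumptions made for the example.

```python
import contextlib
import re
import socket
import threading

# Added example, not code from Simple or from this thread. A forward proxy
# never starts TLS: the first bytes a browser sends it are the plaintext
# "CONNECT host:port" request, and after the 200 reply it only relays bytes.
CONNECT_RE = re.compile(rb"^CONNECT ([^\s:/]+):(\d{1,5}) HTTP/1\.[01]\r\n")


def parse_connect(request_head: bytes):
    """Return (host, port) from a CONNECT request line, or None if it isn't one."""
    m = CONNECT_RE.match(request_head)
    if not m:
        return None
    port = int(m.group(2))
    if not 0 < port < 65536:
        return None
    return m.group(1).decode("ascii"), port


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src closes, then half-close dst."""
    with contextlib.suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)


def handle_connect(client, request_head, connect=socket.create_connection):
    """Serve one CONNECT request on `client`; `connect` is injectable for tests."""
    target = parse_connect(request_head)
    if target is None:
        client.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        return False
    try:
        upstream = connect(target)  # plain TCP to the origin server (assumed reachable)
    except OSError:
        client.sendall(b"HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n")
        return False
    client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    with upstream:  # from here on: opaque relay, no HTTP parsing and no TLS
        back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
        back.start()
        pump(client, upstream)
        back.join()
    return True
```

The browser performs the TLS handshake with the origin server through the tunnel after the 200 line, so the proxy's own certificate is never presented in this mode.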