simpleweb-support — General user and support issues

[Simpleweb-Support] Outputing MJPEG

[Farhad <xa...@gm...>]

Hi,

We would like to use Simple to receive a HTTP request with a Container and extract the OutputStream, which we then use to output a live multipart MJPG video stream.

When this is done using a plain java ServerSocket the browser has no problem with displaying the video. However this is not the case when using Simple.

Obviously Simple parses the output and modifies it according to HTTP standards. Is there a way to get the actual socket outputstream in a Container (and possibly pass it over to another thread) and then prevent Simple from closing it or processing it?

Thanks

Re: [Simpleweb-Support] ask about webservers

[<nia...@rb...>]

I am afraid not, but you could always use mod_proxy if you wanted. Or implement your own proxy from Simple to Apache.

Niall Gallagher
RBS Global Banking & Markets
Office: +44 2070851454



________________________________
From: ALI K>M [mailto:j.c...@gm...]
Sent: 29 June 2010 16:50
To: sim...@li...
Subject: [Simpleweb-Support] ask about webservers

Dear sirs :
can use simple with appache together ?
which control panel can add simple?
Regards

***********************************************************************************
The Royal Bank of Scotland plc. Registered in Scotland No 90312. 
Registered Office: 36 St Andrew Square, Edinburgh EH2 2YB. 
Authorised and regulated by the Financial Services Authority. The
Royal Bank of Scotland N.V. is authorised and regulated by the 
De Nederlandsche Bank and has its seat at Amsterdam, the 
Netherlands, and is registered in the Commercial Register under 
number 33002587. Registered Office: Gustav Mahlerlaan 10, 
Amsterdam, The Netherlands. The Royal Bank of Scotland N.V. and 
The Royal Bank of Scotland plc are authorised to act as agent for each 
other in certain jurisdictions.
 
This e-mail message is confidential and for use by the addressee only.
If the message is received by anyone other than the addressee, please 
return the message to the sender by replying to it and then delete the 
message from your computer. Internet e-mails are not necessarily 
secure. The Royal Bank of Scotland plc and The Royal Bank of Scotland 
N.V. including its affiliates ("RBS group") does not accept responsibility 
for changes made to this message after it was sent. 

Whilst all reasonable care has been taken to avoid the transmission of 
viruses, it is the responsibility of the recipient to ensure that the onward
transmission, opening or use of this message and any attachments will 
not adversely affect its systems or data. No responsibility is accepted 
by the RBS group in this regard and the recipient should carry out such 
virus and other checks as it considers appropriate. 

Visit our website at www.rbs.com

***********************************************************************************

[Simpleweb-Support] ask about webservers

[ALI K>M <j.c...@gm...>]

Dear sirs :
can use simple with appache together ?
which control panel can add simple?
Regards

Re: [Simpleweb-Support] HTTP Date headers are in wrong timezone

[Niall G. <gal...@ya...>]

RFC 2616 says all headers MUST be GMT regardless of where they are sent from. There is no error here.

--- On Tue, 6/15/10, Deniz Acay <den...@gm...> wrote:

From: Deniz Acay <den...@gm...>
Subject: [Simpleweb-Support] HTTP Date headers are in wrong timezone
To: sim...@li...
Date: Tuesday, June 15, 2010, 6:36 PM



 
 


 
Dear Simple developers,
Simple Framework is the perfect API for my 
projects, but today i'm experiencing a problem with the date headers. Looks like 
Simple does not convert milliseconds to date string by timezone or locale. No 
matter what i do, it is still sending response date headers with the wrong 
timezone. I hope this little localization issue will 
be solved.
Thanks,
Deniz 

-----Inline Attachment Follows-----

------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate 
GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the 
lucky parental unit.  See the prize list and enter to win: 
http://p.sf.net/sfu/thinkgeek-promo
-----Inline Attachment Follows-----

_______________________________________________
Simpleweb-Support mailing list
Sim...@li...
https://lists.sourceforge.net/lists/listinfo/simpleweb-support



      

[Simpleweb-Support] HTTP Date headers are in wrong timezone

[Deniz A. <den...@gm...>]

Dear Simple developers,
Simple Framework is the perfect API for my projects, but today i'm experiencing a problem with the date headers. Looks like Simple does not convert milliseconds to date string by timezone or locale. No matter what i do, it is still sending response date headers with the wrong timezone. I hope this little localization issue will be solved.
Thanks,
Deniz

Re: [Simpleweb-Support] Serving content over SSL

[Kai S. <sch...@gm...>]

Sorry, I got distracted by the 90 lines of legalese under your message...
you actually had a question, I just saw an empty message

My best suggestion would be to create an inhouse firefox addon if you need
that strong a security.

HTTPS only has 256 bit encription native at best. You could build stronger
encription on top of simple, but you'd have to write a custom browser...

Firefox with addons that encrypt, and a very easy Java implementation to
decrypt on the server side would do it. I've done it before, even and high
scalability, and it worked great. :)

-k


On Mon, Jun 14, 2010 at 2:42 PM, Kai Schutte <sch...@gm...> wrote:

> Hi Andy Barlow,
>
> nice to meet you too :)
>
> On Thu, Jun 10, 2010 at 9:31 PM, Andrew Barlow <
> and...@sd...> wrote:
>
>> Any examples of how to serve content over HTTPS using (presumably)
>> keystore.jks?
>>
>>  Andy Barlow - Chief Technology Officer - MBCS CENG EURING CITP
>>
>> e: and...@sd...
>> t: +44 (0)7830 302 268
>>
>> *The information in this email or facsimile is confidential and is
>> intended solely for the addressee(s) and access to this email or facsimile
>> by anyone else is unauthorised. If you are not the intended recipient then
>> any disclosure, copying, distribution or any action taken or omitted to be
>> taken in reliance on it, is prohibited and may be unlawful. Information
>> expressed in this email or facsimile is not given or endorsed by my firm or
>> employer unless otherwise indicated by an authorised representative
>> independent of this message.*
>>
>>
>>
>> ------------------------------------------------------------------------------
>> ThinkGeek and WIRED's GeekDad team up for the Ultimate
>> GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
>> lucky parental unit.  See the prize list and enter to win:
>> http://p.sf.net/sfu/thinkgeek-promo
>> _______________________________________________
>> Simpleweb-Support mailing list
>> Sim...@li...
>> https://lists.sourceforge.net/lists/listinfo/simpleweb-support
>>
>>
>

Re: [Simpleweb-Support] Serving content over SSL

[Kai S. <sch...@gm...>]

Hi Andy Barlow,

nice to meet you too :)

On Thu, Jun 10, 2010 at 9:31 PM, Andrew Barlow <and...@sd...
> wrote:

> Any examples of how to serve content over HTTPS using (presumably)
> keystore.jks?
>
> Andy Barlow - Chief Technology Officer - MBCS CENG EURING CITP
>
> e: and...@sd...
> t: +44 (0)7830 302 268
>
> *The information in this email or facsimile is confidential and is
> intended solely for the addressee(s) and access to this email or facsimile
> by anyone else is unauthorised. If you are not the intended recipient then
> any disclosure, copying, distribution or any action taken or omitted to be
> taken in reliance on it, is prohibited and may be unlawful. Information
> expressed in this email or facsimile is not given or endorsed by my firm or
> employer unless otherwise indicated by an authorised representative
> independent of this message.*
>
>
>
> ------------------------------------------------------------------------------
> ThinkGeek and WIRED's GeekDad team up for the Ultimate
> GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
> lucky parental unit.  See the prize list and enter to win:
> http://p.sf.net/sfu/thinkgeek-promo
> _______________________________________________
> Simpleweb-Support mailing list
> Sim...@li...
> https://lists.sourceforge.net/lists/listinfo/simpleweb-support
>
>

Re: [Simpleweb-Support] Serving content over SSL

[<nia...@rb...>]

Hi,

All you need is an SSLContext and you can use HTTPS with Simple. Just pass the SSLContext in to the Connection you have created. Here is a simple (but crude) example.

https://simpleweb.svn.sourceforge.net/svnroot/simpleweb/trunk/src/demo/java/org/simpleframework/example/Server.java

Niall

Niall Gallagher
RBS Global Banking & Markets
Office: +44 2070851454



________________________________
From: Andrew Barlow [mailto:and...@sd...]
Sent: 10 June 2010 20:32
To: sim...@li...
Subject: [Simpleweb-Support] Serving content over SSL

Any examples of how to serve content over HTTPS using (presumably) keystore.jks?

Andy Barlow - Chief Technology Officer - MBCS CENG EURING CITP

e: and...@sd...<mailto:and...@sd...>
t: +44 (0)7830 302 268

The information in this email or facsimile is confidential and is intended solely for the addressee(s) and access to this email or facsimile by anyone else is unauthorised. If you are not the intended recipient then any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. Information expressed in this email or facsimile is not given or endorsed by my firm or employer unless otherwise indicated by an authorised representative independent of this message.


***********************************************************************************
The Royal Bank of Scotland plc. Registered in Scotland No 90312. 
Registered Office: 36 St Andrew Square, Edinburgh EH2 2YB. 
Authorised and regulated by the Financial Services Authority. The
Royal Bank of Scotland N.V. is authorised and regulated by the 
De Nederlandsche Bank and has its seat at Amsterdam, the 
Netherlands, and is registered in the Commercial Register under 
number 33002587. Registered Office: Gustav Mahlerlaan 10, 
Amsterdam, The Netherlands. The Royal Bank of Scotland N.V. and 
The Royal Bank of Scotland plc are authorised to act as agent for each 
other in certain jurisdictions.
 
This e-mail message is confidential and for use by the addressee only.
If the message is received by anyone other than the addressee, please 
return the message to the sender by replying to it and then delete the 
message from your computer. Internet e-mails are not necessarily 
secure. The Royal Bank of Scotland plc and The Royal Bank of Scotland 
N.V. including its affiliates ("RBS group") does not accept responsibility 
for changes made to this message after it was sent. 

Whilst all reasonable care has been taken to avoid the transmission of 
viruses, it is the responsibility of the recipient to ensure that the onward
transmission, opening or use of this message and any attachments will 
not adversely affect its systems or data. No responsibility is accepted 
by the RBS group in this regard and the recipient should carry out such 
virus and other checks as it considers appropriate. 

Visit our website at www.rbs.com

***********************************************************************************

[Simpleweb-Support] Serving content over SSL

[Andrew B. <and...@sd...>]

Any examples of how to serve content over HTTPS using (presumably) keystore.jks?

Andy Barlow - Chief Technology Officer - MBCS CENG EURING CITP 

e: and...@sd...
t: +44 (0)7830 302 268

The information in this email or facsimile is confidential and is intended solely for the addressee(s) and access to this email or facsimile by anyone else is unauthorised. If you are not the intended recipient then any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. Information expressed in this email or facsimile is not given or endorsed by my firm or employer unless otherwise indicated by an authorised representative independent of this message.

Re: [Simpleweb-Support] SSL Handshake problem

[Fábio M. <fab...@gm...>]

"You could achieve what you're trying to do by connecting to the proxy
explicitly, having it relay the connections to the actual server in the
back-end. By this I mean connect to https://your.proxy:8888/ instead of
https://your.jboss.server:8443/."

I just tried this solution, also explained by Niall, and it works perfectly.
This should be the way to go:

Browser ------ Simple/Apache HTTPClient ------ Server

Bruno and Niall, thanks for the very important support and patience. Thanks.

2010/5/10 Niall Gallagher <gal...@ya...>

> Hi Fabio,
>
> For what you want you DO NOT want HTTP CONNECT. You want to scan the
> traffic in a HTTPS conversation. This is VERY easy to do. All you have to do
> is convince your browser your talking to the origin HTTPS server. The
> implementation is simple, your friends here are your /etc/hosts (and the
> windows equivenalt, which I can't remember).
>
> You will find some REALLY BAD code I have written here, this scans GWT RPC
> traffic to an uncontrolled foreign server. I am able to scan the traffic
> from my browser to this server and dump the messages. This is what you want,
> no? The code is here, but beware it is a real hack job. The class your
> looking for is an inner class named ProxyContainer.
>
>
> https://simpleweb.svn.sourceforge.net/svnroot/simpleweb/trunk/src/demo/java/org/simpleframework/http/search/SearchServer.java
>
> Here all you have to change, is the connection, give it your SSL context
> and your browser will have a HTTPS conversation with it. The proxy container
> will decrypt and then your internal client will re-encrypt. You can snoop
> the conversation in the middle.
>
> Niall
>
> --- On *Mon, 5/10/10, Fábio Matos <fab...@gm...>* wrote:
>
>
> From: Fábio Matos <fab...@gm...>
> Subject: Re: [Simpleweb-Support] SSL Handshake problem
> To: "Simple support and user issues" <
> sim...@li...>
> Date: Monday, May 10, 2010, 12:21 PM
>
>
> Hi,
>
> Heres a dumbed down hello world example for replicating the problem.
>
> Bruno is right:
>
> "Sure, because your browsers sends an HTTP CONNECT where your proxy
> server seems to expect a ClientHello for starting the SSL handshake
> (*different layer*): that's what triggers the exceptions you get."
>
> The problem is that simple does support SSL, but does not support HTTP
> CONNECT... its a shame.
>
> Could this be in a future release?
>
> Bruno, i'll try to use one of your workarounds. Thanks.
>
>
> 2010/5/10 Bruno Harbulot <Bru...@ma...<http://mc/compose?to=Bru...@ma...>
> >
>
>> Hi Fabio,
>>
>> On 10/05/2010 19:09, Fábio Matos wrote:
>> > Hi Bruno,
>> >
>> > Thanks for your patience. I'l try be more clear about what I want to do.
>> >
>> > I want a HTTPS proxy that acts as a man-in-the-middle for logging
>> purposes.
>> >
>> >
>> > Browser ----- (1) ------ Simple "Proxy" (2) ------- (3) ------- Server
>> >
>> > (1) Traffic *encrypted *with *Proxy Certificate*
>> > (2) Traffic *decrypted *with *Proxy Certificate* and *logged*
>> > (3) Traffic *encrypted *with *Server Certificate*
>> >
>> > So, with the proxy configured in the browser, when the client connects
>> > to a server page using HTTPS, it should be presented NOT the server
>> > certificate BUT the proxy certificate.
>> > When the encrypted data arrives at the proxy, because it was encrypted
>> > with its proxy and not the server one, it can decrypt the data and log
>> it.
>> > After that it encrypts the data with the server certificate and sends
>> it.
>> > The response follows the same logic, but backwards.
>>
>> > The problem I currently have with Simple is that if defined as a proxy
>> > in the users browser, the handshake process does not work,
>> > so it never receives the request encrypted with its certificate to be
>> > logged.
>>
>> Sure, because your browsers sends an HTTP CONNECT where your proxy
>> server seems to expect a ClientHello for starting the SSL handshake
>> (different layer): that's what triggers the exceptions you get.
>>
>> > This is different than a tunnel, like you referred, as in a tunnel the
>> > proxy only makes two SSLSockets (browser-proxy and proxy-server) and
>> > connects them, never seeing whats is the data flowing through, because
>> > its encrypted with the server certificate.
>>
>> Sure, but that's the way HTTP proxy servers handle HTTPS traffic. That's
>> part of the protocol and you can't really get away from that. You have
>> to realise that what you're trying to do isn't an HTTP/HTTPS proxy and
>> thus won't be usable as such from the browser point of view.
>>
>> You could achieve what you're trying to do by connecting to the proxy
>> explicitly, having it relay the connections to the actual server in the
>> back-end. By this I mean connect to https://your.proxy:8888/ instead of
>> https://your.jboss.server:8443/.
>>
>>
>> If you want this to be transparent from the browser's point of view
>> (whether or not using HTTP proxy server settings), you won't be able to
>> do it using some standard configuration, but you're going to have use
>> some tricks at least on one side:
>>
>> - If you have control over your JBoss server, you could make it think
>> it's serving a port on which it's not actually listening. That's more or
>> less the same trick as what's used to run a Java server on a
>> non-privileged port and redirecting to it via iptables on a Linux box
>> (except that you wouldn't necessarily use iptables for the redirection,
>> but your proxy).
>> For example, you can currently run a number of Java containers on port
>> 8443, but have them serve requests as if they were on port 443
>> (logically). The actual forwarding between ports 443 and 8443 would be
>> done with iptables. What you'd need to do is the same idea, but have
>> your proxy do the redirection instead of iptables. That could actually
>> let you use the actual server certificate if you let your proxy server
>> have access to it.
>>
>> - If you have control over your browser instead, you might be able to
>> use to iptables trickery to make it think it's sending traffic to your
>> JBoss server when it's actually sending it to your proxy. Of course, the
>> proxy would sent its certificate instead of the original server.
>> This option can probably be a bit messy to set up.
>>
>>
>> Best wishes,
>>
>> Bruno.
>>
>>
>> > 2010/5/10 Bruno Harbulot <Bru...@ma...<http://mc/compose?to=Bru...@ma...>
>> > <mailto:Bru...@ma...<http://mc/compose?to=Bru...@ma...>
>> >>
>> >
>> >     Hi Fabio,
>> >
>> >     I'm not sure you see how HTTP proxy servers work. If you've
>> configured
>> >     your browser to use 127.0.0.1:8888 <http://127.0.0.1:8888> as a
>> >     proxy, it will use CONNECT for
>> >     HTTPS connections. CONNECT must relay the entire TCP traffic upon
>> which
>> >     is the SSL connection for this to work. An HTTP proxy server that
>> >     supports HTTPS doesn't have to support SSL itself.
>> >
>> >     If you want your proxy to behave like an HTTP proxy with regards to
>> >     HTTPS servers, it's CONNECT you need to implement, this has
>> absolutely
>> >     nothing to do with SSL or any SSLContext as far as this proxy server
>> is
>> >     concerned. It's just tunnelling the connection (no HTTP involved
>> after
>> >     the CONNECT request/response itself).
>> >
>> >     If, alternatively, you want it to act like a reverse proxy, which
>> would
>> >     relay the requests to your JBoss AS (I'm not sure if that's what
>> you're
>> >     trying to do), then you'd need your browser to assume it's the
>> actual
>> >     server (and thus not configure your browser to use it as an HTTP
>> proxy).
>> >
>> >     It's not clear from what you're saying which of these two scenarios
>> >     you're trying to achieve. They're completely different.
>> >
>> >     Best wishes,
>> >
>> >     Bruno.
>>
>>
>> ------------------------------------------------------------------------------
>>
>> _______________________________________________
>> Simpleweb-Support mailing list
>> Sim...@li...<http://mc/compose?to=Sim...@li...>
>> https://lists.sourceforge.net/lists/listinfo/simpleweb-support
>>
>
>
>
> --
> Fábio Matos
>
> -----Inline Attachment Follows-----
>
>
> ------------------------------------------------------------------------------
>
>
> -----Inline Attachment Follows-----
>
> _______________________________________________
>
> Simpleweb-Support mailing list
> Sim...@li...<http://mc/compose?to=Sim...@li...>
> https://lists.sourceforge.net/lists/listinfo/simpleweb-support
>
>
>
>
> ------------------------------------------------------------------------------
>
>
> _______________________________________________
> Simpleweb-Support mailing list
> Sim...@li...
> https://lists.sourceforge.net/lists/listinfo/simpleweb-support
>
>


-- 
Fábio Matos

Re: [Simpleweb-Support] SSL Handshake problem

[Niall G. <gal...@ya...>]

Hi Fabio,
For what you want you DO NOT want HTTP CONNECT. You want to scan the traffic in a HTTPS conversation. This is VERY easy to do. All you have to do is convince your browser your talking to the origin HTTPS server. The implementation is simple, your friends here are your /etc/hosts (and the windows equivenalt, which I can't remember). 
You will find some REALLY BAD code I have written here, this scans GWT RPC traffic to an uncontrolled foreign server. I am able to scan the traffic from my browser to this server and dump the messages. This is what you want, no? The code is here, but beware it is a real hack job. The class your looking for is an inner class named ProxyContainer.
https://simpleweb.svn.sourceforge.net/svnroot/simpleweb/trunk/src/demo/java/org/simpleframework/http/search/SearchServer.java
Here all you have to change, is the connection, give it your SSL context and your browser will have a HTTPS conversation with it. The proxy container will decrypt and then your internal client will re-encrypt. You can snoop the conversation in the middle. 
Niall
--- On Mon, 5/10/10, Fábio Matos <fab...@gm...> wrote:

From: Fábio Matos <fab...@gm...>
Subject: Re: [Simpleweb-Support] SSL Handshake problem
To: "Simple support and user issues" <sim...@li...>
Date: Monday, May 10, 2010, 12:21 PM

Hi, 
Heres a dumbed down hello world example for replicating the problem.
Bruno is right:
"Sure, because your browsers sends an HTTP CONNECT where your proxy


server seems to expect a ClientHello for starting the SSL handshake
(different layer): that's what triggers the exceptions you get."


The problem is that simple does support SSL, but does not support HTTP CONNECT... its a shame.


Could this be in a future release?


Bruno, i'll try to use one of your workarounds. Thanks.



2010/5/10 Bruno Harbulot <Bru...@ma...>


Hi Fabio,



On 10/05/2010 19:09, Fábio Matos wrote:

> Hi Bruno,

>

> Thanks for your patience. I'l try be more clear about what I want to do.

>

> I want a HTTPS proxy that acts as a man-in-the-middle for logging purposes.

>

>

> Browser ----- (1) ------ Simple "Proxy" (2) ------- (3) ------- Server

>

> (1) Traffic *encrypted *with *Proxy Certificate*

> (2) Traffic *decrypted *with *Proxy Certificate* and *logged*

> (3) Traffic *encrypted *with *Server Certificate*

>

> So, with the proxy configured in the browser, when the client connects

> to a server page using HTTPS, it should be presented NOT the server

> certificate BUT the proxy certificate.

> When the encrypted data arrives at the proxy, because it was encrypted

> with its proxy and not the server one, it can decrypt the data and log it.

> After that it encrypts the data with the server certificate and sends it.

> The response follows the same logic, but backwards.



> The problem I currently have with Simple is that if defined as a proxy

> in the users browser, the handshake process does not work,

> so it never receives the request encrypted with its certificate to be

> logged.



Sure, because your browsers sends an HTTP CONNECT where your proxy

server seems to expect a ClientHello for starting the SSL handshake

(different layer): that's what triggers the exceptions you get.



> This is different than a tunnel, like you referred, as in a tunnel the

> proxy only makes two SSLSockets (browser-proxy and proxy-server) and

> connects them, never seeing whats is the data flowing through, because

> its encrypted with the server certificate.



Sure, but that's the way HTTP proxy servers handle HTTPS traffic. That's

part of the protocol and you can't really get away from that. You have

to realise that what you're trying to do isn't an HTTP/HTTPS proxy and

thus won't be usable as such from the browser point of view.



You could achieve what you're trying to do by connecting to the proxy

explicitly, having it relay the connections to the actual server in the

back-end. By this I mean connect to https://your.proxy:8888/ instead of

https://your.jboss.server:8443/.





If you want this to be transparent from the browser's point of view

(whether or not using HTTP proxy server settings), you won't be able to

do it using some standard configuration, but you're going to have use

some tricks at least on one side:



- If you have control over your JBoss server, you could make it think

it's serving a port on which it's not actually listening. That's more or

less the same trick as what's used to run a Java server on a

non-privileged port and redirecting to it via iptables on a Linux box

(except that you wouldn't necessarily use iptables for the redirection,

but your proxy).

For example, you can currently run a number of Java containers on port

8443, but have them serve requests as if they were on port 443

(logically). The actual forwarding between ports 443 and 8443 would be

done with iptables. What you'd need to do is the same idea, but have

your proxy do the redirection instead of iptables. That could actually

let you use the actual server certificate if you let your proxy server

have access to it.



- If you have control over your browser instead, you might be able to

use to iptables trickery to make it think it's sending traffic to your

JBoss server when it's actually sending it to your proxy. Of course, the

proxy would sent its certificate instead of the original server.

This option can probably be a bit messy to set up.





Best wishes,



Bruno.





> 2010/5/10 Bruno Harbulot <Bru...@ma...

> <mailto:Bru...@ma...>>

>

>     Hi Fabio,

>

>     I'm not sure you see how HTTP proxy servers work. If you've configured

>     your browser to use 127.0.0.1:8888 <http://127.0.0.1:8888> as a

>     proxy, it will use CONNECT for

>     HTTPS connections. CONNECT must relay the entire TCP traffic upon which

>     is the SSL connection for this to work. An HTTP proxy server that

>     supports HTTPS doesn't have to support SSL itself.

>

>     If you want your proxy to behave like an HTTP proxy with regards to

>     HTTPS servers, it's CONNECT you need to implement, this has absolutely

>     nothing to do with SSL or any SSLContext as far as this proxy server is

>     concerned. It's just tunnelling the connection (no HTTP involved after

>     the CONNECT request/response itself).

>

>     If, alternatively, you want it to act like a reverse proxy, which would

>     relay the requests to your JBoss AS (I'm not sure if that's what you're

>     trying to do), then you'd need your browser to assume it's the actual

>     server (and thus not configure your browser to use it as an HTTP proxy).

>

>     It's not clear from what you're saying which of these two scenarios

>     you're trying to achieve. They're completely different.

>

>     Best wishes,

>

>     Bruno.



------------------------------------------------------------------------------



_______________________________________________

Simpleweb-Support mailing list

Sim...@li...

https://lists.sourceforge.net/lists/listinfo/simpleweb-support




-- 
Fábio Matos



-----Inline Attachment Follows-----

------------------------------------------------------------------------------


-----Inline Attachment Follows-----

_______________________________________________
Simpleweb-Support mailing list
Sim...@li...
https://lists.sourceforge.net/lists/listinfo/simpleweb-support



      

Re: [Simpleweb-Support] SSL Handshake problem

[Bruno H. <Bru...@ma...>]

Hi Fabio,

On 10/05/2010 19:09, Fábio Matos wrote:
> Hi Bruno,
>
> Thanks for your patience. I'l try be more clear about what I want to do.
>
> I want a HTTPS proxy that acts as a man-in-the-middle for logging purposes.
>
>
> Browser ----- (1) ------ Simple "Proxy" (2) ------- (3) ------- Server
>
> (1) Traffic *encrypted *with *Proxy Certificate*
> (2) Traffic *decrypted *with *Proxy Certificate* and *logged*
> (3) Traffic *encrypted *with *Server Certificate*
>
> So, with the proxy configured in the browser, when the client connects
> to a server page using HTTPS, it should be presented NOT the server
> certificate BUT the proxy certificate.
> When the encrypted data arrives at the proxy, because it was encrypted
> with its proxy and not the server one, it can decrypt the data and log it.
> After that it encrypts the data with the server certificate and sends it.
> The response follows the same logic, but backwards.

> The problem I currently have with Simple is that if defined as a proxy
> in the users browser, the handshake process does not work,
> so it never receives the request encrypted with its certificate to be
> logged.

Sure, because your browsers sends an HTTP CONNECT where your proxy 
server seems to expect a ClientHello for starting the SSL handshake 
(different layer): that's what triggers the exceptions you get.

> This is different than a tunnel, like you referred, as in a tunnel the
> proxy only makes two SSLSockets (browser-proxy and proxy-server) and
> connects them, never seeing whats is the data flowing through, because
> its encrypted with the server certificate.

Sure, but that's the way HTTP proxy servers handle HTTPS traffic. That's 
part of the protocol and you can't really get away from that. You have 
to realise that what you're trying to do isn't an HTTP/HTTPS proxy and 
thus won't be usable as such from the browser point of view.

You could achieve what you're trying to do by connecting to the proxy 
explicitly, having it relay the connections to the actual server in the 
back-end. By this I mean connect to https://your.proxy:8888/ instead of 
https://your.jboss.server:8443/.


If you want this to be transparent from the browser's point of view 
(whether or not using HTTP proxy server settings), you won't be able to 
do it using some standard configuration, but you're going to have use 
some tricks at least on one side:

- If you have control over your JBoss server, you could make it think 
it's serving a port on which it's not actually listening. That's more or 
less the same trick as what's used to run a Java server on a 
non-privileged port and redirecting to it via iptables on a Linux box 
(except that you wouldn't necessarily use iptables for the redirection, 
but your proxy).
For example, you can currently run a number of Java containers on port 
8443, but have them serve requests as if they were on port 443 
(logically). The actual forwarding between ports 443 and 8443 would be 
done with iptables. What you'd need to do is the same idea, but have 
your proxy do the redirection instead of iptables. That could actually 
let you use the actual server certificate if you let your proxy server 
have access to it.

- If you have control over your browser instead, you might be able to 
use to iptables trickery to make it think it's sending traffic to your 
JBoss server when it's actually sending it to your proxy. Of course, the 
proxy would sent its certificate instead of the original server.
This option can probably be a bit messy to set up.


Best wishes,

Bruno.


> 2010/5/10 Bruno Harbulot <Bru...@ma...
> <mailto:Bru...@ma...>>
>
>     Hi Fabio,
>
>     I'm not sure you see how HTTP proxy servers work. If you've configured
>     your browser to use 127.0.0.1:8888 <http://127.0.0.1:8888> as a
>     proxy, it will use CONNECT for
>     HTTPS connections. CONNECT must relay the entire TCP traffic upon which
>     is the SSL connection for this to work. An HTTP proxy server that
>     supports HTTPS doesn't have to support SSL itself.
>
>     If you want your proxy to behave like an HTTP proxy with regards to
>     HTTPS servers, it's CONNECT you need to implement, this has absolutely
>     nothing to do with SSL or any SSLContext as far as this proxy server is
>     concerned. It's just tunnelling the connection (no HTTP involved after
>     the CONNECT request/response itself).
>
>     If, alternatively, you want it to act like a reverse proxy, which would
>     relay the requests to your JBoss AS (I'm not sure if that's what you're
>     trying to do), then you'd need your browser to assume it's the actual
>     server (and thus not configure your browser to use it as an HTTP proxy).
>
>     It's not clear from what you're saying which of these two scenarios
>     you're trying to achieve. They're completely different.
>
>     Best wishes,
>
>     Bruno.

Re: [Simpleweb-Support] SSL Handshake problem

[Niall G. <gal...@ya...>]

Hi,
I think what Bruno is suggesting is what you want. If you like feel free to send on your proxy code and ill tell you what's wrong.
Niall

--- On Mon, 5/10/10, Fábio Matos <fab...@gm...> wrote:

From: Fábio Matos <fab...@gm...>
Subject: Re: [Simpleweb-Support] SSL Handshake problem
To: "Simple support and user issues" <sim...@li...>
Date: Monday, May 10, 2010, 11:09 AM

Hi Bruno,
Thanks for your patience. I'l try be more clear about what I want to do.
I want a HTTPS proxy that acts as a man-in-the-middle for logging purposes.



Browser ----- (1) ------ Simple "Proxy" (2) ------- (3) ------- Server
(1) Traffic encrypted with Proxy Certificate(2) Traffic decrypted with Proxy Certificate and logged

(3) Traffic encrypted with Server Certificate
So, with the proxy configured in the browser, when the client connects to a server page using HTTPS, it should be presented NOT the server certificate BUT the proxy certificate.

When the encrypted data arrives at the proxy, because it was encrypted with its proxy and not the server one, it can decrypt the data and log it.After that it encrypts the data with the server certificate and sends it.

The response follows the same logic, but backwards.
The problem I currently have with Simple is that if defined as a proxy in the users browser, the handshake process does not work, 

so it never receives the request encrypted with its certificate to be logged.
This is different than a tunnel, like you referred, as in a tunnel the proxy only makes two SSLSockets (browser-proxy and proxy-server) and connects them, never seeing whats is the data flowing through, because its encrypted with the server certificate. 


I hope I was clearer this time.
Thanks for you time.

2010/5/10 Bruno Harbulot <Bru...@ma...>


Hi Fabio,



I'm not sure you see how HTTP proxy servers work. If you've configured

your browser to use 127.0.0.1:8888 as a proxy, it will use CONNECT for

HTTPS connections. CONNECT must relay the entire TCP traffic upon which

is the SSL connection for this to work. An HTTP proxy server that

supports HTTPS doesn't have to support SSL itself.



If you want your proxy to behave like an HTTP proxy with regards to

HTTPS servers, it's CONNECT you need to implement, this has absolutely

nothing to do with SSL or any SSLContext as far as this proxy server is

concerned. It's just tunnelling the connection (no HTTP involved after

the CONNECT request/response itself).



If, alternatively, you want it to act like a reverse proxy, which would

relay the requests to your JBoss AS (I'm not sure if that's what you're

trying to do), then you'd need your browser to assume it's the actual

server (and thus not configure your browser to use it as an HTTP proxy).



It's not clear from what you're saying which of these two scenarios

you're trying to achieve. They're completely different.



Best wishes,



Bruno.





On 10/05/10 17:55, Fábio Matos wrote:

> Hello Bruno,

>

> I know what you said, but doesn't simple already supports this with the

> use of the SSLContext as I explained?

>

> This is the cenario:

>

> Browser ----- Simple "Proxy" (with proxy certificate) ----- JBoss AS

> (server certificate and webpage in root, port 8443)

>

> If I access https://127.0.0.1:8443, and defined the browser proxy to

> 127.0.0.1:8888 <http://127.0.0.1:8888> as explained, I was expecting to

> see simple

> providing the proxy certificate to the browser and after acceptance the

> request should arrive at the handler.

> Am I mistaken on this assumptions? Is this event possible with Simple?

> If not, where should I start to look in simple source code to make it

> possible?

>

> Thanks.

>

> 2010/5/10 Bruno Harbulot <Bru...@ma...

> <mailto:Bru...@ma...>>

>

>     Hi Fábio,

>

>     HTTP proxy servers, when relaying an HTTPS connection, are not the SSL

>     end-point. They use the 'CONNECT' verb to relay to connection directly

>     to the requested HTTPS server. If they were allowed to intercept the

>     initial connection and then re-emit it to the intended server, they

>     would act as a man-in-the-middle, which is what SSL is designed to

>     prevent.

>

>     If you want to design an HTTP proxy that supports SSL connections, you

>     need to support the CONNECT verb, which on the server-side simply

>     tunnels the connection to the destination server, and on the client-side

>     starts the handshake after receiving the 200 status code from CONNECT.

>

>     Best wishes,

>

>     Bruno.

>

>

>     On 10/05/10 17:20, Fábio Matos wrote:

>      > Hello,

>      >

>      > I'm trying to make a man-in-the-middle ssl proxy using simple and

>     apache

>      > httpclient.

>      >

>      > Basicly, I receive the request in the simple handler, convert it to a

>      > httpclient request, send it, convert the httpclient response to

>     simple

>      > response and voilá, I got myself a proxy.

>      > This is working perfectly using HTTP.

>      >

>      > The next step was adding HTTPS support.

>      > To do so I created a self-signed certificate/keystore, loaded it

>     up in a

>      > SSLContext and feed it to connection.connect method.

>      >

>      > And we arrive to the reason of this post. The port set in simple

>     is 8888.

>      >

>      > I have two behaviors:

>      >

>      > 1.

>      > If I access the https://127.0.0.1:8888 directly it shows me the

>      > certificate warning (self-signed), I accept it and the handler

>     receives

>      > the unencrypted request just  fine.

>      >

>      > 2.

>      > If I set the browser proxy to 127.0.0.1:8888

>     <http://127.0.0.1:8888> <http://127.0.0.1:8888> in

>      > all protocols so, like in the HTTP case, every package passes by the

>      > simple handler, access a https website and the following error occurs

>      > multiple times and empty response is returned:

>      >

>      > Using SSLEngineImpl.

>      > Notifier-0, fatal error: 80: problem unwrapping net record

>      > javax.net.ssl.SSLException: Unrecognized SSL message, plaintext

>     connection?

>      > Notifier-0, SEND TLSv1 ALERT:  fatal, description = internal_error

>      > Notifier-0, WRITE: TLSv1 Alert, length = 2

>      >

>      > I saw the related post about the release of Simple 4.1.20 that should

>      > fix an SSL problem and I'm using that version.

>      > I tried it with the example shown in that post and it also gives

>     me the

>      > referred error.

>      >

>      > Can you please give me any help on this? Is this a bug or a

>      > configuration error?

>      >

>      > Thanks in advance.

>      >

>      > --

>      > Fábio Matos

>      >



------------------------------------------------------------------------------



_______________________________________________

Simpleweb-Support mailing list

Sim...@li...

https://lists.sourceforge.net/lists/listinfo/simpleweb-support




-- 
Fábio Matos



-----Inline Attachment Follows-----

------------------------------------------------------------------------------


-----Inline Attachment Follows-----

_______________________________________________
Simpleweb-Support mailing list
Sim...@li...
https://lists.sourceforge.net/lists/listinfo/simpleweb-support



      

Re: [Simpleweb-Support] SSL Handshake problem

[Fábio M. <fab...@gm...>]

Hi Bruno,

Thanks for your patience. I'l try be more clear about what I want to do.

I want a HTTPS proxy that acts as a man-in-the-middle for logging purposes.


Browser ----- (1) ------ Simple "Proxy" (2) ------- (3) ------- Server

(1) Traffic *encrypted *with *Proxy Certificate*
(2) Traffic *decrypted *with *Proxy Certificate* and *logged*
(3) Traffic *encrypted *with *Server Certificate*

So, with the proxy configured in the browser, when the client connects to a
server page using HTTPS, it should be presented NOT the server certificate
BUT the proxy certificate.
When the encrypted data arrives at the proxy, because it was encrypted with
its proxy and not the server one, it can decrypt the data and log it.
After that it encrypts the data with the server certificate and sends it.
The response follows the same logic, but backwards.

The problem I currently have with Simple is that if defined as a proxy in
the users browser, the handshake process does not work,
so it never receives the request encrypted with its certificate to be
logged.

This is different than a tunnel, like you referred, as in a tunnel the proxy
only makes two SSLSockets (browser-proxy and proxy-server) and connects
them, never seeing whats is the data flowing through, because its encrypted
with the server certificate.

I hope I was clearer this time.

Thanks for you time.


2010/5/10 Bruno Harbulot <Bru...@ma...>

> Hi Fabio,
>
> I'm not sure you see how HTTP proxy servers work. If you've configured
> your browser to use 127.0.0.1:8888 as a proxy, it will use CONNECT for
> HTTPS connections. CONNECT must relay the entire TCP traffic upon which
> is the SSL connection for this to work. An HTTP proxy server that
> supports HTTPS doesn't have to support SSL itself.
>
> If you want your proxy to behave like an HTTP proxy with regards to
> HTTPS servers, it's CONNECT you need to implement, this has absolutely
> nothing to do with SSL or any SSLContext as far as this proxy server is
> concerned. It's just tunnelling the connection (no HTTP involved after
> the CONNECT request/response itself).
>
> If, alternatively, you want it to act like a reverse proxy, which would
> relay the requests to your JBoss AS (I'm not sure if that's what you're
> trying to do), then you'd need your browser to assume it's the actual
> server (and thus not configure your browser to use it as an HTTP proxy).
>
> It's not clear from what you're saying which of these two scenarios
> you're trying to achieve. They're completely different.
>
> Best wishes,
>
> Bruno.
>
>
> On 10/05/10 17:55, Fábio Matos wrote:
> > Hello Bruno,
> >
> > I know what you said, but doesn't simple already supports this with the
> > use of the SSLContext as I explained?
> >
> > This is the cenario:
> >
> > Browser ----- Simple "Proxy" (with proxy certificate) ----- JBoss AS
> > (server certificate and webpage in root, port 8443)
> >
> > If I access https://127.0.0.1:8443, and defined the browser proxy to
> > 127.0.0.1:8888 <http://127.0.0.1:8888> as explained, I was expecting to
> > see simple
> > providing the proxy certificate to the browser and after acceptance the
> > request should arrive at the handler.
> > Am I mistaken on this assumptions? Is this event possible with Simple?
> > If not, where should I start to look in simple source code to make it
> > possible?
> >
> > Thanks.
> >
> > 2010/5/10 Bruno Harbulot <Bru...@ma...
> > <mailto:Bru...@ma...>>
> >
> >     Hi Fábio,
> >
> >     HTTP proxy servers, when relaying an HTTPS connection, are not the
> SSL
> >     end-point. They use the 'CONNECT' verb to relay to connection
> directly
> >     to the requested HTTPS server. If they were allowed to intercept the
> >     initial connection and then re-emit it to the intended server, they
> >     would act as a man-in-the-middle, which is what SSL is designed to
> >     prevent.
> >
> >     If you want to design an HTTP proxy that supports SSL connections,
> you
> >     need to support the CONNECT verb, which on the server-side simply
> >     tunnels the connection to the destination server, and on the
> client-side
> >     starts the handshake after receiving the 200 status code from
> CONNECT.
> >
> >     Best wishes,
> >
> >     Bruno.
> >
> >
> >     On 10/05/10 17:20, Fábio Matos wrote:
> >      > Hello,
> >      >
> >      > I'm trying to make a man-in-the-middle ssl proxy using simple and
> >     apache
> >      > httpclient.
> >      >
> >      > Basicly, I receive the request in the simple handler, convert it
> to a
> >      > httpclient request, send it, convert the httpclient response to
> >     simple
> >      > response and voilá, I got myself a proxy.
> >      > This is working perfectly using HTTP.
> >      >
> >      > The next step was adding HTTPS support.
> >      > To do so I created a self-signed certificate/keystore, loaded it
> >     up in a
> >      > SSLContext and feed it to connection.connect method.
> >      >
> >      > And we arrive to the reason of this post. The port set in simple
> >     is 8888.
> >      >
> >      > I have two behaviors:
> >      >
> >      > 1.
> >      > If I access the https://127.0.0.1:8888 directly it shows me the
> >      > certificate warning (self-signed), I accept it and the handler
> >     receives
> >      > the unencrypted request just  fine.
> >      >
> >      > 2.
> >      > If I set the browser proxy to 127.0.0.1:8888
> >     <http://127.0.0.1:8888> <http://127.0.0.1:8888> in
> >      > all protocols so, like in the HTTP case, every package passes by
> the
> >      > simple handler, access a https website and the following error
> occurs
> >      > multiple times and empty response is returned:
> >      >
> >      > Using SSLEngineImpl.
> >      > Notifier-0, fatal error: 80: problem unwrapping net record
> >      > javax.net.ssl.SSLException: Unrecognized SSL message, plaintext
> >     connection?
> >      > Notifier-0, SEND TLSv1 ALERT:  fatal, description = internal_error
> >      > Notifier-0, WRITE: TLSv1 Alert, length = 2
> >      >
> >      > I saw the related post about the release of Simple 4.1.20 that
> should
> >      > fix an SSL problem and I'm using that version.
> >      > I tried it with the example shown in that post and it also gives
> >     me the
> >      > referred error.
> >      >
> >      > Can you please give me any help on this? Is this a bug or a
> >      > configuration error?
> >      >
> >      > Thanks in advance.
> >      >
> >      > --
> >      > Fábio Matos
> >      >
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Simpleweb-Support mailing list
> Sim...@li...
> https://lists.sourceforge.net/lists/listinfo/simpleweb-support
>



-- 
Fábio Matos

Re: [Simpleweb-Support] SSL Handshake problem

[Bruno H. <Bru...@ma...>]

Hi Fabio,

I'm not sure you see how HTTP proxy servers work. If you've configured 
your browser to use 127.0.0.1:8888 as a proxy, it will use CONNECT for 
HTTPS connections. CONNECT must relay the entire TCP traffic upon which 
is the SSL connection for this to work. An HTTP proxy server that 
supports HTTPS doesn't have to support SSL itself.

If you want your proxy to behave like an HTTP proxy with regards to 
HTTPS servers, it's CONNECT you need to implement, this has absolutely 
nothing to do with SSL or any SSLContext as far as this proxy server is 
concerned. It's just tunnelling the connection (no HTTP involved after 
the CONNECT request/response itself).

If, alternatively, you want it to act like a reverse proxy, which would 
relay the requests to your JBoss AS (I'm not sure if that's what you're 
trying to do), then you'd need your browser to assume it's the actual 
server (and thus not configure your browser to use it as an HTTP proxy).

It's not clear from what you're saying which of these two scenarios 
you're trying to achieve. They're completely different.

Best wishes,

Bruno.


On 10/05/10 17:55, Fábio Matos wrote:
> Hello Bruno,
>
> I know what you said, but doesn't simple already supports this with the
> use of the SSLContext as I explained?
>
> This is the cenario:
>
> Browser ----- Simple "Proxy" (with proxy certificate) ----- JBoss AS
> (server certificate and webpage in root, port 8443)
>
> If I access https://127.0.0.1:8443, and defined the browser proxy to
> 127.0.0.1:8888 <http://127.0.0.1:8888> as explained, I was expecting to
> see simple
> providing the proxy certificate to the browser and after acceptance the
> request should arrive at the handler.
> Am I mistaken on this assumptions? Is this event possible with Simple?
> If not, where should I start to look in simple source code to make it
> possible?
>
> Thanks.
>
> 2010/5/10 Bruno Harbulot <Bru...@ma...
> <mailto:Bru...@ma...>>
>
>     Hi Fábio,
>
>     HTTP proxy servers, when relaying an HTTPS connection, are not the SSL
>     end-point. They use the 'CONNECT' verb to relay to connection directly
>     to the requested HTTPS server. If they were allowed to intercept the
>     initial connection and then re-emit it to the intended server, they
>     would act as a man-in-the-middle, which is what SSL is designed to
>     prevent.
>
>     If you want to design an HTTP proxy that supports SSL connections, you
>     need to support the CONNECT verb, which on the server-side simply
>     tunnels the connection to the destination server, and on the client-side
>     starts the handshake after receiving the 200 status code from CONNECT.
>
>     Best wishes,
>
>     Bruno.
>
>
>     On 10/05/10 17:20, Fábio Matos wrote:
>      > Hello,
>      >
>      > I'm trying to make a man-in-the-middle ssl proxy using simple and
>     apache
>      > httpclient.
>      >
>      > Basicly, I receive the request in the simple handler, convert it to a
>      > httpclient request, send it, convert the httpclient response to
>     simple
>      > response and voilá, I got myself a proxy.
>      > This is working perfectly using HTTP.
>      >
>      > The next step was adding HTTPS support.
>      > To do so I created a self-signed certificate/keystore, loaded it
>     up in a
>      > SSLContext and feed it to connection.connect method.
>      >
>      > And we arrive to the reason of this post. The port set in simple
>     is 8888.
>      >
>      > I have two behaviors:
>      >
>      > 1.
>      > If I access the https://127.0.0.1:8888 directly it shows me the
>      > certificate warning (self-signed), I accept it and the handler
>     receives
>      > the unencrypted request just  fine.
>      >
>      > 2.
>      > If I set the browser proxy to 127.0.0.1:8888
>     <http://127.0.0.1:8888> <http://127.0.0.1:8888> in
>      > all protocols so, like in the HTTP case, every package passes by the
>      > simple handler, access a https website and the following error occurs
>      > multiple times and empty response is returned:
>      >
>      > Using SSLEngineImpl.
>      > Notifier-0, fatal error: 80: problem unwrapping net record
>      > javax.net.ssl.SSLException: Unrecognized SSL message, plaintext
>     connection?
>      > Notifier-0, SEND TLSv1 ALERT:  fatal, description = internal_error
>      > Notifier-0, WRITE: TLSv1 Alert, length = 2
>      >
>      > I saw the related post about the release of Simple 4.1.20 that should
>      > fix an SSL problem and I'm using that version.
>      > I tried it with the example shown in that post and it also gives
>     me the
>      > referred error.
>      >
>      > Can you please give me any help on this? Is this a bug or a
>      > configuration error?
>      >
>      > Thanks in advance.
>      >
>      > --
>      > Fábio Matos
>      >

Re: [Simpleweb-Support] SSL Handshake problem

[Fábio M. <fab...@gm...>]

Hello Bruno,

I know what you said, but doesn't simple already supports this with the use
of the SSLContext as I explained?

This is the cenario:

Browser ----- Simple "Proxy" (with proxy certificate) ----- JBoss AS (server
certificate and webpage in root, port 8443)

If I access https://127.0.0.1:8443, and defined the browser proxy to
127.0.0.1:8888 as explained, I was expecting to see simple
providing the proxy certificate to the browser and after acceptance the
request should arrive at the handler.
Am I mistaken on this assumptions? Is this event possible with Simple? If
not, where should I start to look in simple source code to make it possible?

Thanks.

2010/5/10 Bruno Harbulot <Bru...@ma...>

> Hi Fábio,
>
> HTTP proxy servers, when relaying an HTTPS connection, are not the SSL
> end-point. They use the 'CONNECT' verb to relay to connection directly
> to the requested HTTPS server. If they were allowed to intercept the
> initial connection and then re-emit it to the intended server, they
> would act as a man-in-the-middle, which is what SSL is designed to prevent.
>
> If you want to design an HTTP proxy that supports SSL connections, you
> need to support the CONNECT verb, which on the server-side simply
> tunnels the connection to the destination server, and on the client-side
> starts the handshake after receiving the 200 status code from CONNECT.
>
> Best wishes,
>
> Bruno.
>
>
> On 10/05/10 17:20, Fábio Matos wrote:
> > Hello,
> >
> > I'm trying to make a man-in-the-middle ssl proxy using simple and apache
> > httpclient.
> >
> > Basicly, I receive the request in the simple handler, convert it to a
> > httpclient request, send it, convert the httpclient response to simple
> > response and voilá, I got myself a proxy.
> > This is working perfectly using HTTP.
> >
> > The next step was adding HTTPS support.
> > To do so I created a self-signed certificate/keystore, loaded it up in a
> > SSLContext and feed it to connection.connect method.
> >
> > And we arrive to the reason of this post. The port set in simple is 8888.
> >
> > I have two behaviors:
> >
> > 1.
> > If I access the https://127.0.0.1:8888 directly it shows me the
> > certificate warning (self-signed), I accept it and the handler receives
> > the unencrypted request just  fine.
> >
> > 2.
> > If I set the browser proxy to 127.0.0.1:8888 <http://127.0.0.1:8888> in
> > all protocols so, like in the HTTP case, every package passes by the
> > simple handler, access a https website and the following error occurs
> > multiple times and empty response is returned:
> >
> > Using SSLEngineImpl.
> > Notifier-0, fatal error: 80: problem unwrapping net record
> > javax.net.ssl.SSLException: Unrecognized SSL message, plaintext
> connection?
> > Notifier-0, SEND TLSv1 ALERT:  fatal, description = internal_error
> > Notifier-0, WRITE: TLSv1 Alert, length = 2
> >
> > I saw the related post about the release of Simple 4.1.20 that should
> > fix an SSL problem and I'm using that version.
> > I tried it with the example shown in that post and it also gives me the
> > referred error.
> >
> > Can you please give me any help on this? Is this a bug or a
> > configuration error?
> >
> > Thanks in advance.
> >
> > --
> > Fábio Matos
> >
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Simpleweb-Support mailing list
> Sim...@li...
> https://lists.sourceforge.net/lists/listinfo/simpleweb-support
>



-- 
Fábio Matos

Re: [Simpleweb-Support] SSL Handshake problem

[Bruno H. <Bru...@ma...>]

Hi Fábio,

HTTP proxy servers, when relaying an HTTPS connection, are not the SSL 
end-point. They use the 'CONNECT' verb to relay to connection directly 
to the requested HTTPS server. If they were allowed to intercept the 
initial connection and then re-emit it to the intended server, they 
would act as a man-in-the-middle, which is what SSL is designed to prevent.

If you want to design an HTTP proxy that supports SSL connections, you 
need to support the CONNECT verb, which on the server-side simply 
tunnels the connection to the destination server, and on the client-side 
starts the handshake after receiving the 200 status code from CONNECT.

Best wishes,

Bruno.


On 10/05/10 17:20, Fábio Matos wrote:
> Hello,
>
> I'm trying to make a man-in-the-middle ssl proxy using simple and apache
> httpclient.
>
> Basicly, I receive the request in the simple handler, convert it to a
> httpclient request, send it, convert the httpclient response to simple
> response and voilá, I got myself a proxy.
> This is working perfectly using HTTP.
>
> The next step was adding HTTPS support.
> To do so I created a self-signed certificate/keystore, loaded it up in a
> SSLContext and feed it to connection.connect method.
>
> And we arrive to the reason of this post. The port set in simple is 8888.
>
> I have two behaviors:
>
> 1.
> If I access the https://127.0.0.1:8888 directly it shows me the
> certificate warning (self-signed), I accept it and the handler receives
> the unencrypted request just  fine.
>
> 2.
> If I set the browser proxy to 127.0.0.1:8888 <http://127.0.0.1:8888> in
> all protocols so, like in the HTTP case, every package passes by the
> simple handler, access a https website and the following error occurs
> multiple times and empty response is returned:
>
> Using SSLEngineImpl.
> Notifier-0, fatal error: 80: problem unwrapping net record
> javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
> Notifier-0, SEND TLSv1 ALERT:  fatal, description = internal_error
> Notifier-0, WRITE: TLSv1 Alert, length = 2
>
> I saw the related post about the release of Simple 4.1.20 that should
> fix an SSL problem and I'm using that version.
> I tried it with the example shown in that post and it also gives me the
> referred error.
>
> Can you please give me any help on this? Is this a bug or a
> configuration error?
>
> Thanks in advance.
>
> --
> Fábio Matos
>

[Simpleweb-Support] SSL Handshake problem

[Fábio M. <fab...@gm...>]

Hello,

I'm trying to make a man-in-the-middle ssl proxy using simple and apache
httpclient.

Basicly, I receive the request in the simple handler, convert it to a
httpclient request, send it, convert the httpclient response to simple
response and voilá, I got myself a proxy.
This is working perfectly using HTTP.

The next step was adding HTTPS support.
To do so I created a self-signed certificate/keystore, loaded it up in a
SSLContext and feed it to connection.connect method.

And we arrive to the reason of this post. The port set in simple is 8888.

I have two behaviors:

1.
If I access the https://127.0.0.1:8888 directly it shows me the certificate
warning (self-signed), I accept it and the handler receives the unencrypted
request just  fine.

2.
If I set the browser proxy to 127.0.0.1:8888 in all protocols so, like in
the HTTP case, every package passes by the simple handler, access a https
website and the following error occurs multiple times and empty response is
returned:

Using SSLEngineImpl.
Notifier-0, fatal error: 80: problem unwrapping net record
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
Notifier-0, SEND TLSv1 ALERT:  fatal, description = internal_error
Notifier-0, WRITE: TLSv1 Alert, length = 2


I saw the related post about the release of Simple 4.1.20 that should fix an
SSL problem and I'm using that version.
I tried it with the example shown in that post and it also gives me the
referred error.

Can you please give me any help on this? Is this a bug or a configuration
error?

Thanks in advance.

-- 
Fábio Matos

Re: [Simpleweb-Support] What is the correct way to set the Content-Length?

[<sim...@br...>]

Niall,

I figured out what was happening.

If I set the body content before setting the Content-Length, then 
Transfer-Encoding gets set to "chunked", if I set the Content-Length 
first, then Transfer-Encoding is not set and all is well.

I did notice that either way the Content-Length was actually in the 
header (according to the toString() output), but I guess that 
Firefox/HttpFox would ignore it as well as the Apache HTTP Client libraries.

Thank you for your help! It is greatly appreciated!

Jeffrey

nia...@rb... said the following on 4/23/2010 3:42 AM:
> Hi,
>
> Both should be valid, however the HTTP response delimeter depends on several things. The protocol version, whether you have conflicting response delimeter headers. To find out for sure what you are sending to a Response.toString() after the Response.commit(), this will give you what was put on the wire.
>
> Don't forget, that HTTP proxies etc can modify the HTTP header so a Content-Length may get stripped. I will take a look just to be 100% sure, but I don't think there is ant bug here if you are using version 4.1.20.
>
> Regards,
> Niall
>
> -----Original Message-----
> From: sim...@br... [mailto:sim...@br...]
> Sent: 22 April 2010 20:29
> To: Sim...@li...
> Subject: [Simpleweb-Support] What is the correct way to set the Content-Length?
>
> I seemed to either have found a bug (doubtful) or I am just plain missing the boat.
>
> What is the correct way to set the Content-Length?
>
> I've over-ridden public void handle(Request request, Response response) in Resource.
>
> In this method, I have tried:
> response.set("Content-Length", int length);
>
> And I've tried
> public void setContentLength(int length);
>
> Neither set the content length (at least according to Firefox HttpFox).
>
> So what is the correct method?
>
> Jeffrey A. Krzysztow
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Simpleweb-Support mailing list
> Sim...@li...
> https://lists.sourceforge.net/lists/listinfo/simpleweb-support
>
> ***********************************************************************************
> The Royal Bank of Scotland plc. Registered in Scotland No 90312.
> Registered Office: 36 St Andrew Square, Edinburgh EH2 2YB.
> Authorised and regulated by the Financial Services Authority. The
> Royal Bank of Scotland N.V. is authorised and regulated by the
> De Nederlandsche Bank and has its seat at Amsterdam, the
> Netherlands, and is registered in the Commercial Register under
> number 33002587. Registered Office: Gustav Mahlerlaan 10,
> Amsterdam, The Netherlands. The Royal Bank of Scotland N.V. and
> The Royal Bank of Scotland plc are authorised to act as agent for each
> other in certain jurisdictions.
>
> This e-mail message is confidential and for use by the addressee only.
> If the message is received by anyone other than the addressee, please
> return the message to the sender by replying to it and then delete the
> message from your computer. Internet e-mails are not necessarily
> secure. The Royal Bank of Scotland plc and The Royal Bank of Scotland
> N.V. including its affiliates ("RBS group") does not accept responsibility
> for changes made to this message after it was sent.
>
> Whilst all reasonable care has been taken to avoid the transmission of
> viruses, it is the responsibility of the recipient to ensure that the onward
> transmission, opening or use of this message and any attachments will
> not adversely affect its systems or data. No responsibility is accepted
> by the RBS group in this regard and the recipient should carry out such
> virus and other checks as it considers appropriate.
>
> Visit our website at www.rbs.com
>
> ***********************************************************************************
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Simpleweb-Support mailing list
> Sim...@li...
> https://lists.sourceforge.net/lists/listinfo/simpleweb-support
>
>    

Re: [Simpleweb-Support] What is the correct way to set the Content-Length?

[<nia...@rb...>]

Hi,

Both should be valid, however the HTTP response delimeter depends on several things. The protocol version, whether you have conflicting response delimeter headers. To find out for sure what you are sending to a Response.toString() after the Response.commit(), this will give you what was put on the wire.

Don't forget, that HTTP proxies etc can modify the HTTP header so a Content-Length may get stripped. I will take a look just to be 100% sure, but I don't think there is ant bug here if you are using version 4.1.20. 

Regards,
Niall

-----Original Message-----
From: sim...@br... [mailto:sim...@br...] 
Sent: 22 April 2010 20:29
To: Sim...@li...
Subject: [Simpleweb-Support] What is the correct way to set the Content-Length?

I seemed to either have found a bug (doubtful) or I am just plain missing the boat.

What is the correct way to set the Content-Length?

I've over-ridden public void handle(Request request, Response response) in Resource.

In this method, I have tried:
response.set("Content-Length", int length);

And I've tried
public void setContentLength(int length);

Neither set the content length (at least according to Firefox HttpFox).

So what is the correct method?

Jeffrey A. Krzysztow

------------------------------------------------------------------------------
_______________________________________________
Simpleweb-Support mailing list
Sim...@li...
https://lists.sourceforge.net/lists/listinfo/simpleweb-support

***********************************************************************************
The Royal Bank of Scotland plc. Registered in Scotland No 90312. 
Registered Office: 36 St Andrew Square, Edinburgh EH2 2YB. 
Authorised and regulated by the Financial Services Authority. The
Royal Bank of Scotland N.V. is authorised and regulated by the 
De Nederlandsche Bank and has its seat at Amsterdam, the 
Netherlands, and is registered in the Commercial Register under 
number 33002587. Registered Office: Gustav Mahlerlaan 10, 
Amsterdam, The Netherlands. The Royal Bank of Scotland N.V. and 
The Royal Bank of Scotland plc are authorised to act as agent for each 
other in certain jurisdictions.
 
This e-mail message is confidential and for use by the addressee only.
If the message is received by anyone other than the addressee, please 
return the message to the sender by replying to it and then delete the 
message from your computer. Internet e-mails are not necessarily 
secure. The Royal Bank of Scotland plc and The Royal Bank of Scotland 
N.V. including its affiliates ("RBS group") does not accept responsibility 
for changes made to this message after it was sent. 

Whilst all reasonable care has been taken to avoid the transmission of 
viruses, it is the responsibility of the recipient to ensure that the onward
transmission, opening or use of this message and any attachments will 
not adversely affect its systems or data. No responsibility is accepted 
by the RBS group in this regard and the recipient should carry out such 
virus and other checks as it considers appropriate. 

Visit our website at www.rbs.com

***********************************************************************************

Re: [Simpleweb-Support] Problems with Address getDomain getPort

[<nia...@rb...>]

Hi,

The getAddress method returns the request line address, which is a URI as defined by the RFC. A URI can be absolute or relative. For a HTTP proxy it will be absolute, for a HTTP web server it will be relative.

If you would like to know how the URL came in, then the HTTP/1.1 specification RFC 2616 requires that the "Host" header is set with all requests. Try this.

String host = req.getValue("Host");

Then, if you like you can parse it like so.

Address hostAddress = new AddressParser(host);
String domain = hostAddress.getDomain();
String port = hostAddress.getPort();

If the host is missing for a HTTP/1.1 request then set an error response Status.BAD_REQUEST back to the client (this is how it should be done). Your local address is.

hostAddress.toString() + req.getTarget()

That should be enough to find the target address.

Hope this helps,
Niall

Niall Gallagher
RBS Global Banking & Markets
Office: +44 2070851454



________________________________
From: Ryan Daum [mailto:ry...@th...]
Sent: 22 April 2010 17:48
To: Sim...@li...
Subject: [Simpleweb-Support] Problems with Address getDomain getPort

I have an application that was using the Jersey simple server wrapper, and I'm converting it to use simpleframework directly.

In Jersey/JAX-RS I was reading the URL host/port from its Request, and using that to write some absolute URLs pointing back to my server. I am trying to do the same thing using just simpleframework and running into issues.

Basically when I hit the server and look in the debugger getTarget is returning a URL without protocol, host, or port, just the path.  Likewise, when I use getAddress.getDomain it returns null and getPort returns -1.  This is just plainly false.

I'm trying to figure out what I could be doing wrong.  I read through the Jersey simple framework source and I don't see any difference between the way they're using the framework and the way I am.

Here's my (Scala) code for starting my server:

        container = new ResourceContainer(this)
        connection = new SocketConnection(container)
        val address = new InetSocketAddress(7070)
        connection.connect(address)

"this" is:

class HttpContainer extends ResourceEngine with Log {

and the resolve method returns, for one example:

object healthCheckResource  extends ServerResource {
    def perform(request:Request, response:Response) : Unit = {
        val host: String = request.getAddress.getDomain
        val port: Int = request.getAddress.getPort
        val address = localAddress(request)
        ...
   }
}

and 'localAddress' method is:

def localAddress(req: Request) : String = {
        val port = req.getAddress.getPath
        val hostName = req.getAddress.getDomain
        if (port == -1) hostName else hostName + ":" + port
}


***********************************************************************************
The Royal Bank of Scotland plc. Registered in Scotland No 90312. 
Registered Office: 36 St Andrew Square, Edinburgh EH2 2YB. 
Authorised and regulated by the Financial Services Authority. The
Royal Bank of Scotland N.V. is authorised and regulated by the 
De Nederlandsche Bank and has its seat at Amsterdam, the 
Netherlands, and is registered in the Commercial Register under 
number 33002587. Registered Office: Gustav Mahlerlaan 10, 
Amsterdam, The Netherlands. The Royal Bank of Scotland N.V. and 
The Royal Bank of Scotland plc are authorised to act as agent for each 
other in certain jurisdictions.
 
This e-mail message is confidential and for use by the addressee only.
If the message is received by anyone other than the addressee, please 
return the message to the sender by replying to it and then delete the 
message from your computer. Internet e-mails are not necessarily 
secure. The Royal Bank of Scotland plc and The Royal Bank of Scotland 
N.V. including its affiliates ("RBS group") does not accept responsibility 
for changes made to this message after it was sent. 

Whilst all reasonable care has been taken to avoid the transmission of 
viruses, it is the responsibility of the recipient to ensure that the onward
transmission, opening or use of this message and any attachments will 
not adversely affect its systems or data. No responsibility is accepted 
by the RBS group in this regard and the recipient should carry out such 
virus and other checks as it considers appropriate. 

Visit our website at www.rbs.com

***********************************************************************************

[Simpleweb-Support] What is the correct way to set the Content-Length?

[<sim...@br...>]

I seemed to either have found a bug (doubtful) or I am just plain 
missing the boat.

What is the correct way to set the Content-Length?

I've over-ridden public void handle(Request request, Response response) 
in Resource.

In this method, I have tried:
response.set("Content-Length", int length);

And I've tried
public void setContentLength(int length);

Neither set the content length (at least according to Firefox HttpFox).

So what is the correct method?

Jeffrey A. Krzysztow

[Simpleweb-Support] Problems with Address getDomain getPort

[Ryan D. <ry...@th...>]

I have an application that was using the Jersey simple server wrapper, and
I'm converting it to use simpleframework directly.

In Jersey/JAX-RS I was reading the URL host/port from its Request, and using
that to write some absolute URLs pointing back to my server. I am trying to
do the same thing using just simpleframework and running into issues.

Basically when I hit the server and look in the debugger getTarget is
returning a URL without protocol, host, or port, just the path.  Likewise,
when I use getAddress.getDomain it returns null and getPort returns -1.
 This is just plainly false.

I'm trying to figure out what I could be doing wrong.  I read through the
Jersey simple framework source and I don't see any difference between the
way they're using the framework and the way I am.

Here's my (Scala) code for starting my server:

        container = new ResourceContainer(this)
        connection = new SocketConnection(container)
        val address = new InetSocketAddress(7070)
        connection.connect(address)

"this" is:

class HttpContainer extends ResourceEngine with Log {

and the resolve method returns, for one example:

object healthCheckResource  extends ServerResource {
    def perform(request:Request, response:Response) : Unit = {
        val host: String = request.getAddress.getDomain
        val port: Int = request.getAddress.getPort
        val address = localAddress(request)
        ...
   }
}

and 'localAddress' method is:

def localAddress(req: Request) : String = {
        val port = req.getAddress.getPath
        val hostName = req.getAddress.getDomain
        if (port == -1) hostName else hostName + ":" + port
}

Re: [Simpleweb-Support] Are filters supported?

[Jerome L. <jer...@no...>]

Hi Björn,

You can also have a look at the Restlet Framework, a RESTful web framework
offering a fully featured routing API, including filters, as well as a
security API mapping HTTP semantics (including DIGEST) to a simple Java API:
http://www.restlet.org

We also leverage Simple as a standalone HTTP server connector.

Best regards,
Jerome Louvel
--
Restlet ~ Founder and Technical Lead ~ http://www.restlet.org
Noelios Technologies ~ http://www.noelios.com



-----Message d'origine-----
De : Brad McEvoy [mailto:br...@br...] 
Envoyé : lundi 5 avril 2010 22:42
À : Simple support and user issues
Objet : Re: [Simpleweb-Support] Are filters supported?

Hi Björn,

I just saw your comment about webdav and digest authentication. I'm the 
author of milton, which is a server side webdav library, which supports 
digest. It's normally used as a servlet, but also has an adapter for 
simplehttp. And it has filters :)

See http://milton.ettrema.com

Cheers,
Brad

Björn Raupach wrote:
> Hi,
>
> does simple support containers that act like filters in the Java Servlet
specification?
>
> I implemented parts of digest access authentication and webDAV. However it
all ended up in one big container. It works, but it looks rather chunky. I
would like to modularize the code, e.g. digest access authentication is
probably nice in some other projects. Any ideas?
>
> with kind regards,
> Björn
>
----------------------------------------------------------------------------
--
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Simpleweb-Support mailing list
> Sim...@li...
> https://lists.sourceforge.net/lists/listinfo/simpleweb-support
>    


----------------------------------------------------------------------------
--
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Simpleweb-Support mailing list
Sim...@li...
https://lists.sourceforge.net/lists/listinfo/simpleweb-support

Re: [Simpleweb-Support] Are filters supported?

[Brad M. <br...@br...>]

Hi Björn,

I just saw your comment about webdav and digest authentication. I'm the 
author of milton, which is a server side webdav library, which supports 
digest. It's normally used as a servlet, but also has an adapter for 
simplehttp. And it has filters :)

See http://milton.ettrema.com

Cheers,
Brad

Björn Raupach wrote:
> Hi,
>
> does simple support containers that act like filters in the Java Servlet specification?
>
> I implemented parts of digest access authentication and webDAV. However it all ended up in one big container. It works, but it looks rather chunky. I would like to modularize the code, e.g. digest access authentication is probably nice in some other projects. Any ideas?
>
> with kind regards,
> Björn
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Simpleweb-Support mailing list
> Sim...@li...
> https://lists.sourceforge.net/lists/listinfo/simpleweb-support
>