Problems with SSL via Proxy

Mohammed Rakhada morakhad at cisco.com
Thu Sep 22 10:27:16 UTC 2011


Hello Dmitry,

The patch worked fine for me. Thanks for this. I'll continue to test and
if it uncovers anything unusual I'll let you know.

Thanks for your help and prompt fix.

Regards,

Mohammed Rakhada

-----Original Message-----
From: Dmitry Kurochkin <dmitry.kurochkin at measurement-factory.com>
To: morakhad at cisco.com, users <users at web-polygraph.org>
Subject: Re: Problems with SSL via Proxy
Date: Thu, 22 Sep 2011 13:40:11 +0400


Hi Mohammed.

On Wed, 21 Sep 2011 20:45:48 +0100, Mohammed Rakhada <morakhad at cisco.com> wrote:
> Hello,
> 
> I am having trouble trying to use Web Polygraph with a Proxy.
> 
> I seem to have tracked it down to Web Polygraph not sending a Host
> Header with the request and so the Proxy rejects the connections.
> 
> I have captured the network traffic during this to see what is happening
> and I can see that for a request sent from my browser the Host Header is
> sent but not when a request comes from Web Polygraph.
> 

This is a bug indeed.  Polygraph never sends a Host header in CONNECT
requests, though RFC 2616 requires the client to send a Host header in any
HTTP/1.1 request.  Apparently, many proxies ignore the missing Host
header and use the URI.

Please try the attached patch and let me know if it helps.

Regards,
  Dmitry

> From Web Polygraph to Proxy:
> 
> CONNECT 192.168.29.104:443 HTTP/1.1
> Proxy-Connection: close
> 
> From Browser to Proxy:
> 
> CONNECT 192.168.29.104:443 HTTP/1.1
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.2.22)
> Gecko/20110905 Ubuntu/10.04 (lucid) Firefox/3.6.22
> Proxy-Connection: keep-alive
> Host: 192.168.29.104
> 
> Here is an extract from my polygraph.pg file so you can see what I am
> trying to do. Is there some configuration missing? Been stuck on this
> problem for a while, originally had a problem trying to just run basic
> SSL tests. When going direct from Client to Server (no proxy involved),
> web-polygraph runs fine. If you require any further information please
> do let me know.
> 
> I am running v 4.4.0.
> 
> SslWrap wrap = {
>     protocols = [ "SSLv3", "TLSv1" ];
>     root_certificate = "/opt/home/user/CA-priv+pub.pem";
>     ciphers = [ "ALL:HIGH: !SSLv2: !aNULL: !AES128-SHA: !AES256-SHA:": 100% ];
>     rsa_key_sizes = [ 512bit, 1024bit, 2048bit ];
>     ssl_config_file = "/opt/home/user/myssl.conf";
>     session_resumption = 40%;
>     session_cache = 100;
> };
> 
> 
> DnsResolver dr = {
>     servers = [ '127.0.0.1:53' ];
>     timeout = 5sec;
> };
> 
> 
> Server PlainServer = {
>     kind = "HTTP";
>     contents = [ cntJPG: 26%, cntGIF: 28%, cntPNG: 9%, cntPDF: 0.05%,
>                  cntZIP: 0.22%, cntMalware, cntEXE: 0.43%, cntSWF: 1.9%,
>                  cntJavascript: 32% ];
>     direct_access = contents;
>     addresses = [ '192.168.29.104:8080' , '192.168.29.104:80' ];
> };
> 
> Server SSL = PlainServer;
> 
> SSL = {
> 	kind = "HTTPS";
> 	addresses = [ '192.168.29.104:443' ];
> 	ssl_wraps = [ wrap ];
> };
> 
> Robot R = {
>     kind = "robot";
>     pop_model = { pop_distr = popUnif(); };
>     recurrence = 15% ;
>     req_rate = 1/sec;
>     ssl_wraps = [ wrap ];
>     origins = [ PlainServer.addresses, SSL.addresses ];
>     http_proxies = [ '192.168.111.42:8080' ];
>     addresses = [ '192.168.29.101' ** 200 , '192.168.29.103' ** 5 ,
>                   '192.168.29.105' ** 2 , '192.168.29.107' ** 200 ,
>                   '192.168.29.109' ** 200 , '192.168.29.111' ** 200 ,
>                   '192.168.29.113' ** 200 , '192.168.29.115' ** 200 ];
> };
> 
> use (hostnames);
> use (SSL,PlainServer,R);
> 
> _______________________________________________
> Users mailing list
> Users at web-polygraph.org
> http://www.web-polygraph.org/mailman/listinfo/users

differences between files attachment
(http-connect-host-header-v4.4.0.patch)

http-connect-host-header-v4.4.0.patch - patch for Web Polygraph v4.4.0

    Send Host header in HTTP CONNECT requests.

    Per RFC 2616, a client MUST include a Host header field in all
    HTTP/1.1 request messages.  Before the change, Polygraph did not
    send Host header in CONNECT requests.

diff --git src/client/HttpCltXact.cc src/client/HttpCltXact.cc
index 018389f..76ec454 100644
--- src/client/HttpCltXact.cc
+++ src/client/HttpCltXact.cc
@@ -344,40 +344,45 @@ bool HttpCltXact::controlledPostWrite(Size &size, bool &needMore) {
 	return true;
 }
 
 void HttpCltXact::makeReq(WrBuf &buf) {
 	ofixedstream os(buf.space(), buf.spaceSize());
 
 	if (theState == stConnWaiting) {
 		if (theOid.connect())
 			makeConnectReq(os);
 		else
 			makeExplicitReq(os);
 		newState(stSpaceWaiting);
 	}
 }
 
 // make a CONNECT request
 void HttpCltXact::makeConnectReq(ostream &os) {
 	os << rlpConnect;
 	Oid2UrlHost(theOid, true, os);
 	makeReqVersion(os);
+
+	os << hfpHost;
+	Oid2UrlHost(theOid, true, os);
+	os << crlf;
+
 	makeHopByHopHdrs(os);
 
 	static int reqCount = 0;
 	finishReqHdrs(os, !reqCount++);
 
 	// no body for CONNECT requests
 	theReqOid.type(TheBodilessContentId);
 }
 
 // make a non-CONNECT request
 void HttpCltXact::makeExplicitReq(ostream &os) {
 	Assert(the100ContinueState == csNone);
 	Assert(!theReqContentCfg);
 	Assert(!theBodyIter);
 	// decide whether the request should have a body
 	if (theOid.post() || theOid.put()) {
 		theReqSize.expectedBody(true);
 		theReqContentCfg = theOwner->selectReqContent(theOid, theReqOid);
 		theBodyIter = theReqContentCfg->getBodyIter(theReqOid);
 		theBodyIter->start(&theConn->theWrBuf);
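Review bot: the added Host header in makeConnectReq is written with the same Oid2UrlHost(theOid, true, os) call that already produces the CONNECT request-target, so its value will be the host:port authority (as in the captured "CONNECT 192.168.29.104:443" line) rather than the bare host the browser in the capture sends; that is permitted, but a one-line comment saying the Host value intentionally mirrors the request-target would save the next reader from wondering whether the port was meant to be there, and the authority could be formatted once into a local string instead of being computed twice. Also, hfpHost and crlf are used here without being introduced anywhere in this hunk, so please confirm both are already declared for this translation unit before merging.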


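As an added illustration (not part of the thread or of Polygraph's own code), here is a small Python checker that applies the RFC 2616 Host requirement Dmitry cites to the two CONNECT requests captured above; the post-patch request shape, with Host carrying the same host:port as the request-target, is an assumption drawn from the diff rather than from a capture.

```python
"""Check HTTP/1.1 request heads, as a proxy would see them, for the Host
header requirement of RFC 2616 section 14.23.  Added example; the sample
requests are constructed from the captures in the thread."""


def parse_request(raw):
    """Split a raw request head into (method, target, version, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, version, headers


def check_host_header(raw):
    """Return a list of findings; an empty list means the head is compliant."""
    method, target, version, headers = parse_request(raw)
    findings = []
    hosts = headers.get("host", [])
    if version == "HTTP/1.1" and not hosts:
        findings.append("missing Host header in HTTP/1.1 request")
    if len(hosts) > 1:
        findings.append("multiple Host headers")
    if method == "CONNECT" and hosts:
        # CONNECT's request-target is host:port; Host must name the same host.
        # (Bracketed IPv6 literals are not handled by this simple split.)
        host_only = hosts[0].rsplit(":", 1)[0]
        target_host = target.rsplit(":", 1)[0]
        if host_only != target_host:
            findings.append("Host %r does not match CONNECT target %r" % (hosts[0], target))
    return findings


# Constructed from the two captures quoted in the thread
POLYGRAPH_REQ = "CONNECT 192.168.29.104:443 HTTP/1.1\r\nProxy-Connection: close\r\n\r\n"
BROWSER_REQ = ("CONNECT 192.168.29.104:443 HTTP/1.1\r\n"
               "User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.2.22) "
               "Gecko/20110905 Ubuntu/10.04 (lucid) Firefox/3.6.22\r\n"
               "Proxy-Connection: keep-alive\r\nHost: 192.168.29.104\r\n\r\n")
# Assumed shape after the patch: Host mirrors the host:port of the request-target
PATCHED_REQ = ("CONNECT 192.168.29.104:443 HTTP/1.1\r\nHost: 192.168.29.104:443\r\n"
               "Proxy-Connection: close\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("polygraph", POLYGRAPH_REQ), ("browser", BROWSER_REQ), ("patched", PATCHED_REQ)]:
        print(name, check_host_header(req) or "ok")
```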