HttpComponents HttpCore
HTTPCORE-676

TLS renegotiation seems to not be handled properly


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.1
    • Fix Version/s: 5.0.4, 5.1.1, 5.2-alpha1
    • Component/s: HttpCore NIO
    • Labels: None

    Description

      Hi there,

      I noticed that TLS renegotiation seems to not be handled by HttpCore (I stumbled across this while using the async HTTP client with HTTP/1.1).

      Trying to perform an HTTP request to a server that requires renegotiating the TLS connection by sending a TLS HelloRequest causes the request to hang (I guess until a server or a client timeout kicks in) and then fail with a generic error (e.g. "execution failed: Connection is closed").

      I was able to reproduce the issue using httpd and a Location entry inside a virtual host that requests a client certificate (as in mTLS).

      The following minimal Apache configuration can be used to reproduce the problem (note that, for the sake of painless testing, the client cert is optional, so the client does not have to present a certificate to perform the request successfully):

      Listen 8445
      SSLProtocol -all +TLSv1.2
      <VirtualHost *:8445>
          ServerName some.host.de
          SSLEngine on
          
          SSLCertificateFile "path_to_some_cert.crt"
          SSLCertificateKeyFile "path_to_some_key.key"
          
          ProxyPass /                     http://some.target/
          
          <Location /the_resource_with_optional_client_cert>
              SSLVerifyClient optional_no_ca
          </Location>
      </VirtualHost>

      Some logs

      I attached two excerpts of logs with javax.net.debug=all and DEBUG output for HC5:

      • apache_hc5_tls_log_excerpt.log: the log output produced by HC5
      • java_httpclient_tls_log_excerpt.log: the log output produced by java.net.http.HttpClient

      The interesting part in apache_hc5_tls_log_excerpt.log starts at 10:59:39.454, where HC then waits 20 seconds until it consumes the HelloRequest.
      The comparable part in java_httpclient_tls_log_excerpt.log starts at 11:37:30.017.

      Tests

      I looked into adjusting the configuration at https://github.com/apache/httpcomponents-core/tree/master/httpcore5-testing/docker/apache-httpd, but I had some trouble understanding where the exposed ports for the image are configured (and where to configure/expose the new HTTPS port). In the HttpClient project it is clearer, as there are the EXPOSE entries in the Dockerfile.

      Another thing I asked myself is: Where to best place a test?

      People

        Assignee: Unassigned
        Reporter: synth3