Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-6226610

HTTP tunnel connections send user headers to proxy

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P2
    • Resolution: Fixed
    • Affects Version/s: solaris_10, 1.4.2, 5.0, 5.0u6
    • Fix Version/s: 6
    • Component/s: core-libs
    • Labels:
    • Subcomponent:
    • Resolved In Build:
      beta
    • CPU:
      generic, x86
    • OS:
      solaris, windows_xp

      Backports

        Description

        FULL PRODUCT VERSION :
        java version "1.5.0"
        Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0-b64)
        Java HotSpot(TM) Client VM (build 1.5.0-b64, mixed mode)


        ADDITIONAL OS VERSION INFORMATION :
        Microsoft Windows XP [Version 5.1.2600]

        A DESCRIPTION OF THE PROBLEM :
        When making an HTTP(S) request that tunnels through an HTTP proxy (using the CONNECT method) any headers set on the HttpURLConnection are sent to the proxy server as well as to the destination host (through the tunnel). This can cause sensitive data (e.g. Authorization headers) to travel across the network plain-text, even though the program believes it is connecting to the server using HTTPS.

        The problem I am describing is not an issue with base64 encoding the
        username:password pair in the Authorization header. Our code takes care
        of it and properly authenticates with the end server. The problem I am
        seeing is more general.

        The expectation is that when making a connection to an HTTPS URL, both
        the request headers and the request body will be sent to the server
        protected by SSL/TLS encryption as negotiated in the SSL handshake.

        If the connection is made through a proxy server, Java makes a CONNECT
        request to open a channel to the destination server. In this case, any
        request headers set with setRequestProperty are sent to the proxy server
        even though the programmers intent is to send these headers to the final
        destination server. This can result in exposing sensitive information
        unencrypted on the network.

        The behavior can be examined using a packet analyzer and the test code I
        provided with the original bug report. The expectation is that the
        X-Test-Header is only sent to the destination server once the SSL
        handshake has been completed through the tunneled connection established
        by the HTTP CONNECT request.

        Note that in order to see the behavior I describe the destination URL
        must be an HTTPS URL.

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        Compile and run the included program giving the name and port number of a proxy server as the first two arguments and the url of the destination server as the third argument. Use a packet analyzer to view the packets sent by the program.

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        The X-TestHeader should not be sent to the proxy server.
        ACTUAL -
        The X-TestHeader was sent to the proxy server.

        REPRODUCIBILITY :
        This bug can be reproduced always.

        ---------- BEGIN SOURCE ----------
        import java.net.*;
        import java.io.*;

        public class ProxyBad {

          public static void main(String args[]) throws Exception {
            System.setProperty("https.proxyHost", args[0]);
            System.setProperty("https.proxyPort", args[1]);
            URL u = new URL(args[2]);
            URLConnection c = u.openConnection();
            /* I want this header to go to the destination server only, protected
             * by SSL; but it gets sent to the proxy as well in plaintext. */
            c.setRequestProperty("X-TestHeader", "value");
            BufferedReader br = new BufferedReader(new InputStreamReader(c.getInputStream()));
            System.out.println(br.readLine());
          }

        }

        ---------- END SOURCE ----------

        CUSTOMER SUBMITTED WORKAROUND :
        If possible, clear the https proxy properties or set the http noproxy property before making the connection so that a proxy will not be used. This, of course, will not work if it is actually necessary to use a proxy server.
        ###@###.### 2005-2-08 13:12:51 GMT

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  chegar Chris Hegarty
                  Reporter:
                  ndcosta Nelson Dcosta (Inactive)
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  2 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved:
                    Imported:
                    Indexed: