Bug 59134 - Secure websocket connection through a proxy is not ok
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: WebSocket
Version: 8.0.x-trunk
Hardware: PC All
Importance: P2 normal
Assignee: Tomcat Developers Mailing List
Reported: 2016-03-07 08:29 UTC by zraetn
Modified: 2016-03-07 19:46 UTC (History)
Description zraetn 2016-03-07 08:29:21 UTC
I have been trying to open a wss connection through an HTTP proxy, and I always got the following exception:
  ...
  Caused by: javax.websocket.DeploymentException: The HTTP request to initiate the WebSocket connection failed
  ...
  Caused by: java.io.EOFException: null
  ...

Looking at network traffic shows that the proxy connect request is sent, proxy connection is established and then a plain GET request is sent instead of the SSL handshake.

Debugging in the WsWebSocketContainer::connectToServer() shows that there is a secure flag, to indicate whether an SSL connection is needed, but it never gets true when the connection is through a proxy.


http://svn.apache.org/repos/asf/tomcat/trunk/java/org/apache/tomcat/websocket/WsWebSocketContainer.java

public Session connectToServer(Endpoint endpoint,
            ClientEndpointConfig clientEndpointConfiguration, URI path)
            throws DeploymentException {
        ...
        boolean secure = false;

        ...

        if (sa == null) {
            if (port == -1) {
                if ("ws".equalsIgnoreCase(scheme)) {
                    sa = new InetSocketAddress(host, 80);
                } else {
                    // Must be wss due to scheme validation above
                    sa = new InetSocketAddress(host, 443);
                    secure = true;
                }
            } else {
                if ("wss".equalsIgnoreCase(scheme)) {
                    secure = true;
                }
                sa = new InetSocketAddress(host, port);
            }
        } else {
            proxyConnect = createProxyRequest(host, port);
        }

        ...
Comment 1 Christopher Schultz 2016-03-07 17:02:27 UTC
Sounds like your (reverse?) proxy is switching from HTTPS to HTTP internally. Bugzilla is not a support forum. Please post a message to the users list with questions, and only reopen this issue if there is a bug discovered in Tomcat.
Comment 2 Mark Thomas 2016-03-07 17:15:05 UTC
The original report looks valid. secure is never set when using a proxy.
Comment 3 Mark Thomas 2016-03-07 19:46:01 UTC
Thanks for the report. This has been fixed in 9.0.x for 9.0.0.M4 onwards, 8.0.x for 8.0.33 onwards and 7.0.x for 7.0.69 onwards.
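
Added example, not part of the bug thread and not Tomcat's code or its actual fix: a stand-alone Java sketch that puts the branch structure quoted in the description beside one way to correct it, deriving the secure flag from the URI scheme before the proxy branch. The class, record and method names, the example.test host and the 127.0.0.1:3128 proxy address are assumptions made for illustration.

```java
import java.net.InetSocketAddress;
import java.net.URI;

public class WssProxyPlan {
    // Hypothetical result holder, not a Tomcat type (records need Java 16+).
    record Plan(InetSocketAddress connectTo, boolean secure) {}

    // Same branch structure as the excerpt in the report: 'secure' is only
    // assigned when no proxy address was selected.
    static Plan asReported(URI path, InetSocketAddress proxy) {
        String scheme = path.getScheme();
        int port = path.getPort();
        boolean secure = false;
        InetSocketAddress sa = proxy;
        if (sa == null) {
            if (port == -1) {
                secure = "wss".equalsIgnoreCase(scheme);
                port = secure ? 443 : 80;
            } else if ("wss".equalsIgnoreCase(scheme)) {
                secure = true;
            }
            sa = InetSocketAddress.createUnresolved(path.getHost(), port);
        }
        return new Plan(sa, secure);
    }

    // Assumed correction: decide 'secure' from the scheme before branching,
    // so a wss target still gets a TLS handshake after the proxy CONNECT.
    static Plan schemeFirst(URI path, InetSocketAddress proxy) {
        String scheme = path.getScheme();
        if (!"ws".equalsIgnoreCase(scheme) && !"wss".equalsIgnoreCase(scheme)) {
            throw new IllegalArgumentException("unsupported scheme: " + scheme);
        }
        boolean secure = "wss".equalsIgnoreCase(scheme);
        int port = path.getPort() != -1 ? path.getPort() : (secure ? 443 : 80);
        InetSocketAddress sa = proxy != null ? proxy
                : InetSocketAddress.createUnresolved(path.getHost(), port);
        return new Plan(sa, secure);
    }

    public static void main(String[] args) {
        // Constructed inputs: placeholder host and a local proxy address.
        InetSocketAddress proxy = InetSocketAddress.createUnresolved("127.0.0.1", 3128);
        for (URI uri : new URI[] {URI.create("ws://example.test/chat"), URI.create("wss://example.test/chat")}) {
            for (InetSocketAddress p : new InetSocketAddress[] {null, proxy}) {
                System.out.printf("%-26s proxy=%-5b reported=%-5b schemeFirst=%b%n", uri,
                        p != null, asReported(uri, p).secure(), schemeFirst(uri, p).secure());
            }
        }
    }
}
```

The row to look at is wss with a proxy: the reported logic leaves the flag false there, which is the case where the description saw a plain GET follow the CONNECT.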