Java CONNECT tunnel misbehavior

From: Pawel Worach <pawel.worach@dont-contact.us>
Date: Sat, 22 Dec 2007 00:50:22 +0100

Hi,

The problem described in bug #2154 is quite interesting.
We have a java applet that uses a home made RMI protocol wrapped over
HTTP (sorta like SOAP), it talks with a server using HTTP POST requests
to a SSL webserver. Now if the user is behind a proxy the applet first
downloads some components from the server using a SSL tunnel with GET
requests then it does some RMI requests using the tunnel connection it
made for the component download, now if that connection is closed (due
to timeout) and the user triggers a function in the applet that needs to
do a RMI request a new CONNECT request is sent. This request is a HTTP
POST and needs a new CONNECT tunnel so the java runtime sends a CONNECT
request to the proxy with all the headers from the original POST request
to the proxy, this is quite broken since it includes session cookies and
other potential secret stuff which is sent in clear text, this also
includes a Content-Length header for the POST body which is not
applicable for the CONNECT request.

This took a while to find since squid logged the request as MISS/200, no
sign of the 413 response.

Does anyone know how to report Java bugs to Sun? :)

Regards

-- 
Pawel
Received on Fri Dec 21 2007 - 16:50:34 MST
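
The behaviour described in the message above can be checked for on the proxy side. The following is an added example, not part of the original message and not code from Squid or the Java runtime: it parses the head of a captured request and reports header names that belong to the tunnelled POST rather than to the CONNECT. The sample requests, host name and header lists are constructed assumptions.

```python
# Added example: audit a request sent to a proxy for origin-bound headers
# carried on a CONNECT. Header sets below are assumptions chosen for this check.
SECRET_HEADERS = {"cookie", "authorization"}            # meant for the origin server only
BODY_HEADERS = {"content-length", "content-type", "transfer-encoding"}  # describe a POST body

def audit_connect(raw: bytes) -> dict:
    """Return header names that should not appear on a CONNECT request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    result = {"method": method, "target": target, "leaked": [], "body_headers": []}
    if method.upper() != "CONNECT":
        return result                       # only CONNECT travels to the proxy in clear text
    for line in lines[1:]:
        name, sep, _value = line.partition(":")
        if not sep:
            continue                        # skip lines that are not header fields
        key = name.strip().lower()
        # Record names only, never values, so the audit log does not repeat the leak.
        if key in SECRET_HEADERS:
            result["leaked"].append(name.strip())
        elif key in BODY_HEADERS:
            result["body_headers"].append(name.strip())
    return result

# Constructed sample: a CONNECT carrying the headers of the POST it is tunnelling.
SAMPLE_BAD = (b"CONNECT app.example.test:443 HTTP/1.1\r\n"
              b"Host: app.example.test:443\r\n"
              b"Cookie: JSESSIONID=CONSTRUCTED-VALUE\r\n"
              b"Content-Type: application/octet-stream\r\n"
              b"Content-Length: 512\r\n"
              b"Proxy-Connection: keep-alive\r\n\r\n")

# Constructed sample: a CONNECT with only the headers the proxy needs.
SAMPLE_OK = (b"CONNECT app.example.test:443 HTTP/1.1\r\n"
             b"Host: app.example.test:443\r\n"
             b"Proxy-Connection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_BAD, SAMPLE_OK):
        print(audit_connect(sample))
```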