Basic client support for SOCKS version 5 (no authentication) #94
Conversation
|
@dmap My first impression is very positive. Changes look concise and non-intrusive. I have one conceptual question though. Was there any particular reason for putting |
No, no particular reason. I am not that familiar with the codebase (which is pretty large) and this was the simplest way I found to implement the feature. I am happy for it to be done another way. What I will say is that the SOCKS protocol negotiation is VERY low level. It has to happen on the wire before anything else... before TLS negotiation, before HTTP connects etc. I found it difficult to navigate my way through the source code well enough to achieve this any other way besides using the It is theoretically possible to want to establish an SSL connection to SOCKS proxy, then do the SOCKS negotiation, but in practice virtually no SOCKS proxy servers support this. That could be a feature for another day... It could mean negotiating SSL with the SOCKS proxy and then again (over the same connection) to the target server (tunnelled through the SOCKS proxy). What fun that would be. In practice it is unnecessary because if you are negotiating SSL with the target server all the traffic is secured end-to-end anyway, the SOCKS proxy just tunnels it through unchanged. |
I understand the codebase is large and mostly undocumented. I will not insist but it would be nice to factor the SOCKS protocol logic out into a |
|
Hi @dmap |
I attempted this approach. It worked fine for plain connections but for SSL connections the SSL handling triggered in the |
Will do. I still have to also add the SOCKS protocol username/password support. The PR isn't finished yet, I just raised it to get some initial feedback. |
@dmap I would prefer to refactor |
|
@ok2c I have spent several hours looking at refactoring I'm not trying to be difficult but after spending some time on it I honestly feel the |
|
@dmap Do you mind also committing your implementation |
@ok2c Updated the IOEventHandler impl to also support username/password auth and pushed as you requested. The immediate problem is the completion of the |
|
@ok2c @garydgregory So I have just pushed a set of tests for the new code. These are reasonably extensive in that they simply inherit from the existing integration tests but using a SOCKS proxy... and yes that means I wrote a simple SOCKS proxy server for the test framework. It means we get all the current integration tests for Http1 and Http2 run again, but through a SOCKS proxy. These tests all pass perfectly using the I feel my work here is essentially done. I would love to see this merged into the codebase, but that ball is in your court now. I can quite happily drive my own testing from my own fork. |
I am quite certain this should be fixable. HttpClient 5.0, for instance, is capable of upgrading tunneled connection to SSL/TLS after a |
I'll get your code committed. You have my word on that. I would like to cut a BETA release soon, though, and would not want to publish |
|
@dmap David, I think I have resolved the problem with TLS upgrade with 5e88e51. I moved TLS upgrade logic from |
|
@dmap Another minor thing. Could you please remove |
|
@ok2c ok I will have another look. It might take me a few days but I will get to it. My household has been hit by a terrible stomach flu, we have several very unwell people here at the moment... |
|
@dmap Please take care of your family. This can wait. |
This change adds low-level support for TLS handshake timeouts in the class that actually performs the handshake. The contractual `socketTimeout`, if set, will only be applied to the underlying IOSession after the handshake is complete.
dmap
force-pushed
the
feature/HTTPCORE-563
branch
from
7dd3ad9 to
cb70ad4
Compare
Previously it was possible to accidentally read past the end of the SOCKS negotiation
dmap
force-pushed
the
feature/HTTPCORE-563
branch
from
cb70ad4 to
f0fa866
Compare
|
@ok2c So this is now working... but I'm not totally happy with it. There are a couple of strange interactions required between the SocksProxyProtocolHandler and the InternalDataChannel to have things work.
|
|
I see my tests fail with Java 11. I will investigate. |
|
Hah, so the failing tests were caused by the haphazard management of the interest ops. The |
|
@dmap I was able to get rid of See my latest changes here |
|
@dmap It all makes sense. Please take one last glance at the final change-set here and I'll commit it as soon as I get a nod from you |
|
@ok2c I'm happy with that. Thanks for the help. The changes in This is an example of what I referred to as the Because of this awkward management of the interest ops an IOEventHandler can receive an inputReady() or (in particular) an outputReady() callback when it is not expecting it. I had to add additional code to my SOCKS handler to avoid an infinite loop when I got an outputReady() (because of the enqueueCommand done by another thread) when the SOCKS handler was actually wanting input, not output. Anyway, that is all probably best done as a different change. It wouldn't be hard to clean up, but it isn't strictly speaking required for this PR. |
|
@ok2c So, to be clear, I am happy for this to be committed. |
|
Committed as 42d992f. Please review and close. |
|
Great |
4 participants
Issue: https://issues.apache.org/jira/browse/HTTPCORE-563