Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SocketsHttpHandler should throw instead of returning proxy response message when proxy tunnel creation fails #48679

Closed
geoffkizer opened this issue Feb 24, 2021 · 3 comments · Fixed by #50763
Closed

SocketsHttpHandler should throw instead of returning proxy response message when proxy tunnel creation fails #48679

geoffkizer opened this issue Feb 24, 2021 · 3 comments · Fixed by #50763
Labels
area-System.Net.Http needs-breaking-change-doc-created Breaking changes need an issue opened with https://github.com/dotnet/docs/issues/new?template=dotnet
Milestone
6.0.0

Comments

@geoffkizer
Copy link
Contributor

Description

For secure HTTP connections, we attempt to create a proxy tunnel using the CONNECT method against the proxy endpoint. This allows us to create an end-to-end secure SSL connection between client and destination server.

If the proxy CONNECT request fails, (i.e. returns a status other than 200), we return the proxy's response to the user. However, this means the user can't distinguish whether the response came from the proxy or the destination server. This is problematic because the user is using SSL and thus reasonably expects that any response has been securely delivered via the end-to-end secure connection.

I think we should change this behavior, and instead throw an HttpRequestException when a proxy tunnel CONNECT request fails. Something like "The proxy tunnel request to proxy {proxyUri} failed with status code {statusCode}."

Note that for non-secure requests, we always return the proxy response and the user can't tell whether the response came from the destination server unmodified, or was modified by the proxy, or was simply generated by the proxy without even contacting the destination server. This is intentional; for non-secure requests, proxies are explicitly allowed to do whatever they want to a request, including modifying it, blocking it entirely, etc.
@geoffkizer geoffkizer added this to the 6.0.0 milestone Feb 24, 2021
@ghost
Copy link

ghost commented Feb 24, 2021

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

Description

For secure HTTP connections, we attempt to create a proxy tunnel using the CONNECT method against the proxy endpoint. This allows us to create an end-to-end secure SSL connection between client and destination server.

If the proxy CONNECT request fails, (i.e. returns a status other than 200), we return the proxy's response to the user. However, this means the user can't distinguish whether the response came from the proxy or the destination server. This is problematic because the user is using SSL and thus reasonably expects that any response has been securely delivered via the end-to-end secure connection.

I think we should change this behavior, and instead throw an HttpRequestException when a proxy tunnel CONNECT request fails. Something like "The proxy tunnel request to proxy {proxyUri} failed with status code {statusCode}."

Note that for non-secure requests, we always return the proxy response and the user can't tell whether the response came from the destination server unmodified, or was modified by the proxy, or was simply generated by the proxy without even contacting the destination server. This is intentional; for non-secure requests, proxies are explicitly allowed to do whatever they want to a request, including modifying it, blocking it entirely, etc.

Author: geoffkizer
Assignees: -
Labels:

area-System.Net.Http
Milestone: 6.0.0

@dotnet-issue-labeler dotnet-issue-labeler bot added the untriaged New issue has not been triaged by the area owner label Feb 24, 2021
@geoffkizer geoffkizer changed the title SocketsHttpHandler should not return proxy response message when proxy tunnel creation fails SocketsHttpHandler should throw instead of returning proxy response message when proxy tunnel creation fails Feb 24, 2021
@wfurt
Copy link
Member

wfurt commented Feb 24, 2021

make sense to me. basically treat CONNECT failures as form of connect() failure. How about authentication failures? They should have distinct status code, right?

@geoffkizer
Copy link
Contributor Author

Yeah, an auth failure will show up as a 407 status code.

@ManickaP ManickaP removed the untriaged New issue has not been triaged by the area owner label Mar 4, 2021
@geoffkizer geoffkizer mentioned this issue Apr 6, 2021
Merged
@ghost ghost added the in-pr There is an active PR which will close this issue when it is merged label Apr 6, 2021
@ghost ghost removed the in-pr There is an active PR which will close this issue when it is merged label Apr 6, 2021
@ghost ghost locked as resolved and limited conversation to collaborators May 6, 2021
@danmoseley danmoseley added the needs-breaking-change-doc-created Breaking changes need an issue opened with https://github.com/dotnet/docs/issues/new?template=dotnet label Feb 14, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
area-System.Net.Http needs-breaking-change-doc-created Breaking changes need an issue opened with https://github.com/dotnet/docs/issues/new?template=dotnet
Projects
None yet
Milestone
6.0.0
Development

Successfully merging a pull request may close this issue.

make EstablishProxyTunnelAsync throw on failure status code from proxy geoffkizer/runtime
4 participants
@danmoseley @ManickaP @geoffkizer @wfurt