Establishment of SSL over HTTP CONNECT tunnel (sometimes) fails with {error,{tls_alert,"record overflow"}} #536
Comments
|
can you test the patch above? |
|
I had something like this in mind: master...cirka:fix_536 |
|
which kind of proxy are we talking abou? Please not that generally speaking a proxy should send the response during the first packet. Is there a way I can reproduce it myself? |
|
HTTP proxy type. Hmm, it's a bit difficult because I can't send a tcp dump. |
|
Is this a known proxy server? |
|
If you ask what kind of proxy server, so it's Apache. If you ask is it a public or a private, so it's a private, behind VPN. Edit: I will specify Apache version soon. |
|
If can you share some bits of the apache configuration you're using, I will test it :) |
|
Apache/2.2.12. What exactly options from configuration do you need? |
|
@bartima3us the settings of mod_proxy you are using. It should be enough to reproduce it. |
|
@cirka congrats! Problem solved. Make a PR. :) |
|
@bartima3us what error did you have with #537 though? A proxy must send 1 line and no other headers which should be handled by my patch. Can you send a trace? |
|
The proxy responds with 200 and additional header: No further limitations are defined, and the server is free to add version header field. |
|
ok. I would prefer to have a version using |
A friend of mine has a really interesting case of hackney unable to reliably establish ssl session over HTTP proxy. I have an access to packet traces on the wire which unfortunately is something I can not freely share, but the traces let us to narrow down the difference between cases when connection establishment is successful and when it is not. In case whole HTTP response to CONNECT request returned by the proxy was contained in a single TCP segment the ssl connection was established successfully and if HTTP response was split in 2 TCP segments the ssl_connect/2 was returning terminal {error,{tls_alert,"record overflow"}}. The error usually means a garbage was read by ssl_connect from the socket.
We spend some time investigating how hackney check if a tunnel has been successfully established and the criteria defined by RFCs .. from https://tools.ietf.org/html/rfc7231#section-4.3.6 - Any 2xx (Successful) response indicates that the sender (and all inbound proxies) will switch to tunnel mode immediately after the blank line that concludes the successful response's header section; The hackney https://github.com/benoitc/hackney/blob/master/src/hackney_http_connect.erl has a function check_response(Socket) which basically waits for any size segment to arrive to the socket and then uses function check_status/1 to pattern match the response code and protocol version supported and discards the rest of what was read from the socket. The way hackney checks the response is prone to break in real life scenarios because single read from the socket does not guarantee to have complete HTTP response (including new line) and may leave the rest of HTTP response on the socket buffer ( because it was not read in one gen_tcp:recv or i just came later in time). The ssl_connect then gets called to upgrade session to TLS: it sends client hello and tries to read server hello records but gets to read the rest of HTTP response still lingering in the socket buffer instead and errors out.
I am not committed to providing a patch yet as it directly does not hurt me yet ;-) but a complete implementation of HTTP response parsing would be appreciated from anyone who stepped on this bug.
The text was updated successfully, but these errors were encountered: