Skip Menu |
 

This queue is for tickets about the Crypt-SSLeay CPAN distribution.

Report information
The Basics
Id: 59312
Status: resolved
Priority: 0/
Queue: Crypt-SSLeay

People
Owner: nanis [...] runu.moc.invalid
Requestors: robert.arthur [...] datacash.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Bug in proxied CONNECT retry code
Date: Tue, 13 Jul 2010 10:16:50 +0100
To: <bug-Crypt-SSLeay [...] rt.cpan.org>
From: "Robert Arthur" <robert.arthur [...] datacash.com>
Download (untitled) / with headers
text/plain 2.3k
Hi, Running debian (lenny) 0.57-1 with LWP 5.813-1 Occasionally seeing proxied https requests (using $ENV{HTTPS_PROXY} set to localhost:3130) getting 403 FORBIDDEN errors. Checking Apache mod-proxy access log shows that while most requests are "CONNECT 127.0.0.1:443", the 403s are showing as "CONNECT localhost:3130". Grabbing a stack-trace within Net::SSL::proxy_connect_helper() shows that the failing requests are indeed asking for a CONNECT on port 3130, and that this is happening when within a second connect attempt initiated within Net::SSL:: connect (), inside the "if (not defined $rv or $rv <= 0) {" block. I'm not entirely sure why the initial connection is intermittently failing, but it looks to me like when this happens we're overwriting the peer address/port with the proxy address/port. I think the error is the following line: my %args = (%$new_arg, %$arg); Adding some debug code, when a troublesome request occurs, %$new_arg contains the correct peer address/port, while %$arg has the proxy values for these keys, so overwrites these. Calling "my $new_ssl = Net::SSL->new(%args);" with these args causes us to issue the inner "CONNECT" request with the proxy address rather than the endpoint address. Happy to provide further details if it would help. Cheers, Bob. -- Robert Arthur Senior Software Engineer DataCash Tel (direct): +44 (0)131 538 8419 DataCash Ltd, Suite 3/1 Great Michael House, 14 Links Place, Edinburgh, EH6 7EZ, United Kingdom. Tel: +44 (0)870 7274 762 Fax: +44 (0)870 7274 782 www.datacash.com <http://www.datacash.com/> DISCLAIMER: This email and any files transmitted with it are confidential to DataCash Group plc and its group companies. It is intended only for the person to whom it is addressed. If you have received this email in error, please forward it to info@datacash.com <mailto:info@datacash.com> with the subject line "Received in Error". If you are not the intended recipient you must not use, disclose, copy, print, distribute or rely on this email or any transmitted files. DataCash Ltd is registered in England and Wales no. 3430157. DataCash Ltd is part of the DataCash Group plc. DataCash Group plc is registered in England and Wales no. 3168091. DataCash Ltd and DataCash Group plc registered address is Descartes House, 8 Gate Street, London, WC2A 3HP, United Kingdom. Save a tree...Please only print this page if essential
Download (untitled) / with headers
text/html 10.8k
From: joe.faber [...] corp.aol.com
Download (untitled) / with headers
text/plain 441b
I'm also seeing this issue. It seems, based on some quick testing, that reversing the order of the two hash pointers in the offending line of code corrects the problem. That is, change this: my %args = (%$new_arg, %$arg); to this: my %args = (%$arg, %$new_arg); This causes the original PeerAddr and PeerPort values in new_arg to be used for the reconnect instead of the ones in arg that had been modified by the proxy logic. -joe
Download (untitled) / with headers
text/plain 758b
Hello: This should be fixed in 0.57_04 available at: http://search.cpan.org/~nanis/Crypt-SSLeay-0.57_04/ I am closing this ticket. I would appreciate it if you could test with 0.57_04 and re-open if you encounter any problems. -- Sinan On Thu Jul 22 12:28:26 2010, jlfaber wrote: Show quoted text
> I'm also seeing this issue. It seems, based on some quick testing, that > reversing the order of the two hash pointers in the offending line of > code corrects the problem. That is, change this: > > my %args = (%$new_arg, %$arg); > > to this: > > my %args = (%$arg, %$new_arg); > > This causes the original PeerAddr and PeerPort values in new_arg to be > used for the reconnect instead of the ones in arg that had been modified > by the proxy logic. > > -joe


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.