How to handle HTTP CONNECT tunnel on client side? - sockets

I am adding support for HTTP CONNECT request to a client and I can't seem to handle the tunnel properly.
I am able to send a CONNECT request to the proxy which response with a status code of 200. This RFC tell me that the tunnel has been formed with the end server.
How do I use this tunnel from a socket perspective?
On the client side, the socket I opened receives the 200 response from proxy initially. After checking the response should I just send more data into that socket?
I tried this approach and the client just hangs. The data doesn't seem to reach the final server. How to use this socket to do normal HTTP(S) after the tunnel is created?

After checking the response should I just send more data into that socket?
Yes. If you are speaking HTTPS you now start a TLS handshake and then send a properly formed HTTP request and read the response, both via TLS.
I tried this approach and the client just hangs. The data doesn't seem to reach the final server.
So either your handshake was wrong or your HTTP was malformed.

Related

Can my Web Server Issue a Client Rest Request to another REST Server

I have a web server that handles configuration set-up for various IO devices. I need to get some data from a REST server that is running on a different server. Can that web server code issue a client REST GET command to a REST server running on a different server? I tried it but I get a http 500 error. The server code is failing on the REST server request code.
I am closing out this question. Yes, your server can issue http requests to other services. I was having another problem with a self-signed certificate and the error made it look like their was a problem with my http request service.

Why do we need the HTTP CONNECT Tunnel in Fiddler?

I saw many Tunnel to host:443 in Fiddler traffic interception, when I click it I saw below info:
The selected session is a HTTP CONNECT Tunnel. This tunnel enables a client to send raw traffic (e.g. HTTPS-encrypted streams or WebSocket messages) through a HTTP Proxy Server (like Fiddler).
I also searched this -
Fiddler2: Decrypt HTTPS traffic and Tunnel to host:443
But these didn't answer my question, why do we need the HTTP CONNECT Tunnel? Why does a client need to send raw traffic?
See https://textslashplain.com/2015/11/19/understanding-connect-tunnels/
tl;dr: Browsers need to send CONNECT tunnel requests to proxies in order for the proxy to know to what server the traffic should be sent.
The encryption provided by HTTPS prevents the proxy server from seeing the URLs or HOST headers of the requests, and these are how a proxy normally decides where to send the requests. So, for HTTPS traffic, a different approach is needed-- that approach is that the client tells the proxy: "Hey, give me a tunnel to example.com and let me know when it's ready." The proxy does so and tells the client HTTP/200 Connection established. At that point, the proxy becomes a blind byte-shuffler that takes bytes from the client and sends them to the server and returns the bytes the server replied with back to the client.

Socket / Http Request

What is the difference between using socket to connect to a site, and simply making an HTTP request?
Does the connection established by the sockets make it possible not to authenticate during the request?
What is the difference between using socket to connect to a site, and simply making an HTTP request?
The act of using socket to connect to a site is more basic than making an HTTP request — the former is required by the latter, since a HTTP/TCP request cannot be sent without an established connection.
Does the connection established by the sockets make it possible not to authenticate during the request?
HTTP neither implies authentication.

HTTPS with PSK using Bouncy Castle

I have established a secure socket connection using the Bouncy Castle Pre-Shared Key.
I would like to know how to use this socket connection to send my http request securely.
I am using a apache http client for sending my http request.
IN short, I have to use https but with PSK Implementation of Bouncy Castle. It is easy to create a socket connection with PSK BC, but how to redirect http request through it ?
Used the conventional method of routing http message.
Once the TLS PSK socket connection is established, the http request is sent by writing HTTP message to the socket connection in http standard, that involves writing http Request Line first, followed by Request Headers, and a new line followed with the content, if any.
Then, at the server side, read the decrypted Http Request in the reverse direction.
Basically, had to implement the httpClient and httpServer using Socket Connection from basic.

Accessing Proxy over HTTPS doesnt work

created a webserver(http port 80, https:443) and proxy server(http 8080,https:8081)
am seeing issue when I access proxy over https like
https://xyz:8081/
wireshark shows client(fireforx or chrome) is sending certificate data in HTTP packet , I see certificate text .
Any idea what could be wrong ? browser says no data received
If TLS session is already established(https webserver) would another TLS sessions is created if I try to access https proxy ?
I created SSL socket like
ctx_init
put the socket on select and did accept/sslaccept once I get
and then did SSL_Read
NB: Rest all access like http/https to webserver or http to proxy server works fine.
Updates: Issue was client was sending fragmented HTTP request
So for a GET request it was sent by client like this
Packet 1 was GE
Packet 2 was rest T ....\r\n\r\n
So in code I have to collect until until full HTTP packet is received