Closed Bug 16103 Opened 25 years ago Closed 25 years ago

SOCKS V5 Implementation

Categories

(Core :: Networking, defect, P3)

Product:
Core
Component:
Networking
Platform:
All
Windows NT
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: b.benowitz, Assigned: ruslan)

References

(
URL
)

Details

(Whiteboard: [nsbeta2-])

Attachments

(5 files)

Error messages in apprunner window
361 bytes, text/plain
Details
SOCKS support for HTTP and FTP, with UI configuration
17.16 KB, application/octet-stream
Details
patch to make ssl work over socks -- this has some replacement patches/files for the previous patch
8.96 KB, application/octet-stream
Details
A new and improved version of the socks patch.
78.54 KB, patch
Details | Diff | Splinter Review
the one new file to add to the tree for socks
10.00 KB, text/plain
Details
Unable to load pages behind SOCKS Server. No meaningful messages displayed.
Assignee: gagan → rpotts
Target Milestone: M15
Socks support isn't in yet. Marking for later and assigning to rick.
Bulk move of all Networking-Core (to be deleted component) bugs to new Networking component.
-> marketing
Assignee: rpotts → warren
> -> marketing I'm not in any great hurry to appear foolish, but what do you mean by that?
Netscape doesn't intend to implement socks for this product, although we welcome a submission to mozilla.org.
Assignee: warren → nobody
Keywords: helpwanted
Target Milestone: M15 → M30
I hated to see Socks Proxy Server support pushed off. I wanted to stick in some information incase anyone was looking later..... Main Socks page http://www.socks.nec.com/ If you want socks support in Mozilla and you are on Windows one can use this: http://www.socks.nec.com/socks5.html SOCKS v5 is an IETF standard (RFC 1928)
Blocks: 35843
I'll implement SOCKS support. See my post in netscape.public.mozilla.netlib for details.
Just be sure to do it so that it works both with and without PSM, that is so that both http and https URLs work with it.
I have a working NSPR IO layer implementing SOCKS proxying. Once I've cleaned it up, I'll submit it and start working on the transports and protocols so that they will make use of it. Since it's an NSPR IO layer, it should work fine with the SSL layer, but it will require some minor changes to nsSocketTransport. I can test SSL and SOCKS layers together before the protocol changes, however, to make sure everything is interacting correctly.
The above patch should bring mozilla up to netscape 4.x's socks support, except for SSL over SOCKS. It should work, but it's not for me. I'll continue working on it, and adding SOCKS support to the other protocols.
Ok. Justin Bradford <justinb@gene.com> has implemented SOCKS support. To get it in we'll need to move the tag on NSPR to get the latest changes for non-blocking connect and make a few API changes. Otherwise it's working great. Changes are not drastic, but still fair in size. Nominating for nsbeta2, chaning the target milestone and awaiting the decision from PDT.
Assignee: nobody → ruslan
Keywords: helpwantednsbeta2
Hardware: PC → All
Target Milestone: M30 → M17
Status: NEW → ASSIGNED
Whiteboard: [nsbeta2-]
[nsbeta2-] not required for seamonkey beta2 but you can always check in mozilla community contributions with approval from brendan or waterson. cc'ing Wan-Teh for comments about needing a new rev of NSPR
The current implementation of SOCKS support does blocking connect and hence does not need a new rev of NSPR.
Brendan? Can we check this in?
Ruslan committed all (but one) of the new files, so the new patch is against that. The second attachment is actually a tar file with the one remaining file: extensions/psm-glue/src/MANIFEST The mac build files have not yet been updated, but I'll do that once I get approval to commit this patch.
No longer blocks: 35843
Justin, looks great -- a=brendan@mozilla.org if you attend to these nits: - Can't tell due to diff -wu, but I hope all tabs have been expanded, and indentation looks uniform and even and stuff. - Does CMT_ProxyStepUp need to modify its final argument, which is a copy created using nsCAutoString by nsPSMSocketInfo::ProxyStepUp? I couldn't tell from reading http://lxr.mozilla.org/mozilla/source/security/psm/lib/client/cmtssl.c#414 Maybe the final paramter to CMT_ProxyStepUp should be const char*? I'm also wondering why mHostName is an nsString, instead of an nsCString, but that's not your doing. Might be worth filing a bug. Should CMT_ProxyStepUp error return values propagate back via bad nsresults through securityInfo->ProxyStepUp() to its caller? - Is it really necessary to hold onto the PSM service via gPSMService? I see only one use of that variable, in nsSSLIOLayerConnect (whose name follows the class naming convention, not the static PR_CALLBACK naming convention [such as there is]). If you're using this service only at connect-time, why not use NS_WITH_SERVICE to make a local, auto-pointer-held reference? It's bad to hold onto services forever, especially in embedding cases where things may need to unload and return all memory to the app. - else after return in nsFtpConnectionThread::CreateTransport -- a non-sequitur that's not repeated at the bottom of that method, where there's a nice final return that several cases "fall into" without unnecessary else's. - Argh, nsIHTTPChannel.idl uses InterCaps, not interCaps, in attribute names -- what's up with that? The xpidl compiler will capitalize an attribute name before prepending Get or Set in the C++ binding, and the JS binding wants interCaps (JS and Java style, and Mozilla XPIDL house style for that matter). /be
I should have written a=brendan@mozilla.org, check in bug please attend to these nits either first, or in a quick followup checkin. /be
1. I've checked tabs and indentation and everything looks fine. 2. That non-const argument is passed down into the PSM code and used in the message encoder. I just looked over the code and it would appear that making it const would not affect anything. However, I didn't write any of the involved code (I'm simply calling an existing function) and I've never looked beyond CMT_ProxyStepUp prior to 10 minutes ago. A practically identical path is taken by the normal SSL connection call, which also has non-const arguments... 2b. I return from PSMSocketInfo::ProxyStepUp the return code from CMT_ProxyStepUp, so the error should already be propagated to the SocketTransport, which is its caller. 3. Usage/storage of PSM service by SSL layer: The PSM service basically represents a daemon, and I suspect multiple services imply multiple daemons. So, while, I agree that it shouldn't be a static sitting around there, I'm not sure what effect it would have on the behavior (possibly causing start-psm to load/unload frequently when accessing a site via SSL; possibly spawning many psm daemons; etc). I believe the case is now, when SSL is used, psm runs and doesn't quit until the browser does. That's not good, but I don't know how to fix it right now. I should also point out that I haven't written or even touched most of the parts you're referring to here. My changes to the SSL stuff were very basic. The AddToSocket which does exactly the same thing as NewSocket (excepting the allocation of a socket) and enabling the existing SSL proxy mechanisms. I can't address #2 or #3 without studying the PSM module more, and I think they're unrelated to this patch (as they're existing issues). I'll file bugs for both address them later. 4. I've removed the unnecessary else from the FTP's CreateTransport 5. I've changed all of the attributes in nsIHTTPChannel.idl to interCaps style, including the one attribute I am adding. Should I go ahead with the commit?
Sorry - was on vacation. Is it not landed yet?
I committed the code last night. Is anyone having trouble on non-Linux platforms?
I've tested a Win32 nightly build with my SOCKS code. It appears to be working fine, except for SSL connections (which work fine on Linux). Can anyone else confirm this?
I guess this is done, right Justin?
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
As the originator of this problem, I had a chance to test the 7/6/2000 Nightly build on Linux and I still find 2 problems: 1) When you originally set the SOCKS HOST name and port in preferences and then click OK, the main window starts loading fine. But the tinderbox window continues to say Loading... for ever. Performance suffers as well. If you exit Mozilla and restart, everything is fine. 2) Secure Pages don't seem to load. However, I'm not sure that those fixes were committed, yet.
I haven't experienced your first problem, but I'll try to replicate it. As for the SSL problems, the code was committed, and it does work on Linux. I'm not gotten it to work on win32, but I'm not sure if I have the PSM module installed/configured. I'll look into this more.
It doesn't seem to work at all here. After setting the socks host and port to the same values which IE uses successfully, mozilla is unable to load any site. For example, if I try to load mozilla's homepage the taskbar will show "Resolving host www.mozilla.org", but it never gets any further. The OS is NT4, SP6.
What version of SOCKS does your firewall support? Mozilla only supports version 5 right now.
That would explain it... I'm pretty sure that ours is only SOCKS4. I'll try to verify this, just to be sure. Thanx!
I created a patch that adds Socks4 support to Justin's Socks5 layer. It detects the server protocol version by trying Socks4 first, then Socks5. This test is rather expensive if the server is Socks5 (extra TCP connection setup/close). This raises some issues... should a cache of Socks server versions be maintained? It would be relatively simple to cache only the most recent server, but a proxy autoconfig script could return different Socks servers for different destination addresses during the same session, so this might not be ideal. But it might be adequate. A full-blown cache would be more work, but doable. Perhaps there is already some infrastructure for this sort of thing? Or would it be better to expose this in the configuration UI? Any suggestions?
Might want to make this a separate bug. There should be selector UI that supports this, but even more so, we might want to just completely re-do the UI. The old UI doesn't work well for SOCKS in general because there is a lack of clarity for order of precedence. My feeling is that we should just EOL SOCKS V4. It's not specified in an RFC, and there doesn't seem to be much in the way of handshaking or backwards compatability. A -quick- look at the SOCKS V5 RFC seems to show that the client initiates the call for a version... http://www.faqs.org/rfcs/rfc1928.html The VER field is set to X'05' for this version of the protocol. The NMETHODS field contains the number of method identifier octets that appear in the METHODS field.
I've re-read the RFC's and NEC's specs. My reading is that there is no effective handshake for versions. My gut says we should add a "SOCKS V4" and SOCKS V5" selector in manual prefs. If you don't, then your version failover (which isn't a real handshake) might fill up a SOCKS server with error messages.
VERIFYING BUG: Used a packet trace... http://www.packetgram.com/pktg/proxy/socksclientversion.html General information on how when SOCKS is used for connections http://www.packetgram.com/pktg/docs/nscp/ns6/ns6proxy.html#socks clarified Summary for accuracy. put a URL into URL field. keyed for release note Want any of the following? A fix for the prefs (say "SOCKS V5", not "SOCKS"), see bug 50679 create a new bug. SSL and SOCKS (either combination) SOCKS V4 SOCKS server version handshaking
URL: SOCKS support in M10http://www.socks.nec.com/
Status: RESOLVED → VERIFIED
Keywords: relnote
Summary: Can't browse behind a SOCKS firewall → SOCKS V5 Implementation
-relnote - other SOCKS bugs are tagged w/ relnote keyword.
Keywords: relnote
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: