Closed Bug 572570 Opened 14 years ago Closed 14 years ago

Allow ssltunnel to detect WebSocket traffic via header inspection

Categories

(Testing :: Mochitest, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jgriffin, Assigned: jgriffin)

References

(Blocks 2 open bugs)

Details

Attachments

(1 file)

In bug 570789 I'm landing some changes to ssltunnel to allow it to act as an HTTP proxy for WebSocket traffic.  This implementation listens for WebSocket traffic on a dedicated port.  However, ted pointed out it would be nice to let it listen on the same port as it uses for other traffic, and switch to WebSocket mode if it detects that the WebSocket protocol is being used.

In order to accomplish this, we'll have to delay the connection to the remote server until a full set of headers is received after the initial HTTP CONNECT.  This will require some minor surgery to ssltunnel and we'll have to be careful we don't break any existing SSL use cases.
Attached patch ssltunnel patch
This patch modifies ssltunnel to be able to dynamically detect SSL vs non-SSL connections, and WebSocket vs non-WebSocket traffic, and handle them appropriately.  This allows us to avoid having to open separate listen ports for different kinds of traffic...we can just use one port for everything.

Will flag for review after tryserver run finishes successfully.
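As an added illustration of the header-inspection idea in the description and in the attachment comment (this is not ssltunnel's code and not the attached patch): once the bytes following the CONNECT are buffered, the proxy waits for the blank line that ends the header block and only then decides between WebSocket and plain HTTP from the Upgrade and Connection headers. The function names and the token-matching rules are assumptions.

```cpp
#include <cctype>
#include <string>

enum Traffic { NEED_MORE_DATA, WEBSOCKET, PLAIN_HTTP };

// Header names and the upgrade/websocket tokens are case-insensitive.
static std::string lower(std::string s) {
    for (std::string::size_type i = 0; i < s.size(); ++i)
        s[i] = static_cast<char>(std::tolower(static_cast<unsigned char>(s[i])));
    return s;
}
// Whole-token match in a comma-separated value: "keep-alive, upgrade" matches,
// a bare "upgrade-insecure-requests" does not.
static bool value_has_token(const std::string &value, const std::string &token) {
    std::string::size_type pos = 0;
    while (pos <= value.size()) {
        std::string::size_type comma = value.find(',', pos);
        if (comma == std::string::npos) comma = value.size();
        std::string::size_type b = pos, e = comma;
        while (b < e && std::isspace(static_cast<unsigned char>(value[b]))) ++b;
        while (e > b && std::isspace(static_cast<unsigned char>(value[e - 1]))) --e;
        if (value.compare(b, e - b, token) == 0) return true;
        pos = comma + 1;
    }
    return false;
}
// Test every "name:" header line (the request line never starts with CRLF,
// so it is skipped) for `token` in its value. `hdrs` is already lower-cased.
static bool header_has_token(const std::string &hdrs, const std::string &name,
                             const std::string &token) {
    const std::string key = "\r\n" + name + ":";
    for (std::string::size_type p = hdrs.find(key); p != std::string::npos;
         p = hdrs.find(key, p + 1)) {
        std::string::size_type vs = p + key.size();
        std::string::size_type ve = hdrs.find("\r\n", vs);
        if (value_has_token(hdrs.substr(vs, ve - vs), token)) return true;
    }
    return false;
}
// Classify what was buffered after CONNECT (hypothetical helper); until the
// blank line that ends the header block has arrived, no backend can be chosen.
Traffic classify_request(const std::string &buf) {
    std::string::size_type end = buf.find("\r\n\r\n");
    if (end == std::string::npos) return NEED_MORE_DATA;
    std::string hdrs = lower(buf.substr(0, end + 4));
    return (header_has_token(hdrs, "upgrade", "websocket") &&
            header_has_token(hdrs, "connection", "upgrade")) ? WEBSOCKET : PLAIN_HTTP;
}
```

The NEED_MORE_DATA result is the point of delaying the remote connection: a partial header block must keep the socket in the buffering state rather than being forwarded as plain HTTP.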
Comment on attachment 452311 [details] [diff] [review]
ssltunnel patch

passes tryserver
Attachment #452311 - Flags: review?(ted.mielczarek)
Blocks: 573803
Comment on attachment 452311 [details] [diff] [review]
ssltunnel patch

>             // We have to accept and handle the initial CONNECT request here
>             PRInt32 response;
>             if (!connect_accepted && ReadConnectRequest(ci->server_info, buffers[s],
>                 &response, certificateToUse, &clientAuth, fullHost))
>             {
>+              // Mark this as a proxy-only connection (no SSL) if the CONNECT
>+              // request didn't come for port 443 or from any of the server's
>+              // cert or clientauth hostnames.
>+              if (fullHost.find(":443") == string::npos)
>+              {
>+                server_match_t match;
>+                match.fullHost = fullHost;
>+                match.matched = false;
>+                PL_HashTableEnumerateEntries(ci->server_info->host_cert_table, 
>+                                             match_hostname, 
>+                                             &match);
>+                PL_HashTableEnumerateEntries(ci->server_info->host_clientauth_table, 
>+                                             match_hostname, 
>+                                             &match);
>+                ci->http_proxy_only = !match.matched;
>+              }
>+              else
>+                ci->http_proxy_only = false;
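Review bot: `fullHost.find(":443") == string::npos` is a substring test, so a CONNECT target whose port merely starts with 443 (for example `host:4430`) also contains `:443` and is treated as an SSL connection instead of a proxy-only one. Compare the port component exactly, e.g. take the text after the last `:` in `fullHost` and require it to equal `443`, before falling through to the cert and clientauth table lookups.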

Brace the else condition to match the if, please.


>@@ -1158,20 +1197,20 @@ int main(int argc, char** argv)
>       "       # than the previous option.\n"
>       "       listen:my.host.name:443:4443:a different cert\n\n"
>       "       # To make a specific host require or just request a client certificate\n"
>       "       # to authenticate use the following options. This can only be used\n"
>       "       # in httpproxy mode and only after the 'listen' option has been\n"
>       "       # specified. You also have to specify the tunnel listen port.\n"
>       "       clientauth:requesting-client-cert.host.com:443:4443:request\n"
>       "       clientauth:requiring-client-cert.host.com:443:4443:require\n"
>-      "       # Act as a simple proxy for incoming connections on port 7777,\n"
>-      "       # tunneling them to the server at 127.0.0.1:9999. Not affected\n"
>-      "       # by the 'forward' option.\n"
>-      "       proxy:7777:127.0.0.1:9999\n",
>+      "       # Tells ssltunnel to proxy WebSocket traffic to the server\n"
>+      "       # at 127.0.0.1:9999, instead of the server specified in the\n"
>+      "       # 'forward' option.\n"
>+      "       websocketserver:127.0.0.1:9999\n",
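Review bot: this hunk removes the usage text for the `proxy:` option while the surrounding lines still document every other option; if `proxy:` is still parsed, keep its description next to the new `websocketserver:` entry rather than replacing it. The new comment also reads differently from its neighbours ("Tells ssltunnel to proxy ..." versus the imperative "Act as ...", "To make ..."), so a line such as `# Proxy WebSocket traffic to the server at 127.0.0.1:9999 instead` would match the existing style.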

Can you fix the phrasing of this comment to match the previous ones?

Otherwise this looks nice (as nice as ssltunnel code can look).
Attachment #452311 - Flags: review?(ted.mielczarek) → review+
http://hg.mozilla.org/mozilla-central/rev/90ade0c197ed
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
backed out due to oranges on linux m0 tests...will investigate
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Pushed fixed version as http://hg.mozilla.org/mozilla-central/rev/d1183b4f57b1.  The problem in comment #5 was caused by polling on an unused socket, which works OK on mac and win, but returns POLLHUP on linux.
Status: REOPENED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Patch for this bug breaks functionality of ssltunnel when not used in HTTP proxy mode.
Blocks: 466524
Blocks: 761529