JDK-6206466 : Plugin can't make SSL connections through squid proxy with NTLM authentication
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 1.4.2
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2004-12-09
  • Updated: 2010-09-29
  • Resolved: 2007-04-24
Related Reports
Duplicate :  
Description
FULL PRODUCT VERSION :
java version "1.4.2_06"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_06-b03)
Java HotSpot(TM) Client VM (build 1.4.2_06-b03, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [Version 5.1.2600]

EXTRA RELEVANT SYSTEM CONFIGURATION :
Squid 2.5 proxy server with NTLM authentication enabled

A DESCRIPTION OF THE PROBLEM :
After moving his intranet site to an https url, our customer could no longer use embedded applets.

When trying to load jars from an https url via squid proxy with NTLM authentication, the plugin has trouble performing the NTLM handshake. Apparently the proxy closes the connection after the second handshake stage (announcing that it will do so in its http response), so the plugin has to open a new connection for the third stage. However, the request sent over this connection is garbled, missing the initial CONNECT... line.
Comparing the plugin's handshake attempts to the successful ones of the embedding browser (Firefox), one sees that the latter includes the http header "Proxy-Connection: keep-alive", and the proxy does not close the connection after the second stage. Moreover, when loading jars from a non-ssl site, the plugin also includes this header in its requests and the handshake with the proxy succeeds.

Transcript of unsuccessful handshake attempt follows:

==== First Request ====
CONNECT somehost.somedomain.de:443 HTTP/1.1
cookie: JSESSIONID=0ae1041e2ee3df45fee861a540ad9308be93738b6b34
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.4.2_05
Host: 192.192.42.43
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2

==== First Response ====
HTTP/1.0 407 Proxy Authentication Required
Server: squid/2.5.STABLE5
Mime-Version: 1.0
Date: Fri, 10 Sep 2004 08:44:34 GMT
Content-Type: text/html
Content-Length: 1317
Expires: Fri, 10 Sep 2004 08:44:34 GMT
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="Squid proxy-caching web server"
X-Cache: MISS from squid.mydomain.de
Proxy-Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><!-- Squid error page omitted --></HTML>

==== Second Request ====
CONNECT somehost.somedomain.de:443 HTTP/1.1
cookie: JSESSIONID=0ae1041e2ee3df45fee861a540ad9308be93738b6b34
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.4.2_05
Host: 192.192.42.43
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-authorization: NTLM TlRMTVNTUAABAA... // Auth info omitted

==== Second Response ====
HTTP/1.0 407 Proxy Authentication Required
Server: squid/2.5.STABLE5
Mime-Version: 1.0
Date: Fri, 10 Sep 2004 08:44:34 GMT
Content-Type: text/html
Content-Length: 1317
Expires: Fri, 10 Sep 2004 08:44:34 GMT
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: NTLM TlRMTVNTUAACAA... // Auth info omitted
X-Cache: MISS from squid.mydomain.de
Proxy-Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><!-- Squid error page omitted --></HTML>

==== Third Request (garbled) ====
cookie: JSESSIONID=0ae1041e2ee3df45fee861a540ad9308be93738b6b34
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.4.2_05
Host: 192.192.42.43
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-authorization: NTLM TlRMTVNTUAADAA... // Auth info omitted

==== Third Response ====
HTTP/1.0 400 Bad Request
Server: squid/2.5.STABLE5
Mime-Version: 1.0
Date: Fri, 10 Sep 2004 08:44:34 GMT
Content-Type: text/html
Content-Length: 1584
Expires: Fri, 10 Sep 2004 08:44:34 GMT
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from squid.mydomain.de
Proxy-Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><!-- Squid error page omitted --></HTML>

==============


STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Set up squid proxy with NTLM authentication
Load applet from an https url

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Applet runs.
ACTUAL -
Loading applet fails.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
Browser status line shows "Applet notinited" and the Java Console displays the following stack trace:

java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.0 400 Bad Request"
	at sun.net.www.protocol.http.HttpURLConnection.doTunneling(Unknown Source)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.setProxiedClient(Unknown Source)
	at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.superConnect(Unknown Source)
	at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.connect(Unknown Source)
	at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.getInputStream(Unknown Source)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
	at sun.plugin.net.protocol.http.HttpUtils.followRedirects(Unknown Source)
	at sun.plugin.cache.CachedJarLoader.isUpToDate(Unknown Source)
	at sun.plugin.cache.CachedJarLoader.loadFromCache(Unknown Source)
	at sun.plugin.cache.CachedJarLoader.load(Unknown Source)
	at sun.plugin.cache.JarCache.get(Unknown Source)
	at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect(Unknown Source)
	at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source)
	at sun.misc.URLClassPath$JarLoader.getJarFile(Unknown Source)
	at sun.misc.URLClassPath$JarLoader.<init>(Unknown Source)
	at sun.misc.URLClassPath$3.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.misc.URLClassPath.getLoader(Unknown Source)
	at sun.misc.URLClassPath.getLoader(Unknown Source)
	at sun.misc.URLClassPath.getResource(Unknown Source)
	at java.net.URLClassLoader$1.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.net.URLClassLoader.findClass(Unknown Source)
	at sun.applet.AppletClassLoader.findClass(Unknown Source)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at sun.applet.AppletClassLoader.loadClass(Unknown Source)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at sun.applet.AppletClassLoader.loadCode(Unknown Source)
	at sun.applet.AppletPanel.createApplet(Unknown Source)
	at sun.plugin.AppletViewer.createApplet(Unknown Source)
	at sun.applet.AppletPanel.runLoader(Unknown Source)
	at sun.applet.AppletPanel.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
java.lang.NullPointerException
	at sun.net.www.protocol.http.HttpURLConnection.doTunneling(Unknown Source)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.setProxiedClient(Unknown Source)
	at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.superConnect(Unknown Source)
	at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.connect(Unknown Source)
	at sun.net.www.protocol.https.PluginDelegateHttpsURLConnection.getInputStream(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(Unknown Source)
	at java.net.HttpURLConnection.getResponseCode(Unknown Source)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
	at sun.plugin.cache.CachedJarLoader.load(Unknown Source)
	at sun.plugin.cache.JarCache.get(Unknown Source)
	at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect(Unknown Source)
	at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source)
	at sun.misc.URLClassPath$JarLoader.getJarFile(Unknown Source)
	at sun.misc.URLClassPath$JarLoader.<init>(Unknown Source)
	at sun.misc.URLClassPath$3.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.misc.URLClassPath.getLoader(Unknown Source)
	at sun.misc.URLClassPath.getLoader(Unknown Source)
	at sun.misc.URLClassPath.getResource(Unknown Source)
	at java.net.URLClassLoader$1.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.net.URLClassLoader.findClass(Unknown Source)
	at sun.applet.AppletClassLoader.findClass(Unknown Source)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at sun.applet.AppletClassLoader.loadClass(Unknown Source)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at sun.applet.AppletClassLoader.loadCode(Unknown Source)
	at sun.applet.AppletPanel.createApplet(Unknown Source)
	at sun.plugin.AppletViewer.createApplet(Unknown Source)
	at sun.applet.AppletPanel.runLoader(Unknown Source)
	at sun.applet.AppletPanel.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)


REPRODUCIBILITY :
This bug can be reproduced always.
###@###.### 2004-12-09 16:04:36 GMT
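
Added example, not code from the bug report or from the JDK: a model of the CONNECT + NTLM proxy handshake shown in the transcript above, written so that every attempt, including a retry over a freshly opened connection, carries the complete request with its CONNECT line. The proxy is a constructed stand-in (`FakeNtlmProxy`) that copies the behaviour observed in the report: 407 with "Proxy-Connection: close" after stages 1 and 2 unless the client sent "Proxy-Connection: keep-alive", and 400 for a request that has lost its request line. The NTLM tokens (`ntlm_token`) carry only the NTLMSSP header and message type, with no real credentials; `ntlm_message_type` reads that type back out of a base64 token, which is enough to check a capture stage by stage. One assumption beyond the report is made explicit in `ntlm_connect`: NTLM binds the type 2 challenge to the TCP connection it was sent on, so when the proxy closes the connection the client restarts from an anonymous CONNECT on the new socket rather than carrying the type 3 across.

```python
# Added example (constructed stand-in proxy, placeholder NTLM tokens).
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"  # signature at the start of every NTLM message

def ntlm_message_type(token):
    """Message type (1, 2 or 3) of a base64 NTLM token: the NTLMSSP signature
    is followed by a little-endian uint32 at offset 8. In the transcript above
    'TlRMTVNTUAABAA...' decodes to type 1, '...UAAC...' to 2, '...UAAD...' to 3."""
    raw = base64.b64decode(token)
    if len(raw) < 12 or raw[:8] != NTLMSSP:
        raise ValueError("not an NTLMSSP token")
    return struct.unpack_from("<I", raw, 8)[0]

def ntlm_token(msg_type):
    """Header-only placeholder token (constructed, carries no credentials)."""
    return base64.b64encode(NTLMSSP + struct.pack("<I", msg_type)).decode()

def parse_message(raw):
    """Split an HTTP request or response into (start line, headers, body).
    Names are lower-cased; repeated headers (the two Proxy-Authenticate lines
    in the first 407 above) are kept in order as a list."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start, headers, body

def build_connect(host, port, keep_alive, token=None):
    """Full CONNECT request. The request line is emitted unconditionally, so a
    retry on a new connection can never degrade into a bare header block."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if keep_alive:
        lines.append("Proxy-Connection: keep-alive")
    if token:
        lines.append(f"Proxy-Authorization: NTLM {token}")
    return "\r\n".join(lines) + "\r\n\r\n"

class FakeNtlmProxy:
    """Constructed stand-in for the squid proxy in the transcript."""
    def __init__(self):
        self.requests, self.connections = [], 0

    def open(self):
        self.connections += 1
        return _Conn(self)

    def handle(self, conn, raw):
        self.requests.append(raw)
        start, hdrs, _ = parse_message(raw)
        if not start.startswith("CONNECT "):     # the garbled third request
            conn.closed = True
            return "HTTP/1.0 400 Bad Request\r\nProxy-Connection: close\r\n\r\n"
        auth = hdrs.get("proxy-authorization", [""])[0]
        msg = ntlm_message_type(auth[5:]) if auth.startswith("NTLM ") else 0
        if msg == 3 and conn.challenged:         # type 3 only counts on the
            return "HTTP/1.0 200 Connection established\r\n\r\n"  # challenged conn
        challenge = "NTLM"
        if msg == 1:
            conn.challenged = True
            challenge = "NTLM " + ntlm_token(2)
        conn.closed = "keep-alive" not in hdrs.get("proxy-connection", [])
        close = "close" if conn.closed else "keep-alive"
        return ("HTTP/1.0 407 Proxy Authentication Required\r\n"
                f"Proxy-Authenticate: {challenge}\r\nProxy-Connection: {close}\r\n\r\n")

class _Conn:
    def __init__(self, proxy):
        self.proxy, self.closed, self.challenged = proxy, False, False

    def send(self, raw):
        if self.closed:
            raise ConnectionResetError("proxy closed this connection")
        return self.proxy.handle(self, raw)

def ntlm_connect(proxy, host, port, keep_alive=True, max_attempts=6):
    """Drive the handshake; only the NTLM offer is used, never the Basic one
    the proxy also advertises. NTLM binds the challenge to the TCP connection,
    so when the proxy closes it we reopen and restart from an anonymous CONNECT."""
    conn, token = proxy.open(), None
    for _ in range(max_attempts):
        start, hdrs, _ = parse_message(conn.send(build_connect(host, port, keep_alive, token)))
        status = int(start.split()[1])
        if status == 200:
            return conn
        if status != 407:
            raise IOError(f'Unable to tunnel through proxy. Proxy returns "{start}"')
        offers = [v for v in hdrs.get("proxy-authenticate", []) if v.split()[0] == "NTLM"]
        if not offers:
            raise IOError("proxy does not offer NTLM")
        # bare "NTLM" -> send type 1; "NTLM <type 2>" -> answer with type 3
        # (a real client derives the type 3 from the challenge and credentials)
        token = ntlm_token(3) if " " in offers[0] else ntlm_token(1)
        if conn.closed or "close" in hdrs.get("proxy-connection", []):
            conn, token = proxy.open(), None   # restart on the new connection
    raise IOError(f"NTLM handshake did not complete in {max_attempts} attempts")
```

With `keep_alive=True` the handshake completes in three requests on one connection; with `keep_alive=False` the stand-in proxy closes after every 407, the client keeps restarting and gives up after `max_attempts`, and every request it sent still begins with the CONNECT line. Two points worth keeping in mind when reading the real transcript: the first 407 also offers `Basic`, and a client that quietly falls back to it would send the user's password base64-encoded over the proxy hop, so the client here only ever answers the NTLM offer; and the three base64 tokens can be checked with `ntlm_message_type` to confirm the plugin really did reach stage 3 before the request was garbled.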

Comments
EVALUATION This bug is actually a duplicate of 6356776. CR 6356776 was fixed as a side effect of 6226610.
29-07-2010

EVALUATION The bug only happened when setting the HTTP Content-Length request property. From the webbug (http://forum.java.sun.com/thread.jspa?threadID=409214&tstart=240) description and discussion, the bug is caused by the issue of conn.setRequestProperty( "Content-Length", "total bytes" ), which has been fixed by 6226610, and the fix is integrated into jdk 6 and 1.4.2_13
24-04-2007

EVALUATION Cannot replay the bug on Squid proxy with NTLM, retarget to Dolphin.
14-10-2005

EVALUATION The exception is thrown in JSSE. Reassign to the networking/security team. ###@###.### 2004-12-09 22:39:18 GMT
Looks like there are a couple of things. First is that we are missing the CONNECT line. Second is the null pointer. Could be related. Anyway, needs investigation. It could be a network issue with the http/proxied connect code. Bug filed against 1.4.2_05, don't know if it is a regression or affects later versions of the product. Girish, do the customer or other bug reports mention if JDK 5.0 fixes the issue? ###@###.### 2004-12-16 17:59:26 GMT
09-12-2004