Httpclient 2368 - Support multiple TLS handshakes for HTTPS-proxy flows #519

Open
wants to merge 1 commit into master

Conversation

arturobernalg
Member

Hi @ok2c
Not sure if this is a stupid idea or makes any sense,
but to solve HTTPCLIENT-2368 I’m proposing only a change in InternalDataChannel.startTls(...):

Detect and clear any existing SSLIOSession, revert to raw I/O, then install a fresh SSLIOSession so startTls(...) can run twice (proxy → CONNECT → target) on the same channel without error.

Let me know if this narrow patch makes sense or if you’d prefer a different approach.

This patch ensures that any existing SSLIOSession is cleared and the channel reverted to raw I/O before installing a new one—allowing startTls(...) to be invoked twice (proxy → CONNECT → target) on the same connection without error.
@arturobernalg arturobernalg requested a review from ok2c May 8, 2025 13:25
@ok2c
Member

ok2c commented May 11, 2025

@arturobernalg The problem is not about executing TLS handshakes multiple times but about running multiple TLS sessions over the same connection layered one over another.

@arturobernalg
Member Author

@arturobernalg The problem is not about executing TLS handshakes multiple times but about running multiple TLS sessions over the same connection layered one over another.

@ok2c thanks for the deep dive—if I’m reading this right, InternalDataChannel permanently locks in TLS on the first handshake, so you simply can’t layer a second one on the same connection. Is there something I’m overlooking, or any other angle I should try?

@ok2c
Member

ok2c commented May 23, 2025

@ok2c thanks for the deep dive—if I’m reading this right, InternalDataChannel permanently locks in TLS on the first handshake, so you simply can’t layer a second one on the same connection. Is there something I’m overlooking, or any other angle I should try?

@arturobernalg I consciously introduced this limitation at the very beginning of HttpCore 5.0 development to reduce complexity in the TLS layer. I never expected the multiple TLS session layering to apply to our problem domain. That turned out wrong. However, proxy tunneling over HTTPS is not particularly useful or common and I see no point fixing this limitation at this moment. This is a high-effort, low-reward problem. There are more important things to be done. Besides, if we want TLS layering (and other advanced things) we might need to consider dropping HttpCore in favor of Netty instead.
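To make the distinction in the two maintainer comments above concrete, here is an added toy model; it is not HttpCore or httpclient code. A `Session` stands in for an `SSLIOSession` and uses a keyed XOR transform instead of real TLS so the byte flow can be traced offline; the keys, request and response bytes and host name are constructed for the example. `start_tls(..., layered=True)` keeps the proxy session and runs the origin session inside it (TLS-in-TLS, what an HTTPS proxy tunnel needs); `layered=False` models the approach proposed in this PR, clearing the existing session before installing a fresh one.

```python
"""Toy model of the two ways a second TLS session can be put on one connection.

Added example; not HttpCore code. A Session stands in for an SSLIOSession and uses a
keyed XOR transform instead of real TLS so the byte flow can be traced offline. The
keys, request/response bytes and host name below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List


def _xor(data: bytes, key: bytes) -> bytes:
    """Symmetric stand-in for TLS record protection (NOT encryption; for tracing only)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


@dataclass
class Session:
    """One TLS session's worth of state: who it is with and the key it protects data under."""
    peer: str
    key: bytes

    def wrap(self, plaintext: bytes) -> bytes:
        return _xor(plaintext, self.key)

    def unwrap(self, protected: bytes) -> bytes:
        return _xor(protected, self.key)


@dataclass
class Channel:
    """Client side of a single connection. sessions[0] is the outermost (proxy) session."""
    sessions: List[Session] = field(default_factory=list)

    def start_tls(self, session: Session, layered: bool) -> None:
        # layered=True : keep the existing session and run the new one inside it (TLS-in-TLS),
        #                which is what an HTTPS proxy tunnel needs.
        # layered=False: the PR's approach, drop the existing session and install a fresh one.
        if not layered:
            self.sessions.clear()
        self.sessions.append(session)

    def write(self, plaintext: bytes) -> bytes:
        """Innermost session protects first; the outermost session's output hits the wire."""
        data = plaintext
        for session in reversed(self.sessions):
            data = session.wrap(data)
        return data

    def read(self, wire: bytes) -> bytes:
        """Outermost session is removed first, innermost last."""
        data = wire
        for session in self.sessions:
            data = session.unwrap(data)
        return data


def simulate(layered: bool) -> Dict[str, object]:
    """Client -> proxy -> origin request, then origin -> proxy -> client response."""
    proxy = Session("proxy", b"\x5a\xa5")      # constructed key
    target = Session("origin", b"\x13\x37")    # constructed key
    client = Channel()
    client.start_tls(proxy, layered=True)      # handshake 1: client <-> HTTPS proxy
    # A CONNECT request/response would travel inside the proxy session at this point.
    client.start_tls(target, layered=layered)  # handshake 2: client <-> origin through the tunnel

    request = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"  # constructed
    wire = client.write(request)
    tunneled = proxy.unwrap(wire)              # proxy terminates only its own session
    at_origin = target.unwrap(tunneled)        # origin terminates the inner session

    response = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"  # constructed
    back = proxy.wrap(target.wrap(response))   # origin protects, proxy re-protects for the client
    at_client = client.read(back)

    return {
        "layers_on_channel": len(client.sessions),
        "origin_sees_request": at_origin == request,
        "proxy_sees_plaintext": tunneled == request,
        "client_reads_response": at_client == response,
    }


if __name__ == "__main__":
    print("layered :", simulate(layered=True))
    print("replaced:", simulate(layered=False))
```

In the layered run both ends read their peer's bytes and the proxy never sees the inner plaintext, which is the tunnel property wanted. In the replaced run the channel still holds one session, so the second handshake "succeeds" locally, but the proxy is now handed bytes it cannot interpret and nothing end to end decodes; with a real record layer the proxy's TLS stack would reject those records rather than forward garbage, so the connection fails at the first byte after the second handshake.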

@ok2c
Member

ok2c commented May 23, 2025

@arturobernalg Please rather focus on apache/httpcomponents-client#580 instead or if you want to work on something really complex consider looking into an event-driven implementation of GZIP for the async transport
