Bug 1573132 - LWP should use a CONNECT tunnel for HTTPS requests when using a proxy
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: perl-LWP-Protocol-https
Version: 7.5
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
Assignee: Petr Pisar
Blocks: 1573737
Reported: 2018-04-30 10:04 UTC by F. Bernattzki
Modified: 2019-11-21 14:49 UTC (History)

Last Closed: 2019-11-21 14:49:03 UTC


Attachments
Upstream fix (12.70 KB, patch)
2018-05-02 07:42 UTC, Petr Pisar
Fix ported to 6.04 (13.14 KB, patch)
2019-08-07 16:40 UTC, Petr Pisar

Description F. Bernattzki 2018-04-30 10:04:19 UTC
Description of problem:
perl-lwp-protocol-https is outdated, having issues with https and proxies as well as other issues, that were fixed in the last release 6.07.

Version-Release number of selected component (if applicable):
6.04

See Changelog for full updates: http://cpansearch.perl.org/src/OALDERS/LWP-Protocol-https-6.07/Changes

Highlights are:
* Explicitly add hostname for SNI to start_SSL (GH PR#17)
* correct behavior for https_proxy

Comment 2 Petr Pisar 2018-04-30 11:53:53 UTC
The requested LWP-Protocol-https-6.07 requires newer libwww-perl ≥ 6.06. RHEL-7 has perl-libwww-perl-6.05. We do not rebase packages without a reason.

We can look if it is possible to port missing features or fixes to RHEL's version, but for that we need to know what exact feature or bug you are requesting.

Please contact Red Hat support that helps you identify your business case and escalate this issue.

Comment 3 F. Bernattzki 2018-04-30 13:04:28 UTC
I will explain our usage:
We do have Perl scripts that connect via an HTTP proxy towards HTTPS servers. For this, the CONNECT method is required to be used. The delivered version does not accept this and is sending 'GET https://<host>', which is correctly answered by the proxy with 501 - not implemented.

We had these Perl scripts running successfully on Debian and found now that they are not working in RHEL. We drilled it down to the updates made with this commit for LWP-Protocol-https https://github.com/libwww-perl/LWP-Protocol-https/commit/ec57b73f6a73135f37fbc147bbae99ab8d20b9aa and the corresponding patch in libwww-perl you mentioned as requirement https://github.com/libwww-perl/libwww-perl/commit/cb80c2ddb70dff2f892ade86d2aa5ce4939442f8

Comment 4 Petr Pisar 2018-05-02 07:41:08 UTC
According to "5.3.2. absolute-form" section of RFC 7230, clients can pass an absolute URL to a non-CONNECT method when talking to a proxy <https://tools.ietf.org/html/rfc7230#section-5.3.2>:

   When making a request to a proxy, other than a CONNECT or server-wide
   OPTIONS request (as detailed below), a client MUST send the target
   URI in absolute-form as the request-target.

     absolute-form  = absolute-URI

   The proxy is requested to either service that request from a valid
   cache, if possible, or make the same request on the client's behalf
   to either the next inbound proxy server or directly to the origin
   server indicated by the request-target.  Requirements on such
   "forwarding" of messages are defined in Section 5.7.

   An example absolute-form of request-line would be:

     GET http://www.example.org/pub/WWW/TheProject.html HTTP/1.1

   To allow for transition to the absolute-form for all requests in some
   future version of HTTP, a server MUST accept the absolute-form in
   requests, even though HTTP/1.1 clients will only send them in
   requests to proxies.


Proxies like Squid or Privoxy support it:

$ lwp-request -m HEAD -p 'http://s01.brq.redhat.com:3128/' https://bugzilla.redhat.com/
200 OK
Connection: close
[...]

And on the network:

09:11:12.580150 IP 10.43.2.191.33100 > 10.34.255.6.squid: Flags [P.], seq 1:168, ack 1, win 229, options [nop,nop,TS val 1158608 ecr 101516041], length 167
E....@@.@...
+..
"...L.8k.&.G........l.....
....... HEAD https://bugzilla.redhat.com/ HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: bugzilla.redhat.com
User-Agent: lwp-request/6.03 libwww-perl/6.05
[...]

09:11:13.355794 IP 10.34.255.6.squid > 10.43.2.191.33100: Flags [P.], seq 1:495, ack 168, win 122, options [nop,nop,TS val 101516832 ecr 1158608], length 494
E.."..@.;.x.
"..
+...8.LG...k.'....z.6.....
... ....HTTP/1.0 200 OK
Date: Wed, 02 May 2018 07:11:13 GMT
Server: Apache
[...]


Technically it's an issue with your proxy that does not fully implement RFC 7230.

However, I can imagine that it can be a security concern if a client needs end-to-end encryption. And also in your case a compatibility issue.

I will leave this bug report opened as a future request for using CONNECT-tunneled HTTP requests. But I strongly recommend you to contact Red Hat support that only can expedite resolving this issue.

Affected packages:

perl-LWP-Protocol-https-6.04-4.el7.noarch
perl-libwww-perl-6.05-2.el7.noarch
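
Added example, not part of the bug report and not LWP code: a small Python classifier for request-lines seen on the client-to-proxy link, separating the absolute-form `https://` request shown in the capture in comment 4 from a CONNECT tunnel. The names `classify_request_line`, `exposed_requests` and `Finding`, and the CONNECT sample line, are assumptions made for this illustration.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

# request-line = method SP request-target SP HTTP-version (RFC 7230, section 3.1.1)
REQUEST_LINE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+) (\S+) HTTP/\d\.\d$")
# authority-form = host ":" port, the only target a CONNECT request may carry
AUTHORITY = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[^/:@\s\[\]]+):\d{1,5}$")
# exposed is True when an https:// request is readable on the proxy link
Finding = namedtuple("Finding", "form exposed note")


def classify_request_line(line):
    """Classify one request-line observed between a client and its proxy."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return Finding("invalid", False, "not an HTTP/1.x request-line")
    method, target = m.groups()
    if method == "CONNECT":
        if AUTHORITY.match(target):
            return Finding("authority-form", False, "tunnel; TLS is end to end")
        return Finding("invalid", False, "CONNECT needs host:port")
    if target == "*":
        return Finding("asterisk-form", False, "server-wide request")
    if target.startswith("/"):
        return Finding("origin-form", False, "not addressed to a proxy")
    try:
        url = urlsplit(target)
    except ValueError:
        return Finding("invalid", False, "malformed URI")
    if url.scheme.lower() == "https" and url.netloc:
        return Finding("absolute-form", True, "proxy reads request, opens TLS itself")
    if url.scheme and url.netloc:
        return Finding("absolute-form", False, "plain forwarded request")
    return Finding("invalid", False, "unrecognised request-target")


# First line is from the capture in comment 4, second from the RFC text quoted
# there; the CONNECT line is constructed to show the tunnelled equivalent.
SAMPLE = [
    "HEAD https://bugzilla.redhat.com/ HTTP/1.1",
    "GET http://www.example.org/pub/WWW/TheProject.html HTTP/1.1",
    "CONNECT bugzilla.redhat.com:443 HTTP/1.1",
]


def exposed_requests(lines):
    """Return the request-lines that carry an https:// URL outside a tunnel."""
    return [l for l in lines if classify_request_line(l).exposed]
```

Run over request-lines extracted from a capture of the client-to-proxy link, `exposed_requests` lists the clients that still hand HTTPS requests to the proxy in the clear.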

Comment 5 Petr Pisar 2018-05-02 07:42:27 UTC
Created attachment 1429743 [details]
Upstream fix

Comment 14 Petr Pisar 2019-08-07 16:40:55 UTC
Created attachment 1601456 [details]
Fix ported to 6.04

Comment 15 Peter Bieringer 2019-09-03 11:03:23 UTC
Any update on this? Will EL7 perl-LWP-Protocol-https-6.04-4.el7.noarch get that fix?

Comment 16 Petr Pisar 2019-11-21 14:49:03 UTC
Red Hat does not plan to add this feature into Red Hat Enterprise Linux 7 and recommends you to move to Red Hat Enterprise Linux 8 that contains this feature.

