SOCKSv4 traversal broken?

Damjan Jovanovic damjan.jov at gmail.com
Wed Feb 24 09:31:51 PST 2010


Hi

While working on another issue with SOCKS proxies (https://bugs.openjdk.java.net/show_bug.cgi?id=100130), I picked up this problem.

Currently, in both OpenJDK6 and OpenJDK7, java.net.SocksSocketImpl always tries to talk to a SOCKS proxy using SOCKSv5, and if that fails it falls back to SOCKSv4. (There is also a way to only use SOCKSv4, with the private useV4 boolean field, but that is only written to from the setV4 method, which is not called from anywhere in the openjdk codebase.)

The problem is that the SOCKSv4 specification says "The SOCKS server closes its connection immediately after notifying the client of a failed or rejected request" and the SOCKSv5 RFC says "When a reply (REP value other than X'00') indicates a failure, the SOCKS server MUST terminate the TCP connection shortly after sending the reply. This must be no more than 10 seconds after detecting the condition that caused a failure." Retrying with a different SOCKS version on the same connection thus isn't ever supposed to work.

So SOCKSv4 should be completely broken in practice.

Since SocksSocketImpl is a socket that can only connect once, should we first be making a connection through a different socket to check the SOCKS version?

Most applications avoid this problem by treating SOCKSv4 and SOCKSv5 proxies as completely different proxy types.

Thank you
Damjan Jovanovic
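
The fallback behaviour described in the message above, as an added protocol-level example in Python (not part of the original post and not OpenJDK code). It assumes a constructed SOCKSv4-only server that rejects with CD=91 and closes, a local socket pair standing in for each TCP connection to the proxy, and a placeholder destination of 192.0.2.10:80; all function names are hypothetical.

```python
import socket
import struct
import threading

V5_GREETING = b"\x05\x01\x00"  # VER=5, one method offered, 0x00 = no authentication

def v4_connect_request(ip, port, userid=b""):
    # SOCKSv4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL terminator
    return struct.pack(">BBH4s", 4, 1, port, socket.inet_aton(ip)) + userid + b"\x00"

def socks4_only_server(conn):
    # Constructed stand-in for a SOCKSv4-only proxy: it answers one request and
    # then closes (no relaying), so a rejection is followed by an immediate close.
    with conn:
        req = conn.recv(64)
        ok = len(req) >= 9 and req[0] == 4 and req[1] == 1
        conn.sendall(bytes([0, 90 if ok else 91]) + bytes(6))

def connect_to_proxy():
    # Assumption: a local socket pair stands in for a new TCP connection.
    client, server = socket.socketpair()
    threading.Thread(target=socks4_only_server, args=(server,), daemon=True).start()
    return client

def exchange(sock, msg):
    # Send one message and read one 8-byte reply; b"" means the peer has closed.
    try:
        sock.sendall(msg)
        return sock.recv(8)
    except OSError:
        return b""

def granted(reply):
    return len(reply) == 8 and reply[1] == 90  # CD=90: request granted

def fallback_on_same_connection():
    # SOCKSv5 first, then SOCKSv4 on the same socket (the behaviour described above).
    with connect_to_proxy() as s:
        first = exchange(s, V5_GREETING)
        second = exchange(s, v4_connect_request("192.0.2.10", 80))
    return first, second

def fallback_on_new_connection():
    # Same order of attempts, but each SOCKS version gets its own connection.
    with connect_to_proxy() as s:
        first = exchange(s, V5_GREETING)
    with connect_to_proxy() as s:
        second = exchange(s, v4_connect_request("192.0.2.10", 80))
    return first, second
```

On the shared connection the SOCKSv4 request gets no reply because the server has already closed after rejecting the SOCKSv5 greeting; with one connection per version the same request is granted.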
