Working double handshake

Author: gthea

src/main/java/io/split/android/client/network/HttpOverTunnelExecutor.java

@@ -9,6 +9,7 @@
 import java.util.Map;
 
 import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
 
 import io.split.android.client.utils.logger.Logger;
 
@@ -42,6 +43,7 @@ public HttpOverTunnelExecutor() {
      * @param method HTTP method for the request
      * @param headers Headers to include in the request
      * @param body Request body (null for GET requests)
+     * @param combinedSslSocketFactory The combined SSL socket factory to use for HTTPS origins
      * @return HttpResponse containing the server's response
      * @throws IOException if the request execution fails
      */
@@ -51,21 +53,22 @@ public HttpResponse executeRequest(
             @NonNull URL targetUrl,
             @NonNull HttpMethod method,
             @NonNull Map<String, String> headers,
-            @Nullable String body) throws IOException {
+            @Nullable String body,
+            @NonNull SSLSocketFactory combinedSslSocketFactory) throws IOException {
 
-        Logger.v("Executing " + method + " request to " + targetUrl + " through SSL tunnel");
+        Logger.v("Executing request through SSL tunnel to: " + targetUrl);
 
         try {
             if ("https".equalsIgnoreCase(targetUrl.getProtocol())) {
                 // For HTTPS origins, we still need to establish SSL connection to origin
-                // through the tunnel
-                return executeHttpsRequest(tunnelSocket, targetUrl, method, headers, body);
+                // through the tunnel using the combined SSL socket factory
+                return executeHttpsRequest(tunnelSocket, targetUrl, method, headers, body, combinedSslSocketFactory);
             } else {
                 // For HTTP origins, send request directly through tunnel
                 return executeHttpRequest(tunnelSocket, targetUrl, method, headers, body);
             }
-            
-        } catch (IOException e) {
+        } catch (Exception e) {
+            Logger.e("Failed to execute request through tunnel: " + e.getMessage());
             e.printStackTrace();
             throw new IOException("Failed to execute HTTP request through tunnel to " + targetUrl, e);
         }
@@ -80,39 +83,45 @@ private HttpResponse executeHttpsRequest(
             @NonNull URL targetUrl,
             @NonNull HttpMethod method,
             @NonNull Map<String, String> headers,
-            @Nullable String body) throws IOException {
+            @Nullable String body,
+            @NonNull SSLSocketFactory combinedSslSocketFactory) throws IOException {
 
         Logger.v("Establishing SSL connection to HTTPS origin through tunnel");
 
-        // The tunnel is established and working (we're past the SSL protocol errors).
-        // The issue now is that we're sending HTTP requests to an HTTPS origin.
-        // We need to perform SSL handshake with the origin server through the tunnel.
+        // After CONNECT, the tunnel is transparent and we need to establish
+        // a new SSL connection to the origin server through the tunnel.
+        // This implements the "onion layering" architecture:
+        // - Outer layer: SSL connection to proxy (already established)
+        // - Inner layer: SSL connection to origin (through tunnel)
 
         try {
-            // Create SSL context and engine for manual SSL handling
-            javax.net.ssl.SSLContext sslContext = javax.net.ssl.SSLContext.getInstance("TLS");
-            sslContext.init(null, null, null);
-            
-            javax.net.ssl.SSLEngine sslEngine = sslContext.createSSLEngine(targetUrl.getHost(), getTargetPort(targetUrl));
-            sslEngine.setUseClientMode(true);
-            
-            // Begin SSL handshake
-            sslEngine.beginHandshake();
+            // Use the same combined SSL socket factory that was used for the tunnel
+            // This factory contains both proxy CA and origin CA certificates
+            // so it can validate both proxy and origin server certificates
 
-            // Get the tunnel socket's streams
-            java.io.InputStream tunnelInput = tunnelSocket.getInputStream();
-            java.io.OutputStream tunnelOutput = tunnelSocket.getOutputStream();
+            // Create SSL socket to origin server using tunnel socket as the underlying transport
+            // This uses the correct SSLSocketFactory.createSocket(Socket, String, int, boolean) method
+            javax.net.ssl.SSLSocket originSslSocket = (javax.net.ssl.SSLSocket) 
+                combinedSslSocketFactory.createSocket(
+                    tunnelSocket,           // Use tunnel socket as underlying transport
+                    targetUrl.getHost(),    // Origin server hostname
+                    getTargetPort(targetUrl), // Origin server port
+                    false                   // Don't auto-close underlying socket
+                );
 
-            // Perform SSL handshake using the tunnel streams
-            performSslHandshake(sslEngine, tunnelInput, tunnelOutput);
+            // Configure SSL socket for client mode
+            originSslSocket.setUseClientMode(true);
 
-            Logger.v("SSL handshake with origin server completed through tunnel");
+            // Perform SSL handshake with origin server through tunnel
+            Logger.v("Performing SSL handshake with origin server through tunnel");
+            originSslSocket.startHandshake();
+            Logger.v("SSL handshake with origin server completed successfully");
 
-            // Now we can send HTTP requests through the SSL engine
-            sendHttpRequestThroughSsl(sslEngine, tunnelInput, tunnelOutput, targetUrl, method, headers, body);
+            // Now send HTTP request through the SSL connection to origin
+            sendHttpRequest(originSslSocket, targetUrl, method, headers, body);
 
-            // Read and parse HTTP response through SSL engine
-            HttpResponse response = readHttpResponseThroughSsl(sslEngine, tunnelInput, tunnelOutput);
+            // Read and parse HTTP response from origin
+            HttpResponse response = mResponseParser.parseHttpResponse(originSslSocket.getInputStream());
 
             Logger.v("HTTPS request completed successfully, status: " + response.getHttpStatus());
             return response;

src/main/java/io/split/android/client/network/ProxyCacertConnectionHandler.java

@@ -77,7 +77,8 @@ public HttpResponse executeRequest(@NonNull HttpProxy httpProxy,
                 targetUrl,
                 method,
                 headers,
-                body
+                body,
+                sslSocketFactory  // Pass the combined SSL socket factory for HTTPS origins
             );
 
             Logger.v("PROXY_CACERT request completed successfully, status: " + response.getHttpStatus());

src/main/java/io/split/android/client/network/SslProxyTunnelEstablisher.java

@@ -54,18 +54,22 @@ public SSLSocket establishTunnel(@NonNull String proxyHost,
             // Step 1: Create raw socket connection to proxy
             System.out.println("Step 1: Creating raw socket connection to proxy...");
             rawSocket = new Socket(proxyHost, proxyPort);
+            rawSocket.setSoTimeout(10000); // 10 second timeout
             System.out.println("Raw socket connected to proxy: " + proxyHost + ":" + proxyPort);
 
             // Step 2: Create SSL engine for proxy authentication using custom CA certificates
-            System.out.println("Step 2: Creating SSL engine for proxy authentication...");
+            System.out.println("Step 2: Creating SSL socket for proxy authentication...");
 
             // We need to use the provided SSLSocketFactory which contains the custom CA certificates
             // Create a temporary SSL socket to establish the SSL session with proper trust validation
             sslSocket = (SSLSocket) sslSocketFactory.createSocket(rawSocket, proxyHost, proxyPort, false);
             sslSocket.setUseClientMode(true);
+            sslSocket.setSoTimeout(10000); // 10 second timeout
+            System.out.println("SSL socket created successfully");
 
             // Perform SSL handshake using the SSL socket with custom CA certificates
             System.out.println("Performing SSL handshake with custom CA certificates...");
+            System.out.println("About to call sslSocket.startHandshake()...");
             sslSocket.startHandshake();
             System.out.println("SSL handshake completed successfully with custom CA validation");
 

src/test/java/io/split/android/client/network/HttpClientTunnellingProxyTest.java

@@ -370,6 +370,8 @@ public void run() {
 
                 javax.net.ssl.SSLServerSocketFactory factory = sslContext.getServerSocketFactory();
                 mServerSocket = factory.createServerSocket(mPort);
+                mPort = mServerSocket.getLocalPort(); // Update mPort with the actual assigned port
+                
                 // Don't require client auth - this is server-only SSL
                 ((javax.net.ssl.SSLServerSocket) mServerSocket).setWantClientAuth(false);
                 ((javax.net.ssl.SSLServerSocket) mServerSocket).setNeedClientAuth(false);
@@ -444,7 +446,7 @@ private static class TunnelProxy extends Thread {
         // Latch to signal that a CONNECT tunnel was established
         private final CountDownLatch mTunnelLatch = new CountDownLatch(1);
         // Port to listen on (0 = auto-assign)
-        protected final int mPort;
+        protected int mPort;
         // The server socket for accepting connections
         public ServerSocket mServerSocket;
         // Flag to control proxy shutdown