Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 181320

Summary: regression in cvs access over socks proxy in 3.3 M6
Product: [Eclipse Project] Platform Reporter: Daniel Friederich <danielfriederich>
Component: TeamAssignee: Michael Valenta <Michael.Valenta>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: P3 CC: pawel.pogorzelski1
Version: 3.3   
Target Milestone: 3.3 M7   
Hardware: PC   
OS: Windows XP   
Whiteboard:

Description Daniel Friederich CLA 2007-04-05 16:57:55 EDT 
Build ID: I20070323-1616

Steps To Reproduce:
See below. to reproduce access to our firewall from inside is necessary, but I think the issue is clear.

More information:
With 3.2, there is an separate "Proxy Settings" preference page 
under Team->Cvs. Under this page, I'm able to explicitely specify
to use a Socks5 proxy (and not a HTTP one). With this setting I'm able to access dev.eclipse.org with anonymous  pserver access.

With 3.3, this preference page is gone. Instead there is now a "General->Network Connections" preference page which lets me specify the socks proxy and the http proxy at the same time, but it does not let me specify to use a socks and not HTTP proxy for cvs access anymore.

If I try to use 3.3 with both the socks and the http proxy properly configured, then I'm not able to reach dev.eclipse.org with anonymous cvs access :-(
The error message is:
"Could not connect to :pserver:annonymous@dev.eclipse.org:/cvsroot/tools: I/O exception occured: ProxyHTTP: java.io.IOException: proxy error: Forbidden. Set project sharing anyway?"

The ProxyHTTP part in there, and the observation that the connection actually works if I do not specify the HTTP proxy at all let me believe that 3.3 does no longer support the setup I have here in my office.
Comment 1 Atsuhiko Yamanaka CLA 2007-04-05 22:21:56 EDT 
(In reply to comment #0)
> The ProxyHTTP part in there, and the observation that the connection actually
> works if I do not specify the HTTP proxy at all let me believe that 3.3 does no
> longer support the setup I have here in my office.

In the current implementation, pserver in Eclipse 3.3M6 will choose SOCKS
server if the settings for HTTPS proxy(HTTP CONNECT tunneling) and SOCKS proxy
are simultaneously given on the Preference page.

I think this heuristics is reasonable, because, thanks to the check box
"Use this proxy server for all protocols" on the Preference page,
the field for SOCKS will be always filled even if users are not behind the SOCKS server.

IMHO, if that check box changes its behavior(ignoring SOCKS field), it must
be reasonable that pserver will choose SOCKS server in your case.
Comment 2 Daniel Friederich CLA 2007-04-05 22:42:39 EDT 
(In reply to comment #1)
> 
> In the current implementation, pserver in Eclipse 3.3M6 will choose SOCKS
> server if the settings for HTTPS proxy(HTTP CONNECT tunneling) and SOCKS proxy
> are simultaneously given on the Preference page.
That does sound resonable, but that's not what I experience. For me the connection works only if the SOCKS proxy is given and the SSL proxy is empty. Once the SSL proxy is specified I get the mentioned ProxyHTTP error.
So for me it looks as if it does not choose SOCKS if both proxies are specified, not even as fallback when the SSL or HTTP proxy fails.

> 
> I think this heuristics is reasonable, because, thanks to the check box
> "Use this proxy server for all protocols" on the Preference page,
> the field for SOCKS will be always filled even if users are not behind the
> SOCKS server.

Actually I cannot follow here. I personally do not have the "Use this proxy server for all protocols" checked because the SOCKS proxy is running on the same machine, but it uses another port. So I did configure all 3 entries explicitly. 

> 
> IMHO, if that check box changes its behavior(ignoring SOCKS field), it must
> be reasonable that pserver will choose SOCKS server in your case.
> 

I did not see anything special with the "Use this proxy server for all protocols" checkbox. It just does not work when this one is checked and that's not unexpected given the non working behavior when it is not checked and the individual fields are similarly configured.
Comment 3 Atsuhiko Yamanaka CLA 2007-04-05 22:46:26 EDT 
(In reply to comment #1)
> In the current implementation, pserver in Eclipse 3.3M6 will choose SOCKS
> server if the settings for HTTPS proxy(HTTP CONNECT tunneling) and SOCKS proxy
> are simultaneously given on the Preference page.

Oops, that is typo.  I meant that HTTPS proxy will be choosed as you have
encountered.
Comment 4 Atsuhiko Yamanaka CLA 2007-04-05 22:55:23 EDT 
(In reply to comment #2)
> (In reply to comment #1)
> > 
> > In the current implementation, pserver in Eclipse 3.3M6 will choose SOCKS
> > server if the settings for HTTPS proxy(HTTP CONNECT tunneling) and SOCKS proxy
> > are simultaneously given on the Preference page.
> That does sound resonable, but that's not what I experience. 

Yes, you are right.  HTTPS will be chosen in that case.

> Actually I cannot follow here. I personally do not have the "Use this proxy
> server for all protocols" checked because the SOCKS proxy is running on the
> same machine, but it uses another port. So I did configure all 3 entries
> explicitly. 

Yes, I agree with you again.  The SOCKS proxy field should be filled by users
who are behind the SOCKS server and it must be really rare case that 
the fileds for HTTP and SOCKS have the same value.
Comment 5 Michael Valenta CLA 2007-04-09 09:04:21 EDT 
I think what you suggest makes sense. CVS should use the most general proxy type (SOCKS) if it is available and only use SSL if no SOCKS proxy is specified.
Comment 6 Michael Valenta CLA 2007-04-09 09:54:45 EDT 
I have changed the code to check for SOCKS first and then HTTPS (SSL). I did this in both the CVS pserver case and the general SSH2 case.
Comment 7 Atsuhiko Yamanaka CLA 2007-04-09 22:35:47 EDT 
(In reply to comment #6)
> I have changed the code to check for SOCKS first and then HTTPS (SSL). I did
> this in both the CVS pserver case and the general SSH2 case.

Is there a plan to change the behavior of the checkbox 
"Use this proxy server for all protocols" ?  If there is no plan,
I guess your fix will make other bug reports.
Comment 8 Michael Valenta CLA 2007-04-10 09:57:49 EDT 
Can you explain what you mean? What issue are you referring to? How would you like to see it addressed? I need to understand the issue before I can do anything about it. Or are you just saying that users don't understand the implications of enabling the "Use this proxy server for all protocols"  (as indicated by bug 181655)?
Comment 9 Pawel Pogorzelski CLA 2009-03-03 11:49:57 EST 
(In reply to comment #6)
> I have changed the code to check for SOCKS first and then HTTPS (SSL). I did
> this in both the CVS pserver case and the general SSH2 case.
> 

This resolution doesn't support users having HTTPS proxy defined and wishing to connect directly to CVS server using pserver. In such case fall back policy ignores null entry for SOCKS proxy and chooses HTTPS entry. Bug 265277 has been opened to track this problem.

My question is: do we need such a fall back policy? Wouldn't it be better to require exact settings from user?

IMO another problem is the level on which this fallback happens. Shouldn't it try to make connection using SOCKS proxy settings and if it fails try to connect with HTTPS settings.