steve

Reputation: 297

Creating Proxy cannot correctly tunnel through SSL after browser sends CONNECT request?

I have been haunted for some time now trying to get my custom proxy to properly handle when the browser sends a CONNECT request. In order to keep it simple let me explain how I handle the process. Maybe at that point someone can help clarify what I'm doing wrong.

  1. Create server with ServerSocketChannel on port 8080.
  2. Bind that ServerSocketChannel to a Selector which essentially allows for non-blocking while the server waits for a request from port 8080.
  3. As soon as I set my browser to port 8080 and send the request https://google.com, it notifies the selector that something was sent to port 8080.
  4. I get that request and see it's a CONNECT, so I immediately create a response "Connection Established" (the request and response I send and receive are below).

Request from browser:

    CONNECT google.com:443 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 GTB7.1
    Proxy-Connection: keep-alive
    Host: google.com

Response I send back to browser over my normal socket:

HTTP/1.1 200 Connection established\r\nProxy-connection: Keep-alive\r\n\r\n

  5. Now I wait for something to be sent from the browser. I was assuming at this point an SSL request would be sent, but nothing ever gets sent. I'm starting to think it's because I have not established an SSL handshake with the browser, so it's not going to send an SSL message over that default created socket. Do you think I need to close that socket over port 8080 and establish a new SecureSocket on port 8080 right before I send the connection established response back to the browser? This is my next step. I know that the browser needs to send me more data after the initial CONNECT. I don't have enough data with just the CONNECT to go to the server yet. I'm thinking it then needs to send me another request, something like the following in SSL:

GET / Host: google.com

Once I get something like that then I can go establish my secure socket connection with the server and get back the response to send back to browser.

What do you think, am I on the right track? It's just that I get no additional message after I send connection established.

Upvotes: 2

Views: 1173

Answers (1)

user207421

Reputation: 310903

> I get that request and see it's a CONNECT so I immediately create a response "Connection Established"

That's wrong for a start. You shouldn't send "Connection Established" until you have established the connection upstream. You're lying to your client!

> I'm starting to think it's because I have not established an SSL handshake with the browser

Irrelevant. Once you have done so, the next thing you will get from the client is binary as far as you are concerned. All you should be doing from this point forwards is copying bytes.

> Do you think I need to close that socket over port 8080 and establish a new SecureSocket on port 8080

No.

> Once I get something like that then I can go establish my secure socket connection with the server

Wrong. Once you get some data from the client you should send it transparently over your existing plaintext connection with the upstream server. You don't have to engage in SSL yourself.

> I don't have enough data with just the CONNECT to go to server yet.

Yes you do. You should form the upstream connection when you are told to do so, and tell the client that you have done so when you have actually done so, and not before.

> What do you think, am I on the right track?

No.

> It's just that I get no additional message after I send connection established.

That would suggest that you haven't actually sent anything yet. NIO code is tricky. What was the return code of the write() API?

Upvotes: 7
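
The order of operations the answer describes (connect upstream, then reply 200, then copy bytes), as an added example that is not code from either poster. It uses blocking sockets and one thread per direction instead of the question's NIO selector; the class name `ConnectTunnel`, the loopback-only listener, the port-443 restriction and the 10-second connect timeout are assumptions made for the example.

```java
import java.io.*;
import java.net.*;
public class ConnectTunnel { // hypothetical name; needs Java 9+ for try (from; to)
    public static void main(String[] args) throws IOException {
        // Assumption: bind to loopback only, so this is not an open proxy.
        try (ServerSocket server = new ServerSocket(8080, 50, InetAddress.getLoopbackAddress())) {
            while (true) {
                Socket client = server.accept();
                new Thread(() -> handle(client)).start();
            }
        }
    }
    static void handle(Socket client) {
        try (Socket c = client; Socket upstream = new Socket()) {
            OutputStream out = c.getOutputStream();
            // Request line: "CONNECT host:port HTTP/1.1"; the headers are read and ignored.
            String[] p = readHead(c.getInputStream()).split("\r\n", 2)[0].split(" ");
            int colon = p.length == 3 ? p[1].lastIndexOf(':') : -1;
            if (!p[0].equals("CONNECT") || colon < 1 || !p[1].endsWith(":443")) {
                reply(out, "403 Forbidden"); // assumption: tunnel only CONNECT to port 443
                return;
            }
            try { // 1. open the upstream TCP connection first
                upstream.connect(new InetSocketAddress(p[1].substring(0, colon), 443), 10_000);
            } catch (IOException e) {
                reply(out, "502 Bad Gateway"); // never claim a tunnel that does not exist
                return;
            }
            reply(out, "200 Connection established"); // 2. only now answer the client
            new Thread(() -> pump(upstream, c)).start(); // 3. relay opaque bytes both ways
            pump(c, upstream); // the TLS handshake passes through here untouched
        } catch (IOException ignored) { } // client went away; try-with-resources closes sockets
    }
    static void reply(OutputStream out, String status) throws IOException {
        out.write(("HTTP/1.1 " + status + "\r\n\r\n").getBytes("US-ASCII"));
    }
    static String readHead(InputStream in) throws IOException {
        StringBuilder sb = new StringBuilder(); // read byte by byte: never consume tunnel data
        for (int b; sb.length() < 8192 && (b = in.read()) != -1; ) {
            sb.append((char) b);
            if (sb.length() >= 4 && sb.substring(sb.length() - 4).equals("\r\n\r\n")) break;
        }
        return sb.toString();
    }
    static void pump(Socket from, Socket to) { // copy until EOF, then tear down both sides
        byte[] buf = new byte[8192];
        try (from; to) {
            for (int n; (n = from.getInputStream().read(buf)) != -1; ) to.getOutputStream().write(buf, 0, n);
        } catch (IOException ignored) { }
    }
}
```

The proxy never parses or terminates TLS: after the 200 it only moves bytes, so the browser's handshake is with the origin server, not with the proxy.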
