[ jetty-Bugs-1694854 ] Jetty6: Connecting to SSL server using "http" shows garbage

SourceForge.net
Bugs item #1694854, was opened at 2007-04-05 09:00
Message generated for change (Comment added) made by chrishaynes
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=107322&aid=1694854&group_id=7322

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: slupton (slupton)
Assigned to: Nobody/Anonymous (nobody)
Summary: Jetty6: Connecting to SSL server using "http" shows garbage

Initial Comment:
If you attempt to connect to a https port using "http", garbage characters are displayed in the browser (using IE).  I am assuming this is part of the SSL handshake.  There really should be some sort of error page, and ideally, the possibility of providing a link or redirect to the correct address using "https".

----------------------------------------------------------------------

Comment By: Chris Haynes (chrishaynes)
Date: 2007-04-06 08:19

Message:
Logged In: YES
user_id=378980
Originator: NO

Jetty uses the Java SSL implementation provided by the JVM (usually by
SUN).

I can see one possible way of doing what you want (without providing your
own hand-crafted SSL implementation).

The Sun API documentation for SSLSocket implies that there may, somewhere,
be a cypher option which accepts unauthenticated and unencrypted
connections. You could find that option and tell the server socket you are
prepared to accept it. Then, when the 'handshake' is completed you provide
a handler for that event and inspect the cypher selected. If it is that
'null' cypher you send the warning message as a response. If the cypher
selected is a 'real' one, you let the SSL-protected connection continue.

If you can find that 'null' cypher it should be possible to set all this
up by yourself without any changes to distributed Jetty code. You might
need to change the set-up parameters (Jetty provides control over the names
of the SSL cyphers to be offered by the server), extend one or more Jetty
classes and/or add a Filter or two. With luck, only cypher set-up and one
Filter may be needed. If you make it work do tell us!

Good luck,

Chris Haynes




----------------------------------------------------------------------

Comment By: slupton (slupton)
Date: 2007-04-06 07:14

Message:
Logged In: YES
user_id=1761779
Originator: YES

I apologize ahead of time for my lack of expertise in this matter but the
reason I listed this request is that I noticed that a good few sites
(running on Apache Server) seem to be handling this case.  For example,
accessing "https://www.yale.edu" with the address "http://www.yale.edu:443"
will display such an error page.  Is there some other potential trickery
being involved with these sites that I'm missing?

----------------------------------------------------------------------

Comment By: Chris Haynes (chrishaynes)
Date: 2007-04-05 17:40

Message:
Logged In: YES
user_id=378980
Originator: NO

This is nothing to do with Jetty, and Jetty cannot do what you suggest,
since Jetty never even gets to know that there has been a failed attempt to
establish an SSL session. Telling the browser to use HTTP to connect to an
HTTPS port can never work. The fault, and only cure, is in the design of
the web page - the client and server protocols *must* match.

----------------------------------------------------------------------
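
The thread asks how a server could answer a browser that speaks plain HTTP to an HTTPS port. As an added example (not Jetty's code and not taken from any comment above), the sketch below classifies the first bytes of a connection before any TLS processing and builds a plain-text error reply. It assumes the server can peek at those bytes first; the class, method and host names are hypothetical.

```java
import java.nio.charset.StandardCharsets;

/** Added example: classify the first bytes received on a TLS port. */
public class FirstBytesSniffer {
    enum Kind { TLS_HANDSHAKE, PLAIN_HTTP, UNKNOWN }

    private static final String[] HTTP_METHODS = {
        "GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS ", "TRACE ", "CONNECT "
    };

    /** Inspect the bytes peeked from the socket before any TLS processing. */
    static Kind classify(byte[] buf, int len) {
        if (len >= 3) {
            int b0 = buf[0] & 0xff, b1 = buf[1] & 0xff, b2 = buf[2] & 0xff;
            // TLS/SSLv3 record: content type 0x16 (handshake), major version 0x03.
            if (b0 == 0x16 && b1 == 0x03) return Kind.TLS_HANDSHAKE;
            // SSLv2-compatible ClientHello: length high bit set, message type 0x01.
            if ((b0 & 0x80) != 0 && b2 == 0x01) return Kind.TLS_HANDSHAKE;
        }
        String head = new String(buf, 0, len, StandardCharsets.US_ASCII);
        for (String m : HTTP_METHODS) {
            if (head.startsWith(m)) return Kind.PLAIN_HTTP;
        }
        return Kind.UNKNOWN;
    }

    /** Plain-text reply for a client that spoke HTTP to the TLS port. */
    static String errorResponse(String host, int port) {
        // host must come from server configuration, never from the request's
        // Host header, so the client cannot steer the link that is shown.
        String body = "This port requires HTTPS. Use https://" + host + ":" + port + "/\r\n";
        return "HTTP/1.1 400 Bad Request\r\n"
             + "Content-Type: text/plain; charset=us-ascii\r\n"
             + "Content-Length: " + body.length() + "\r\n"
             + "Connection: close\r\n\r\n"
             + body;
    }

    public static void main(String[] args) {
        // Constructed samples: start of a TLS 1.0 ClientHello record and of an HTTP request.
        byte[] tls = { 0x16, 0x03, 0x01, 0x00, 0x2f, 0x01 };
        byte[] http = "GET / HTTP/1.1\r\nHost: example.test:8443\r\n\r\n"
                .getBytes(StandardCharsets.US_ASCII);
        System.out.println(classify(tls, tls.length));
        System.out.println(classify(http, http.length));
        if (classify(http, http.length) == Kind.PLAIN_HTTP) {
            System.out.print(errorResponse("example.test", 8443));
        }
    }
}
```

A connection classified as `UNKNOWN` is best closed without a reply, since nothing is known about what the peer expects.
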
