[ jetty-Bugs-1694854 ] Jetty6: Connecting to SSL server using "http" shows garbage


Bugs item #1694854, was opened at 2007-04-05 09:00
Message generated for change (Comment added) made by gregwilkins
You can respond by visiting:

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
>Resolution: Wont Fix
Priority: 5
Private: No
Submitted By: slupton (slupton)
Assigned to: Nobody/Anonymous (nobody)
Summary: Jetty6: Connecting to SSL server using "http" shows garbage

Initial Comment:
If you attempt to connect to a https port using "http", garbage characters are displayed in the browser (using IE).  I am assuming this is part of the SSL handshake.  There really should be some sort of error page, and ideally, the possibility of providing a link or redirect to the correct address using "https".


>Comment By: Greg Wilkins (gregwilkins)
Date: 2007-04-09 03:42

Logged In: YES
Originator: NO

As chris says, this will need a great deal of help from the SSL

At this stage, we will not try to fix it, as a fair amount of effort is
required and it is not a serious issue. I am also cautious about returning
ANY content on a port that is meant to be encrypted - leaking the server
type can be an issue for some secure environments and the existence and
format of the error message can also leak version information. To allow
webapp specific error pages for this is opening up another world of
security holes.

However, I have created  http://jira.codehaus.org/browse/JETTY-290 so we
can at least track the desire for this feature.


Comment By: Chris Haynes (chrishaynes)
Date: 2007-04-06 08:19

Logged In: YES
Originator: NO

Jetty uses the Java SSL implementation provided by the JVM (usually by

I can see one possible way of doing what you want (without providing your
own hand-crafted SSL implementation).

The Sun API documentation for SSLSocket implies that there may, somewhere,
be a cypher option which accepts unauthenticated and unencrypted
connections. You could find that option and tell the server socket you are
prepared to accept it. Then, when the 'handshake' is completed you provide
a handler for that event and inspect the cypher selected. If it is that
'null' cypher you send the warning message as a response. If the cypher
selected is a 'real' one, you let the SSL-protected connection continue.

If you can find that 'null' cypher it should be possible to set all this
up by yourself without any changes to distributed Jetty code. You might
need to change the set-up parameters (Jetty provides control over the names
of the SSL cyphers to be offered by the server), extend one or more Jetty
classes and/or add a Filter or two. With luck, only cypher set-up and one
Filter may be needed. If you make it work do tell us!

Good luck,

Chris Haynes


Comment By: slupton (slupton)
Date: 2007-04-06 07:14

Logged In: YES
Originator: YES

I apologize ahead of time for my lack of expertise in this matter but the
reason I listed this request is that I noticed that a good few sites
(running on Apache Server) seem to be handling this case.  For example,
accessing "https://www.yale.edu" with the address "http://www.yale.edu:443"
will display such an error page.  Is there some other potential trickery
being involved with these sites that I'm missing?
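
A listener can tell plaintext HTTP from an SSL/TLS handshake by inspecting the first bytes a client sends, before the SSL layer consumes them. The Java class below is an added example, not part of the original thread and not Jetty or Apache code; the class name `FirstBytesSniffer`, its methods and the sample bytes are constructed for illustration, and the bodyless reply is an assumed policy that discloses no server details.

```java
import java.nio.charset.StandardCharsets;

// Added example (not Jetty code): classify the first bytes received on a TLS port.
public class FirstBytesSniffer {

    enum Kind { TLS_HANDSHAKE, SSLV2_HELLO, PLAINTEXT_HTTP, NEED_MORE, UNKNOWN }

    // Request methods followed by the space that separates them from the target.
    private static final String[] METHODS = {
        "GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS ", "TRACE ", "CONNECT " };

    static Kind classify(byte[] buf, int len) {
        if (len < 3) return Kind.NEED_MORE;
        int b0 = buf[0] & 0xff, b1 = buf[1] & 0xff, b2 = buf[2] & 0xff;
        // TLS/SSLv3 record header: content type 0x16 (handshake), major version 3.
        if (b0 == 0x16 && b1 == 0x03) return Kind.TLS_HANDSHAKE;
        // SSLv2-format ClientHello: length with high bit set, then message type 1.
        if ((b0 & 0x80) != 0 && b2 == 0x01) return Kind.SSLV2_HELLO;
        String head = new String(buf, 0, Math.min(len, 8), StandardCharsets.US_ASCII);
        for (String m : METHODS) {
            if (head.startsWith(m)) return Kind.PLAINTEXT_HTTP;
            if (m.startsWith(head)) return Kind.NEED_MORE; // method token not complete yet
        }
        return Kind.UNKNOWN;
    }

    // Policy assumption: answer plaintext HTTP with a bodyless 400 and no Server
    // header, so the reply carries no product or version detail; otherwise send nothing.
    static byte[] replyFor(Kind kind) {
        if (kind != Kind.PLAINTEXT_HTTP) return new byte[0];
        return "HTTP/1.1 400 Bad Request\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"
                .getBytes(StandardCharsets.US_ASCII);
    }

    public static void main(String[] args) {
        byte[][] samples = {                                     // constructed inputs
            { 0x16, 0x03, 0x01, 0x00, (byte) 0xc8, 0x01 },       // TLS ClientHello record
            { (byte) 0x80, 0x2e, 0x01, 0x03, 0x01 },             // SSLv2-format hello
            "GET / HTTP/1.1\r\n".getBytes(StandardCharsets.US_ASCII),
            "GE".getBytes(StandardCharsets.US_ASCII),            // too short to decide
            { 0x00, 0x01, 0x02, 0x03 } };
        for (byte[] s : samples) {
            Kind k = classify(s, s.length);
            System.out.println(k + " -> reply of " + replyFor(k).length + " bytes");
        }
    }
}
```

In a real listener the bytes have to be peeked rather than consumed (for example through a `java.io.PushbackInputStream`), so that a genuine handshake still reaches the SSL layer intact.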


Comment By: Chris Haynes (chrishaynes)
Date: 2007-04-05 17:40

Logged In: YES
Originator: NO

This is nothing to do with Jetty, and Jetty cannot do what you suggest,
since Jetty never even gets to know that there has been a failed attempt to
establish an SSL session. Telling the browser to use HTTP to connect to an
HTTPS port can never work. The fault, and only cure, is in the design of
the web page - the client and server protocols *must* match.

