https:// will indicate to the browser that it should use SSL. If the browser
contacts the server (on port 443) without using SSL one of three things can
happen:
1. connection fails, nothing on that port
2. connection succeeds, protocol invalid request rejected
3. connection succeeds, timeout occurs for whatever reason
4. connection succeeds, protocol valid request accepted

Cases 1., 3. and 4.  should not be valid as per your argument since there is
something at port 443, and we do know that without SSL it won't fly... so we
are left with case 2.

Tomcat does not handle case 2. the same way as (whatever) server is used by
www.paypal.com to service port 443. If the two servers were identical in
their behavior the browser reply (to the user) would be the same. It seems
(based on my troubleshooting) that the standalone tomcat (with SSL enabled)
will return a valid (text) response with unprintable characters in it. It
does not matter what version or type of browser you are using you will get
the same garbage returned by Tomcat if you misspell your URL (using
http://server:8443/... instead of https://server:8443/...).

I was asking the question because I am not that familiar with the exact
semantics of SSL negotiations. But I suspect that there is a better (perhaps
prescribed by the spec) way for a server (e.g. Tomcat) to reject non-SSL
requests on an SSL enabled port...

P.S. John, are you part of the development team for Tomcat?

Michael Petres
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
InnovObjX Corp.
Web: www.innovobjx.com
Tel: 905-729-2235 x3
Fax: 905-729-2235
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----Original Message-----
From: Turner, John [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 11, 2002 2:01 PM
To: 'Tomcat Users List'
Subject: RE: SSL on Tomcat standalone not working


Hmmm....not to argue, but I think you missed my point.  The Paypal server
didn't reply that "there was nothing at http://"...  I specified port number
443, and there most definitely IS something there, and that something is
www.paypal.com .  My request was not successful because my browser didn't
know I wanted an SSL connection, not because the URL was invalid.  "http" and
"https" are not host identifiers.

John

> -----Original Message-----
> From: Michael Petres [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 11, 2002 1:52 PM
> To: Tomcat Users List
> Subject: RE: SSL on Tomcat standalone not working
>
>
> That is because when you type in http://www.paypal.com:443
> the Paypal server
> returns the appropriate reply to the browser informing it
> that there is no
> page that resolves to that URL.
>
> Assuming that you put a standalone Tomcat server to serve
> this stuff at
> Paypal you would expect the same message if someone types in
> http://...
> instead of https://... Tomcat however will return a text
> string that has
> some non-printable characters in it, i.e. it does not notify
> the browser
> that there is nothing at the http://... address rather it serves up
> garbage...
>
> Michael Petres
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> InnovObjX Corp.
> Web: www.innovobjx.com
> Tel: 905-729-2235 x3
> Fax: 905-729-2235
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> -----Original Message-----
> From: Turner, John [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 11, 2002 1:47 PM
> To: 'Tomcat Users List'
> Subject: RE: SSL on Tomcat standalone not working
>
>
> I don't think it's a Tomcat issue.  I think it's more of a
> browser issue.  If
> you use "http", the browser doesn't know you intend to
> connect using SSL,
> regardless of port number.  Try it with paypal, for example:
> Paypal doesn't
> accept non-SSL requests at www.paypal.com.  If you try to
> connect using
> http://www.paypal.com:443 you get an error message.  Not a
> Paypal error
> message, but a browser error message.  Port number isn't the
> key to starting
> an SSL connection with a webserver...the "https" is, at least
> on the browser
> side.
>
> John
>
>
> > -----Original Message-----
> > From: Michael Petres [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, September 11, 2002 1:33 PM
> > To: Tomcat Users List
> > Subject: RE: SSL on Tomcat standalone not working
> >
> >
> > Great tip :), of course you need to use https://, what an
> > oversight on my
> > part... oh well
> >
> > But shouldn't Tomcat return an error page if  someone types in
> > http://servername:8443/.... by mistake? It is rather
> > ambiguous what's going
> > on with the current return of ''
> >
> > Michael Petres
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > InnovObjX Corp.
> > Web: www.innovobjx.com
> > Tel: 905-729-2235 x3
> > Fax: 905-729-2235
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
>
> --
> To unsubscribe, e-mail:
> <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail:
> <mailto:[EMAIL PROTECTED]>
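Added example, not part of the original thread and not Tomcat code: a sketch of how the first bytes on an SSL port distinguish plaintext HTTP from an SSL/TLS record, how the "unprintable characters" a client sees can be decoded if they are an unencrypted alert record, and one way a listener could answer a plaintext request with a readable HTTP error instead. The function names, the 400 reply and the sample bytes are assumptions constructed for illustration.

```python
import struct

# First bytes of a plaintext HTTP request line or response status line.
HTTP_PREFIXES = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                 b"OPTIONS ", b"TRACE ", b"CONNECT ", b"HTTP/")
TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_NAMES = {0: "close_notify", 10: "unexpected_message",
               40: "handshake_failure", 70: "protocol_version"}

def classify(data):
    """Return 'http', 'tls:<record type>' or 'unknown' for the first bytes."""
    if data.startswith(HTTP_PREFIXES):
        return "http"
    if len(data) >= 5:
        ctype, major, _minor, length = struct.unpack("!BBBH", data[:5])
        # SSL 3.0 / TLS record header: type, version 3.x, 16-bit length.
        if ctype in TLS_TYPES and major == 3 and length <= 2**14 + 2048:
            return "tls:" + TLS_TYPES[ctype]
    return "unknown"  # e.g. an SSLv2-format hello, left to the TLS stack

def describe_alert(record):
    """Decode an unencrypted alert record, or return None if it is not one."""
    if classify(record) != "tls:alert" or len(record) < 7:
        return None
    level, desc = record[5], record[6]
    return "%s %s" % (ALERT_LEVELS.get(level, "level_%d" % level),
                      ALERT_NAMES.get(desc, "alert_%d" % desc))

def reply_for_first_bytes(data):
    """Plaintext 400 for HTTP sent to the SSL port; None means 'start TLS'."""
    if classify(data) != "http":
        return None
    body = b"Plain HTTP request sent to an SSL port; use https://\n"
    head = (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain\r\n"
            b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(body))
    return head + body

# Constructed samples (not captured from Tomcat or any real server).
PLAIN_GET = b"GET / HTTP/1.1\r\nHost: server:8443\r\n\r\n"
SAMPLE_ALERT = bytes.fromhex("1503010002020a")
SAMPLE_HELLO_HEADER = bytes.fromhex("160301002f")

if __name__ == "__main__":
    print(classify(PLAIN_GET), "->", reply_for_first_bytes(PLAIN_GET)[:24])
    print(classify(SAMPLE_ALERT), "->", describe_alert(SAMPLE_ALERT))
    print(classify(SAMPLE_HELLO_HEADER), "->", reply_for_first_bytes(SAMPLE_HELLO_HEADER))
```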