JDK-6205816 : HTTP spoken on HTTPS port
  • Type: Bug
  • Component: deploy
  • Sub-Component: plugin
  • Affected Version: 5.0
  • Priority: P3
  • Status: Closed
  • Resolution: Cannot Reproduce
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2004-12-08
  • Updated: 2010-04-02
  • Resolved: 2005-01-10
Description
FULL PRODUCT VERSION :
java version "1.4.2_06"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_06-b03)
Java HotSpot(TM) Client VM (build 1.4.2_06-b03, mixed mode)
and
java version "1.5.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0-b64)
Java HotSpot(TM) Client VM (build 1.5.0-b64, mixed mode, sharing)


ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [Version 5.1.2600]

A DESCRIPTION OF THE PROBLEM :
The 1.4.2_xx and 1.5.0 plugin in IE attempts to load applets using HTTP even though it's connected to an ssl port.

This causes ssl errors at the server.

Even worse, it's sending the base64-encoded username/password across a cleartext connection.

This happens only from the Java 1.4.2_05 plugin running in IE.
Prior versions of the 1.4.2 plugin did not have this problem.
Mozilla does not have this problem.


STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Load an applet over an ssl connection from a server that requires authentication.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The plugin should use HTTPS when connected to an ssl port.
ACTUAL -
The plugin used HTTP to an ssl port.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
Apache/openssl reports errors like this:

httpd[28350]: [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
httpd[28350]: [error] OpenSSL: error:1407609C:lib(20):func(118):reason(156)

We get these twice in a row. Once for the first attempt to get the jar (without sending the authentication), then again on the second attempt to get the jar (with the authentication).

I get a slightly different message from a server with a slightly different setup:

httpd[891]: [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
httpd[891]: [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]

Here's a packet capture (with some sensitive info x'd out). Note the HTTP rather than HTTPS:

HEAD /viewers/xxxx.jar HTTP/1.1
Accept: */*
Host: xxxxxxx.xxx.net
Content-Length: 0
Cache-Control: no-cache
Cookie: xxx_xxxx_xxxxxxx=false; PHPSESSID=02ef56140385090cf6890514a472127f; ISSUserID=###@###.###; ISSSessionID=2314DB7E-387C-4086-991B-63156DBD63F9

HTTP/1.1 401 Authorization Required
Date: Thu, 16 Sep 2004 15:28:16 GMT
Server: Apache
WWW-Authenticate: Basic realm="Xxxxxxxxx Xxxxx Xxxxxxxxx Xxxxxxxxx"
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>401 Authorization Required</TITLE>
</HEAD><BODY>
<H1>Authorization Required</H1>
This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.<P>
</BODY></HTML>

HEAD /xxxxxxx/xxxx.jar HTTP/1.1
Accept: */*
Host: xxxxxxx.xxx.net
Content-Length: 0
Cache-Control: no-cache
Cookie: xxx_xxxx_xxxxxxx=false; PHPSESSID=02ef56140385090cf6890514a472127f; ISSUserID=###@###.###; ISSSessionID=2314DB7E-387C-4086-991B-63156DBD63F9
Connection: Keep-Alive
Authorization: Basic YWRtaW46cXVha2VpcHM=



REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
Any applet will do. The problem is with the loading of the applet.
---------- END SOURCE ----------
###@###.### 2004-12-08 16:42:52 GMT
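
A server-side check for the condition this report describes, as an added example that is not part of the original bug report or of the JDK: it classifies the first client bytes seen on a TLS listener and, when they are plaintext HTTP, names the sensitive headers that crossed the wire without echoing their values. The function names, sample request, host name, cookie and credential are constructed placeholders.

```python
# HTTP methods; a TLS listener should never see one of these as the first bytes.
HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT")
SENSITIVE = (b"authorization", b"proxy-authorization", b"cookie")


def classify_first_bytes(data: bytes) -> str:
    """Classify the first client bytes seen on a TLS listener."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"            # handshake record, SSLv3/TLS version major byte
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-hello"    # SSLv2-compatible ClientHello (2-byte header)
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "plaintext-http"
    return "unknown"


def exposed_headers(data: bytes) -> list:
    """Lower-case names of sensitive headers in a plaintext request.
    Values are deliberately not returned, so findings can be logged safely."""
    head = data.split(b"\r\n\r\n", 1)[0]
    found = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        key = name.strip().lower()
        if sep and key in SENSITIVE:
            scheme = value.strip().split(b" ", 1)[0].lower()
            label = key.decode()
            if key.endswith(b"authorization") and scheme == b"basic":
                label += " (basic)"               # base64 only, not encryption
            found.append(label)
    return found


def inspect(data: bytes) -> dict:
    kind = classify_first_bytes(data)
    return {"kind": kind, "exposed": exposed_headers(data) if kind == "plaintext-http" else []}


# Constructed samples: a request shaped like the second HEAD in the capture
# (placeholder cookie and credential) and the start of a TLS handshake record.
PLAINTEXT = (b"HEAD /viewers/example.jar HTTP/1.1\r\nHost: example.invalid\r\n"
             b"Cookie: PHPSESSID=placeholder\r\n"
             b"Authorization: Basic cGxhY2Vob2xkZXI6cGxhY2Vob2xkZXI=\r\n\r\n")
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01])

if __name__ == "__main__":
    print(inspect(PLAINTEXT))
    print(inspect(TLS_HELLO))
```

Any `plaintext-http` result that lists `authorization (basic)` means the password should be treated as disclosed and rotated, since the Basic value is only base64-encoded.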