Submitter uses HttpURLConnection to connect from a Swing GUI to an application server.
The connection supports tunneling HTTPS through an NTLM proxy.
The GUI uses a local copy of the Java JRE, and uses the HttpURLConnection class
The connection should use keep-alive by default since the client, proxy and server are all using HTTP/1.1. A single socket should be opened from the GUI and multiple HTTP requests should use the same socket.
Before Java 1.7.0_40, the HTTPS tunnel through the NTLM proxy would do NTLM authentication on the initial CONNECT request, but not on the following HTTP requests. The GUI would open a single socket and reuse it.
In Java 1.7.0_40 and all later JRE versions, including JRE for 1.7.0_72 and 1.8.0_20, each request results in the GUI sending a new CONNECT request to the proxy server, doing the NTLM authentication (successfully), and then creating a new tunnel and new socket to the server.
The problem this causes is that the requests take much longer because it has to create a new socket, and do the SSL handshake with the server. The request time for the second and subsequent requests should normally be around 100ms, but because of the problem, they take 3-4 seconds.
The HTTP headers between the GUI and the proxy servers appear identical in all the JRE versions, but the Java client's behavior is different.
The last good JRE is 1.7.0_25. All versions before that work also OK.
1.6.0_26
1.7.0.17
1.7.0_21
1.7.0_25
Tested all versions after that that were available for download, and none of them work.
1.7.0_40
1.7.0_45
1.7.0_51
1.7.0_67
1.7.0_71
1.7.0_72
1.8.0_20