JDK-6614957 : HttpsURLConnection not using the set SSLSocketFactory for creating all its Sockets
- Type: Bug
- Component: security-libs
- Sub-Component: javax.net.ssl
- Affected Version: 1.4.2_10,6u10
- Priority: P2
- Status: Resolved
- Resolution: Fixed
- OS: linux,solaris_7,windows_xp
- CPU: x86,sparc
- Submitted: 2007-10-10
- Updated: 2017-05-16
- Resolved: 2010-04-14
The Version table provides details related to the release that this issue/RFE will be addressed.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
| Other | Other | Other | JDK 6 | JDK 7 | Other |
|---|---|---|---|---|---|
| 1.4-pool,OpenJDK6Resolved | 1.4.2_18-revFixed | 1.4.2_19Fixed | 6u10Fixed  |
7 b89Fixed |
OpenJDK6Fixed |
Related Reports
|
Duplicate :
|
|
|
Relates :
|
|
|
Relates :
|
|
|
Relates :
|
|
|
Relates :
|
|
|
Relates :
|
|
|
Relates :
|
Description
NOTE:
The JDK versions mentioned below are versions of a Java Licensees JDK implementation and do not map directly to Sun's JDK versions. This problem was first seen
to happen between versions 1.4.2.10 and 1.4.2.11 of the licensees JDK implementation. In this implementation 1.4.2.10 maps to Sun release 1.4.2.09; 1.4.2.11 maps to Sun release 1.4.2.12. That means it might have changed in Sun's release 1.4.2.10, 1.4.2.11 or 1.4.2.12. In actual fact, we believe that this problem first occurred in 1.4.2_13 and 5.0 or greater.
--------------------------------
The issue in question is that there appears to be a change in behavior between 1.4.2.10 and 1.4.2.11
(and 1.5.*) with HTTPS URL connections. It now requires the properties https.proxyHost and https.proxyPort to be defined. However, these properties were not required in 1.4.2.10 and earlier; if the
user defines the SSLSocketFactory. Using setSSLSocketFactory allows load balancing across several proxies instead of a single property value.
if (myConnection instanceof com.sun.net.ssl.HttpsURLConnection) {
((com.sun.net.ssl.HttpsURLConnection)
myConnection).setSSLSocketFactory(new SSLTunnelSocketFactory
(System.getProperty("proxyHost"), System.getProperty("proxyPort")));
}
Simple reproducer can be found at:
http://forum.java.sun.com/thread.jspa?threadID=172539
While this example works "as is" with all java versions, if you
comment out the following section:
//set up system properties to indicate we are using a proxy
System.setProperty("https.proxyHost", proxyHost);
System.setProperty("https.proxyPort", proxyPort);
It will fail with 1.4.2.11 or higher. it also fails on Windows, Linux, and OpenVMS.
I believe (however without the source for JSSE it is hard to tell
exactly) the change can be found in the class "HttpsClient" with the
doConnect method:
Decompile doConnect() method from 1.4.2.11
protected Socket doConnect(String s, int l)
throws IOException, UnknownHostException
{
d = d == null ? getProxyHost() : d;
e = e == 0 ? getProxyPort() : e;
Socket socket = null;
if(d == null || k())
{
socket = new Socket();
if(NetworkClient.defaultConnectTimeout > 0)
socket.connect(new InetSocketAddress(s, l),
NetworkClient.defaultConnectTimeout);
else
socket.connect(new InetSocketAddress(s, l));
} else
{
try
{
socket = (Socket)AccessController.doPrivileged(new Object() /* anonymous class not found */
class _anm2 {}
);
}
catch(PrivilegedActionException privilegedactionexception)
{
throw (IOException)
privilegedactionexception.getException();
}
catch(IOException ioexception)
{
try
{
socket = new Socket();
if(NetworkClient.defaultConnectTimeout > 0)
socket.connect(new InetSocketAddress(s, l),
NetworkClient.defaultConnectTimeout);
else
socket.connect(new InetSocketAddress(s, l));
}
catch(IOException ioexception1)
{
throw ioexception;
}
}
}
if(NetworkClient.defaultSoTimeout > 0)
socket.setSoTimeout(NetworkClient.defaultSoTimeout);
return socket;
}
Same code from 1.4.2.10, notice it honors the user defined
SSLSocketFactory after checking to see https.proxyHost has been
defined...
protected Socket doConnect(String s, int j)
throws IOException, UnknownHostException
{
d = d == null ? getProxyHost() : d;
e = e == 0 ? getProxyPort() : e;
Object obj = null;
SSLSocketFactory sslsocketfactory = c;
if(d == null || i())
obj = sslsocketfactory.createSocket(s, j);
else
try
{
obj = (Socket)AccessController.doPrivileged(new
PrivilegedExceptionAction() {
public Object run()
throws IOException
{
Socket socket = new Socket();
if(HttpsClient.e() > 0)
socket.connect(new InetSocketAddress
(HttpsClient.a(a), HttpsClient.b(a)), HttpsClient.f());
else
socket.connect(new InetSocketAddress
(HttpsClient.a(a), HttpsClient.b(a)));
return socket;
}
private final HttpsClient a; /* synthetic field */
});
}
catch(PrivilegedActionException privilegedactionexception)
{
throw (IOException)
privilegedactionexception.getException();
}
catch(IOException ioexception)
{
try
{
obj = (SSLSocket)sslsocketfactory.createSocket(s,
j);
}
catch(IOException ioexception1)
{
throw ioexception;
}
}
return ((Socket) (obj));
}
This change broke the customer's application. As a workaround they
might be able to implement the https.proxyHost property; however they
believe they have several proxies that the application might load
balance across. This can not be done by setting a single
https.proxyHost property.
Comments
|