Thanks for the reply. If I understand correctly you tried Apache, not Tomcat, right?
The behaviour you described is exactly what I expect Tomcat to do. But instead I am getting those strange responses ("bits", as I described them).
What I am worried about is mostly security, and since I don't know what this response is I am more worried :(
Thanks.
Evgeny
On 12/14/06, Julius Davies <[EMAIL PROTECTED]> wrote:
telnetting into my local apache2.2 on ssl and typing "GET / HTTP/1.0" is fun!

$ telnet localhost 443
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
GET / HTTP/1.0
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />

Maybe Tomcat could do that? But anyway, this "bug" that Evgeny is reporting is probably JVM behaviour, and not Tomcat behaviour.

yours,

Julius

On 12/14/06, Tsirkin Evgeny <[EMAIL PROTECTED]> wrote:
>
> Hello list!
> First of all, thank you for developing such good software as Tomcat!
> I am concerned about an issue that I could not find a solution for:
> after installing and configuring Tomcat 5.5 to use SSL, if I am trying to
> request the SSL port with a non-SSL protocol I am getting a result that I can't understand;
> this looks like a strange stream of bits.
> I have consulted the tomcat-user list and this behaviour is reproducible by
> other users.
> Here are the steps to reproduce:
>
> --------------------------------------------------------------------------------------
> [1] Do a regular (vanilla) installation of Tomcat (Linux and Windows I have
> already tried).
> [2] Set up SSL:
> Uncomment the SSL setup in server.xml and create a key with the following:
> %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
> or
> $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
> (taken from Tomcat's manual)
> add the keystorePass and keystoreFile to server.xml
> start Tomcat and test whether SSL works.
> [3] Try this in a browser:
> http://localhost:8443 (note the http, not the https)
> or
> telnet localhost 8443
> Note that the telnet should be done from a terminal that can show binary
> output.
> (rxvt, xterm will NOT do; for me gnome-terminal and cmd on Windows worked).
> In the telnet session you will get a connection; type something, hit ENTER
> and you will get strange bits in the response.
> If you are doing this in a browser it will just try to download those bits
> (Mozilla) or show them on the screen (IE).
> I am pretty sure that this is NOT valid behaviour.
> I have tried all this on:
> Tomcat 5.5.20
> Java 1.5.0_09
> and
> same Tomcat
> Java 1.5.0_06
> Both Linux and Windows.
>
> -----------------------------------------------------------------------------------------------------
> It was suggested by one of the users that this is Tomcat trying to do SSL
> negotiation.
> However it seems to me that if the client is not sending the SSL negotiation
> first then the server should not try to do this. Here is what I have found in the RFC (TLS 1.0):
> "These goals are achieved by the handshake protocol, which can be
> summarized as follows: The client sends a client hello message to
> which the server must respond with a server hello message, or else a
> fatal error will occur and the connection will fail."
> Here is the link to the users list for the discussion:
> http://marc.theaimsgroup.com/?l=tomcat-user&m=116609043103294&w=2
> Note also that other servers I have worked with (non-Java) do not do this:
> try to telnet to the SSL port of Gmail and you will not get any response
> (connection yes, response no).
>
> In any case I would like to know what this response is.
> Isn't it a sign of a security problem or bug?
> Sorry for the long post.
> Thanks.
> Evgeny.
>
>

--
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/
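A way to find out what those "bits" actually are, as an added example that is not part of this thread or of Tomcat: open a raw TCP connection to the port, send the same plaintext request that was typed into telnet, and decode the reply as TLS record-layer messages (RFC 2246 section 6.2.1), since a TLS server that receives garbage instead of a ClientHello typically answers with a fatal alert record rather than with HTTP. The probe() helper talks to a live host; the decoder is exercised here only on constructed byte strings (a TLS 1.0 fatal unexpected_message alert and an Apache-style HTML body), which are assumptions for illustration and not bytes captured from Tomcat or the JVM.

```python
import socket
import struct

# TLS record layer constants (RFC 2246 sections 6.2.1, 7.2 and 7.4).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied", 50: "decode_error",
    51: "decrypt_error", 60: "export_restriction", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation",
}
HANDSHAKE_TYPES = {0: "hello_request", 1: "client_hello", 2: "server_hello",
                   11: "certificate", 12: "server_key_exchange", 13: "certificate_request",
                   14: "server_hello_done", 15: "certificate_verify",
                   16: "client_key_exchange", 20: "finished"}

# The same plaintext request that was typed into telnet in the thread.
PLAIN_HTTP_REQUEST = b"GET / HTTP/1.0\r\n\r\n"


def parse_tls_records(data):
    """Split raw bytes into TLS/SSLv3 records as (content type name, version, body).

    Raises ValueError if the bytes do not form well-formed records."""
    records = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        if ctype not in CONTENT_TYPES or major != 3:
            raise ValueError("byte %d is not a TLS record header" % offset)
        body = data[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        records.append((CONTENT_TYPES[ctype], (major, minor), body))
        offset += 5 + length
    return records


def describe_reply(data):
    """Classify what a server sent back after receiving a plaintext HTTP request."""
    if not data:
        return "no response: the server closed the connection silently"
    if data.startswith(b"HTTP/") or data.lstrip().startswith(b"<"):
        # Apache's mod_ssl answers in the clear (in the thread, as a bare HTML body).
        first_line = data.split(b"\n", 1)[0].decode("latin-1").strip()
        return "plaintext HTTP response: " + first_line
    try:
        records = parse_tls_records(data)
    except ValueError as err:
        return "unrecognised bytes (not TLS records): %s" % err
    parts = []
    for name, (major, minor), body in records:
        version = "TLS 1.%d" % (minor - 1) if minor else "SSL 3.0"
        if name == "alert" and len(body) == 2:
            level, desc = body  # two single-byte fields: AlertLevel, AlertDescription
            parts.append("%s alert: %s %s" % (version, ALERT_LEVELS.get(level, level),
                                              ALERT_DESCRIPTIONS.get(desc, desc)))
        elif name == "handshake" and body:
            parts.append("%s handshake: %s" % (version, HANDSHAKE_TYPES.get(body[0], body[0])))
        else:
            parts.append("%s %s record, %d bytes" % (version, name, len(body)))
    return "; ".join(parts)


def probe(host, port, timeout=5.0):
    """Send the plaintext request to host:port over raw TCP and return the raw reply bytes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(PLAIN_HTTP_REQUEST)
        chunks = []
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass  # server kept the connection open without sending more
    return b"".join(chunks)


# Constructed inputs for an offline check (assumptions, not bytes captured from Tomcat):
# a TLS 1.0 fatal "unexpected_message" alert, and an Apache-style HTML error body.
SAMPLE_ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x0A])
SAMPLE_APACHE_BODY = b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n'

if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])  # e.g. localhost 8443
    print(describe_reply(probe(host, port)))
```

Run it as `python probe_tls_port.py localhost 8443` against the server in question; a reply that decodes as a fatal alert is the server's correct refusal under the RFC text quoted above (the connection fails after the alert), a silent close is the behaviour Evgeny saw from Gmail, and a plaintext HTTP body is what Apache's mod_ssl does. Anything the decoder reports as unrecognised bytes is worth a closer look with a hex dump.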