Filip Sergeys tc wrote:
On Mon, 2002-10-21 at 11:57, Nikola Milutinovic wrote:
Since neither of us is an HTTPS expert, all we can do is guess. Try to sniff packets on the network after that redirect takes place. The initial request should be encrypted, but if the second request comes in plain HTTP, then it spells "trouble".
Filip Sergeys tc wrote:
> What does sendRedirect do?
> sendRedirect launches a new HTTP request, and this request goes via
> apache again (you can see it in the apache access_log). However this
> request is in plain HTTP while the apache server is expecting HTTPS
> request (see details below). This is, I presume, causing the error. If
> somebody knows the gory details to this... I'm interested
Well, "sendRedirect" actually doesn't launch another HTTP request - it is a job for the client to do so if it wishes. "sendRedirect" will send a HTTP response to the client of the form:
Status: 304 Redirect
Location: <location given in "sendRedirect">
The server then closes the request (HTTP/1.1 might leave the connection open, but the request is finished). The client may report on this or take further action in changing its location to the one given in response. *The client will then initiate a new HTTP request* with the new location as URI.
Ah, I didn't know that. So the redirect is done via the client. OK, what does this mean? The client does a new request (previous one was
closed, right?), apparently on port 443 again (how come?), but the
request is not encrypted. Causing an error on the apache side (handshake
fails because request in plain HTTP). Is this a browser error then? It
happens both in NS/Mozilla and IE.
> (see access_log and ssl_engine_log)
One possible scenario is that Tomcat is at fault. The main question is what is actually being sent as a response from Tomcat. Try to use OpenSSL to hook up to HTTPS and simulate a HTTP request, like on telnet. Something like:
> Browser requests secure connection, handshake is successful
> Browser sends GET request to apache server for pageX.jsp over HTTPS
> Apache decrypts and forwards request to tomcat using mod_jk
> Tomcat processes page and does sendRedirect.
> New HTTP request is sent to apache (while apache is still in HTTPS
> session)
> Try to do handshake again, fails. HTTP spoken on HTTPS port.
> Error page is sent back to browser.
This sounds like a browser error. BTW, I'm not up to speed with HTTPS, I thought it was just a plain HTTP over SSL connection. Is there some "session" element to it? Can you route two requests over HTTPS connection? Is HTTPS as a protocol different from HTTP?
HTTPS is indeed HTTP over SSL. SSL session is for caching information so
that on consequent requests the whole handshaking stuff is not to be
redone again.
openssl s_client -connect tomcat.domain.com:443 -cert ClientCert.pem \
  -key ClientKey.pem -ssl3 -rand /dev/egd-pool << EOF
GET /path/to/that.jsp HTTP/1.0
Host: tomcat.domain.com

EOF
And see what Tomcat gives back.
The only scenario that I can imagine causing this would be:
Status: 304 Redirect
Location: http://tomcat.domain.com:443/path/to/new.jsp
In other words, Tomcat and Apache both "filling in the blanks" of a redirect URI. But I'm not sure if this is even possible. Anyway, try it out and see what's actually going on.
Nixie.
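
An added example, not part of the original thread: a check for the redirect scenario described above, run over the text captured from the `openssl s_client` session. The function names are hypothetical and both sample responses are constructed; the host name is the one used in the message.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_response_head(raw):
    """Find the HTTP status line in captured output and return (status, headers)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    start = next((i for i, l in enumerate(lines) if l.startswith("HTTP/")), None)
    if start is None:
        return None, {}
    status = int(lines[start].split()[1])
    headers = {}
    for line in lines[start + 1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def audit_redirect(raw, request_scheme="https"):
    """Return a list of problems with the Location header of a redirect response."""
    status, headers = parse_response_head(raw)
    location = headers.get("location")
    if status is None or not 300 <= status < 400 or location is None:
        return []
    target = urlsplit(location)
    if not target.scheme:
        return []                     # relative target: scheme and port are unchanged
    findings = []
    if request_scheme == "https" and target.scheme == "http":
        findings.append("scheme downgraded from https to http")
    for scheme, port in DEFAULT_PORTS.items():
        if scheme != target.scheme and target.port == port:
            findings.append(
                f"{target.scheme} URL points at port {port}, the default {scheme} port")
    return findings

# Constructed sample: s_client banner lines followed by the suspected bad redirect.
BROKEN = ("CONNECTED(00000003)\n---\n"
          "HTTP/1.1 302 Found\r\n"
          "Location: http://tomcat.domain.com:443/path/to/new.jsp\r\n\r\n")
# Constructed sample: the redirect a client can follow over SSL.
GOOD = ("HTTP/1.1 302 Found\r\n"
        "Location: https://tomcat.domain.com/path/to/new.jsp\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("broken", BROKEN), ("good", GOOD)):
        print(name, audit_redirect(raw))
```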
