JDK Tutorials - Herong's Tutorial Examples - v6.32, by Herong Yang
Connecting to HttpsHello.java with IE
This section provides a tutorial example on how to test my HTTPS server program, HttpsHello.java, with the IE (Internet Explorer) browser. IE requires the owner name in the HTTPS certificate to match the server host name.
Now let's use Internet Explorer (IE) to connect to my HTTPS server program HttpsHello.java.
Test 1 - First run HttpsHello.java again in JDK 1.8 with SSL debug mode turned on:

    herong> java -Djavax.net.debug=ssl:record HttpsHello.java

    Server started:
    Server socket class: class com.sun.net.ssl.internal.ssl.SSLServerSocketImpl
       Socket address = 0.0.0.0/0.0.0.0
       Socket port = 8888
       Need client authentication = false
       Want client authentication = false
       Use client mode = false

Then run IE 10 with https://localhost:8888. The browser will try to make a connection and come back with an error message: "This page can't be displayed".
But on the HttpsHello.java execution window, you will see this exception:

    java.net.SocketException: Connection closed by remote host
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkWrite(U...
       at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unkn...
       at sun.nio.cs.StreamEncoder$CharsetSE.writeBytes(Unknown S...
       at sun.nio.cs.StreamEncoder$CharsetSE.implFlushBuffer(Unkn...
       at sun.nio.cs.StreamEncoder$CharsetSE.implFlush(Unknown So...
       at sun.nio.cs.StreamEncoder.flush(Unknown Source)
       at java.io.OutputStreamWriter.flush(Unknown Source)
       at java.io.BufferedWriter.flush(Unknown Source)
       at HttpsHello.main(HttpsHello.java:40)

So why is my HttpsHello.java getting this "Connection closed by remote host" exception? The code logic in HttpsHello seems to be correct. According to the output message, accept() is returning a good SSLSocket. The code reads the first line of the HTTP request, then writes back an HTTP response. This is exactly how we would code non-SSL HTTP communication.
After testing HttpsHello.java with a network debugger a number of times, I finally found why HttpsHello.java is not working with IE. The trouble is caused by the self-signed certificate.
When IE reaches an HTTPS server and gets a certificate that fails the validation rules (because the certificate is not signed by any trusted CA), it abandons the connection and displays a security alert to the user. If the user chooses to ignore the validation error and continue with the HTTP request, IE makes another connection to the server.
As you can see, HttpsHello.java is not designed to handle this abandoned connection. HttpsHello.java is not aware of the fact that the client has already closed the connection, and still tries to write the HTTP response back to it. Of course, it gets an exception.
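One way to make a server of this kind tolerate the abandoned connection is shown below. This is an added example, not the tutorial's HttpsHello.java: the class name HttpsHelloTolerant is hypothetical, and it assumes the herong.jks keystore and the passwords used on this page.

```java
import java.io.*;
import java.security.KeyStore;
import javax.net.ssl.*;

// Added example, not the tutorial's HttpsHello.java; the class name is hypothetical.
public class HttpsHelloTolerant {
    public static void main(String[] args) throws Exception {
        // Keystore and passwords as on this page; assumes every key entry uses My1stKey.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream("herong.jks")) {
            ks.load(in, "HerongJKS".toCharArray());
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, "My1stKey".toCharArray());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        try (SSLServerSocket server = (SSLServerSocket)
                ctx.getServerSocketFactory().createServerSocket(8888)) {
            while (true) {
                SSLSocket accepted = (SSLSocket) server.accept();
                // Per-connection try: one abandoned client must not end the loop.
                try (SSLSocket c = accepted) {
                    serve(c);
                } catch (IOException e) {
                    // SSLException, SocketException and read timeouts all land here.
                    System.err.println("Dropped connection from "
                        + accepted.getRemoteSocketAddress() + ": " + e);
                }
            }
        }
    }

    static void serve(SSLSocket c) throws IOException {
        c.setSoTimeout(10_000);   // do not block forever on a silent peer
        c.startHandshake();       // surface handshake failures before any I/O
        BufferedReader r = new BufferedReader(
            new InputStreamReader(c.getInputStream(), "ISO-8859-1"));
        if (r.readLine() == null) {   // browser closed without sending a request
            throw new EOFException("client closed before sending a request");
        }
        byte[] body = "Hello world!".getBytes("US-ASCII");
        String head = "HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n"
            + "Content-Length: " + body.length + "\r\n\r\n";
        OutputStream out = c.getOutputStream();
        out.write(head.getBytes("US-ASCII"));
        out.write(body);
        out.flush();
    }
}
```

With this loop, a browser that drops the connection after rejecting the certificate produces one "Dropped connection" log line, and the server is still listening when the browser reconnects.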
To help IE to avoid the certificate validation issue, we can import my_home.crt into IE as a trusted certificate.
Test 2 - Run IE and click "Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities".
Click the "Import" button, and import my_home.crt as a trusted certificate.
Now run HttpsHello.java again.
herong> java -Djavax.net.debug=ssl:record HttpsHello
Then run IE 10 with https://localhost:8888. The browser will try to make a connection and come back with a different error message: "There is a problem with this website's security certificate. The security certificate presented by this website was issued for a different website's address."
We are making progress. But IE is still not 100% happy about the certificate, because the subject of the certificate is "Herong Yang", which does not match the host name "localhost". Apparently, IE validates certificates with 3 major rules:
To make IE happy, I repeated the test with another self-signed certificate for "localhost".
Test 3 - Generate a self-signed certificate for "localhost":

    herong> keytool -genkeypair -alias my_host -keystore herong.jks

    Enter keystore password: HerongJKS
    What is your first and last name?
      [Unknown]: localhost
    What is the name of your organizational unit?
      [Unknown]: My Unit
    What is the name of your organization?
      [Unknown]: My Home
    What is the name of your City or Locality?
      [Unknown]: My City
    What is the name of your State or Province?
      [Unknown]: My State
    What is the two-letter country code for this unit?
      [Unknown]: US
    Is <CN=localhost, OU=My Unit, O=My Home, L=My City, ST=My State, C=US> correct?
      [no]: yes

    Enter key password for <my_host>
      (RETURN if same as keystore password): My1stKey

    herong> keytool -exportcert -alias my_host -file my_host.crt -keystore herong.jks -storepass HerongJKS

Import my_host.crt into IE as a trusted certificate.
Now run HttpsHello.java again.
herong> java -Djavax.net.debug=ssl:record HttpsHello
Then run IE with https://localhost:8888. The browser will try to make a connection and come back with "Hello world!" this time.
Very nice. Our HttpsHello.java works like an HTTPS server on IE 10 now.
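The name check that separates Test 2 from Test 3 can be run against a keystore entry before the certificate is exported and trusted. This is an added example, not code from the tutorial: the class name CertNameCheck is hypothetical, and the keystore file, store password, alias and host name are taken from the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added example, not from the tutorial; the class name is hypothetical.
// Usage: java CertNameCheck <keystore> <storepass> <alias> <host>
public class CertNameCheck {
    // Names the certificate claims: dNSName SAN entries, plus the subject CN
    // (the CN is included because the IE test on this page matched on the subject).
    static List<String> names(X509Certificate cert) throws Exception {
        List<String> out = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                // General name type 2 is dNSName.
                if (((Integer) san.get(0)) == 2) out.add((String) san.get(1));
            }
        }
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if (rdn.getType().equalsIgnoreCase("CN")) out.add(rdn.getValue().toString());
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[2]);
        if (cert == null) throw new IllegalArgumentException("no such alias: " + args[2]);
        boolean issuerIsSubject =
            cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        boolean match = false;
        // Exact, case-insensitive comparison only; wildcard names are not handled.
        for (String n : names(cert)) match |= n.equalsIgnoreCase(args[3]);
        System.out.println("Subject: " + cert.getSubjectX500Principal().getName());
        System.out.println("Issuer equals subject (self-signed): " + issuerIsSubject);
        System.out.println("Name matches " + args[3] + ": " + match);
    }
}
```

Run against herong.jks with alias my_host and host localhost, it reports a name match; an entry whose subject CN is "Herong Yang" does not match localhost.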
To keep IE clean after finishing the tests, we should remove the "Herong Yang" and "localhost" certificates. Run IE, and go to "Tools", "Internet Options", "Content", "Certificates", and "Trusted Root Certification Authorities". You should be able to find them and remove them.