|
SSL - HTTPS
Part:
1
2
3
4
(Continued from previous part...)
So why my HttpsHello is getting this "Connection closed by remote host"
exception? The code logic in HttpsHello seems to be correct. Accoring the
output message, the accept() is returning a good SSLSocket. The code reads
the first line from the HTTP request, then writes back a HTTP response.
This is exactly how we would code for non-SSL HTTP communication.
After testing HttpsHello.java with a network debugger for a number of times,
I finally found why HttpsHello.java is not working with IE. The trouble is
caused by the self-signed certificate.
When IE reaches a HTTPS server and
gets a certificate that failed to pass the validation rules, it will
abandon the connection, and display a security alert to the user.
If the user wants to ignore the validation error and continue with
the HTTP request, IE will make another connection to the server.
As you can see, HttpsHello.java is not designed to handle this abandoned
connection. HttpsHello.java is not aware the fact that the client has
already closed the connection, and still tries to write the HTTP response back
to the connection. Of course, it will get an exception.
One way to resolve this problem is to check the data returned from r.readLine().
If there is no data, we know that the connection is not a good HTTP connection.
In this case we could ignore this connection, and go to listen to the next
connection.
Another way to resolve this problem is to help IE to pass the validation
of the server's certificate. Apparently, IE validates certificate with 3 rules:
1. The certificate is issued by a trusted authority.
2. The certificate is not expired.
3. The certificate name matches the HTTPS server name.
Make IE happy, I generated another key for "localhost",
and restarted HttpsHello.java:
>\jdk\bin\keytool -genkey -alias my_host -keystore herong.jks
Enter keystore password: HerongJKS
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]: My Unit
What is the name of your organization?
[Unknown]: My Home
What is the name of your City or Locality?
[Unknown]: My City
What is the name of your State or Province?
[Unknown]: My State
What is the two-letter country code for this unit?
[Unknown]: US
Is <CN=localhost, OU=My Unit, O=My Home, L=My City, ST=My State,
C=US> correct?
[no]: yes
Enter key password for <my_host>
(RETURN if same as keystore password): My1stKey
>\jdk\bin\java -cp . HttpsHello
Server started:
Server socket class:
class com.sun.net.ssl.internal.ssl.SSLServerSocketImpl
Socker address = 0.0.0.0/0.0.0.0
Socker port = 8888
Need client authentication = false
Want client authentication = false
Use client mode = false
Then run IE with https://localhost:8080,
the browser will give a security alert saying that you are about
to enter a secure web page. Click "OK" on the alert dialog box,
IE will give new another alert saying that the server's certificate
is not issued by a trusted authority.
Don't click OK to ignore this alert. Click "View Certificate" instead.
On the certificate dialog box, click "Install Certificate", and
follow the instruction to finish installing my "localhost" certificate
into IE. Remember to click "Yes" to add it to the Root Store.
Now restart HttpsHello.java and run IE with https://localhost:8888.
If you see "Hello world!" on the IE window after the first security alert,
you know that my "localhost" certificate is working correctly.
To keep IE clean, we should remove "localhost" certificate. Run IE,
and go to "Tools", "Internet Options", "Content", "Certificates", and
"Trusted Root Certificate Authorities". You should be able to find
"localhost" in the certificate list. Highlight it and remove it.
(Continued on next part...)
Part:
1
2
3
4
| 