Posted to dev@tomcat.apache.org by Tsirkin Evgeny <ts...@gmail.com> on 2006/12/14 17:33:32 UTC

strange ssl tomcat response

Hello list!
First of all thank you for developing such a good software as tomcat!
I am concerned about an issue that I could not find a solution for:
after installing and configuring tomcat 5.5 to use ssl, if I am trying to
request the ssl port with a non-ssl protocol, I am getting a result that
I can't understand - this looks like a strange stream of bits.
I have consulted on the tomcat user list and this behaviour is reproducible by
other users.
Here are the steps to reproduce:
--------------------------------------------------------------------------------------
[1] Do a regular (vanilla) installation of tomcat (Linux and Windows I have
already tried).
[2] Setup ssl:
Uncomment the ssl setup in server.xml, create a key with the following:
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
or
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
(taken from tomcat's manual)
add the keystorePass and keystoreFile to server.xml,
start tomcat and test if the ssl works.
[3] Try this in browser:
http://localhost:8443 (note the http not the https)
or
telnet localhost 8443
Note that the telnet should be done from a terminal that can show binary
output (rxvt and xterm will NOT do; for me gnome terminal and cmd on windows worked).
In the telnet session you will get a connection; type something, hit ENTER
and you will get strange bits in the response.
If you are doing this in browser it will just try to download those bits
(Mozilla) or show it on the screen (IE).
I am pretty sure that this is NOT valid behaviour.
I have tried all this on:
tomcat 5.5.20
java 1.5.0_09
and
same tomcat
java 1.5.0_06
Both Linux and Windows.
-----------------------------------------------------------------------------------------------------
It was suggested by one of the users that this is tomcat trying to do ssl
negotiation.
However it seems to me that if the client is not sending the ssl negotiation
first then the server should not try to do this. Here is what I have found in
the rfc (TLS 1.0):
   "These goals are achieved by the handshake protocol, which can be
   summarized as follows: The client sends a client hello message to
   which the server must respond with a server hello message, or else a
   fatal error will occur and the connection will fail."
Here is the link to the users list for the discussion:
http://marc.theaimsgroup.com/?l=tomcat-user&m=116609043103294&w=2
Note also that other servers I have worked with (non-java) do not do this:
try to telnet to the ssl port of gmail and you will not get any response
(connection yes, response no).

In any case I would like to know what this response is.
Isn't it a sign of a security problem or a bug?
Sorry for the long post.
Thanks.
Evgeny.

Re: strange ssl tomcat response

Posted by Tsirkin Evgeny <ts...@gmail.com>.
Thanks for the reply.
If I understand correctly you tried apache, not tomcat, right?
The behaviour you described is exactly what I expect tomcat to do.
But instead I am getting those strange responses ("bits" as I described them).
What I am worried about is mostly security, and since I don't know what this
response is I am more worried :(
Thanks.
Evgeny


On 12/14/06, Julius Davies <ju...@gmail.com> wrote:
>
> telnetting into my local apache2.2 on ssl and typing "GET / HTTP/1.0" is
> fun!
>
> $ telnet localhost 443
> Trying 127.0.0.1...
> Connected to localhost.localdomain (127.0.0.1).
> Escape character is '^]'.
> GET / HTTP/1.0
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>400 Bad Request</title>
> </head><body>
> <h1>Bad Request</h1>
> <p>Your browser sent a request that this server could not understand.<br
> />
> Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
> Instead use the HTTPS scheme to access this URL, please.<br />
>
>
> Maybe Tomcat could do that?  But anyway, this "bug" that Evgeny is
> reporting
> is probably JVM behaviour, and not Tomcat behaviour.
>
> yours,
>
> Julius
>
>
>
> On 12/14/06, Tsirkin Evgeny <ts...@gmail.com> wrote:
> >
> > Hello list!
> > First of all thank you for developing such a good software as tomcat!
> > I am concerned about an issue that I could not find a solution for:
> > after installing and configuring tomcat 5.5 to use ssl, if I am trying to
> > request the ssl port with a non-ssl protocol, I am getting a result that
> > I can't understand - this looks like a strange stream of bits.
> > I have consulted on the tomcat user list and this behaviour is reproducible
> > by other users.
> > Here are the steps to reproduce:
> >
> >
> --------------------------------------------------------------------------------------
> > [1] Do a regular (vanilla) installation of tomcat (Linux and Windows I
> > have already tried).
> > [2] Setup ssl:
> > Uncomment the ssl setup in server.xml, create a key with the following:
> > %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
> > or
> > $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
> > (taken from tomcat's manual)
> > add the keystorePass and keystoreFile to server.xml,
> > start tomcat and test if the ssl works.
> > [3] Try this in browser:
> > http://localhost:8443 (note the http not the https)
> > or
> > telnet localhost 8443
> > Note that the telnet should be done from a terminal that can show binary
> > output (rxvt and xterm will NOT do; for me gnome terminal and cmd on
> > windows worked).
> > In the telnet session you will get a connection; type something, hit
> > ENTER and you will get strange bits in the response.
> > If you are doing this in browser it will just try to download those bits
> > (Mozilla) or show it on the screen (IE).
> > I am pretty sure that this is NOT valid behaviour.
> > I have tried all this on:
> > tomcat 5.5.20
> > java 1.5.0_09
> > and
> > same tomcat
> > java 1.5.0_06
> > Both Linux and Windows.
> >
> >
> -----------------------------------------------------------------------------------------------------
> > It was suggested by one of the users that this is tomcat trying to do
> > ssl negotiation.
> > However it seems to me that if the client is not sending the ssl negotiation
> > first then the server should not try to do this. Here is what I have found
> > in the rfc (TLS 1.0):
> >    "These goals are achieved by the handshake protocol, which can be
> >    summarized as follows: The client sends a client hello message to
> >    which the server must respond with a server hello message, or else a
> >    fatal error will occur and the connection will fail."
> > Here is the link to the users list for the discussion:
> > http://marc.theaimsgroup.com/?l=tomcat-user&m=116609043103294&w=2
> > Note also that other servers I have worked with (non-java) do not do
> > this: try to telnet to the ssl port of gmail and you will not get any
> > response (connection yes, response no).
> >
> > In any case I would like to know what this response is.
> > Isn't it a sign of a security problem or a bug?
> > Sorry for the long post.
> > Thanks.
> > Evgeny.
> >
> >
>
>
> --
> yours,
>
> Julius Davies
> 416-652-0183
> http://juliusdavies.ca/
>
>

Re: strange ssl tomcat response

Posted by Julius Davies <ju...@gmail.com>.
telnetting into my local apache2.2 on ssl and typing "GET / HTTP/1.0" is
fun!

$ telnet localhost 443
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
GET / HTTP/1.0

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />


Maybe Tomcat could do that?  But anyway, this "bug" that Evgeny is reporting
is probably JVM behaviour, and not Tomcat behaviour.

yours,

Julius



On 12/14/06, Tsirkin Evgeny <ts...@gmail.com> wrote:
>
> Hello list!
> First of all thank you for developing such a good software as tomcat!
> I am concerned about an issue that I could not find a solution for:
> after installing and configuring tomcat 5.5 to use ssl, if I am trying to
> request the ssl port with a non-ssl protocol, I am getting a result that
> I can't understand - this looks like a strange stream of bits.
> I have consulted on the tomcat user list and this behaviour is reproducible by
> other users.
> Here are the steps to reproduce:
>
> --------------------------------------------------------------------------------------
> [1] Do a regular (vanilla) installation of tomcat (Linux and Windows I
> have already tried).
> [2] Setup ssl:
> Uncomment the ssl setup in server.xml, create a key with the following:
> %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
> or
> $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
> (taken from tomcat's manual)
> add the keystorePass and keystoreFile to server.xml,
> start tomcat and test if the ssl works.
> [3] Try this in browser:
> http://localhost:8443 (note the http not the https)
> or
> telnet localhost 8443
> Note that the telnet should be done from a terminal that can show binary
> output (rxvt and xterm will NOT do; for me gnome terminal and cmd on windows worked).
> In the telnet session you will get a connection; type something, hit ENTER
> and you will get strange bits in the response.
> If you are doing this in browser it will just try to download those bits
> (Mozilla) or show it on the screen (IE).
> I am pretty sure that this is NOT valid behaviour.
> I have tried all this on:
> tomcat 5.5.20
> java 1.5.0_09
> and
> same tomcat
> java 1.5.0_06
> Both Linux and Windows.
>
> -----------------------------------------------------------------------------------------------------
> It was suggested by one of the users that this is tomcat trying to do
> ssl negotiation.
> However it seems to me that if the client is not sending the ssl negotiation
> first then the server should not try to do this. Here is what I have found in
> the rfc (TLS 1.0):
>    "These goals are achieved by the handshake protocol, which can be
>    summarized as follows: The client sends a client hello message to
>    which the server must respond with a server hello message, or else a
>    fatal error will occur and the connection will fail."
> Here is the link to the users list for the discussion:
> http://marc.theaimsgroup.com/?l=tomcat-user&m=116609043103294&w=2
> Note also that other servers I have worked with (non-java) do not do this:
> try to telnet to the ssl port of gmail and you will not get any response
> (connection yes, response no).
>
> In any case I would like to know what this response is.
> Isn't it a sign of a security problem or a bug?
> Sorry for the long post.
> Thanks.
> Evgeny.
>
>


-- 
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/
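The thread's open question is what the "strange bits" returned on the SSL port are, and Julius's Apache httpd session shows the other possible outcome (a plain-HTTP 400 page). The script below is an added example, not code from the thread or from the Tomcat project: it classifies whatever a server sends back when spoken to in plain HTTP on a TLS port, decoding the first bytes as a TLS record header (content type, version, length, and for an alert record its level and description per RFC 2246) or as an HTTP status line. The sample byte strings are constructed for the example and are not captures of Tomcat's or Apache's actual replies; the `probe()` helper is for checking a server you operate yourself.

```python
import socket

# Constructed sample replies (not captured from the servers in the thread).
# TLS record: type 0x15 (alert), version 3.1 (TLS 1.0), length 2,
# alert level 2 (fatal), description 10 (unexpected_message).
TLS_ALERT_SAMPLE = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x0A])
# Plain-HTTP error like the Apache httpd reply quoted by Julius.
HTTP_400_SAMPLE = (b"HTTP/1.1 400 Bad Request\r\n"
                   b"Content-Type: text/html\r\n\r\n<html>Bad Request</html>")

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of RFC 2246 / RFC 5246 alert descriptions.
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 40: "handshake_failure",
                      50: "decode_error", 70: "protocol_version",
                      80: "internal_error"}


def classify_response(data: bytes) -> dict:
    """Decide whether a reply is nothing, HTTP, a TLS record, or unknown."""
    if not data:
        return {"kind": "none",
                "detail": "connection closed without sending any bytes"}
    if data.startswith(b"HTTP/"):
        status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"kind": "http", "detail": status_line}
    # A TLS record header is 5 bytes: type, major version (always 3),
    # minor version, and a 16-bit big-endian payload length.
    if len(data) >= 5 and data[0] in TLS_CONTENT_TYPES and data[1] == 3:
        ctype = TLS_CONTENT_TYPES[data[0]]
        version = TLS_VERSIONS.get(data[2], f"3.{data[2]}")
        length = int.from_bytes(data[3:5], "big")
        result = {"kind": "tls",
                  "detail": f"{ctype} record, {version}, payload {length} bytes"}
        # An alert payload is two bytes: level and description.
        if data[0] == 21 and len(data) >= 7:
            result["alert_level"] = ALERT_LEVELS.get(data[5], f"unknown({data[5]})")
            result["alert_description"] = ALERT_DESCRIPTIONS.get(
                data[6], f"unknown({data[6]})")
        return result
    return {"kind": "unknown", "detail": "first bytes: " + data[:16].hex()}


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Send a plaintext GET to a port on a server you administer and
    classify what comes back (hypothetical helper; not run by the tests)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        chunks = []
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass  # server kept the connection open without replying
    return classify_response(b"".join(chunks))


if __name__ == "__main__":
    for name, sample in (("tls alert", TLS_ALERT_SAMPLE),
                         ("apache 400", HTTP_400_SAMPLE),
                         ("silent close", b"")):
        print(name, "->", classify_response(sample))
```

Run against a TLS port of your own server (`probe("localhost", 8443)`), a `tls` result whose record is an `alert` means the server answered the non-TLS bytes with a TLS-level error, which is what the RFC passage Evgeny quotes describes for a failed handshake; an `http` result is the Apache-style "you're speaking plain HTTP to an SSL port" page; `none` is the silent-close behaviour he saw on gmail. None of the three leaks anything beyond the fact that the port is TLS, which is already visible to any client.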