i am not able to run my web application on HTTPS port (secure port through
SSL) although it run fine on normal HTTP port.
Environment used to run web application is as-
GNU Classpath ver 0.98
JamVm ver 1.53
Jetty 1.6.8
Linux Debian based
IE and mozilla browser
keystore- type GKR
Crypto and SSL implementation- in GNU Classpath ver 0.98
Basically i got multiple issues while trying to run application on HTTPS
ports, some of them i was able to resolve after debugging GNU classpath
source code. Problems faced by me are described below-
Problem # 1
----------------------
-Server socket listening on HTTPS port (8443 in our case) not responding to
requests coming from browser.
After analysis, i have found that SSL server socket has been listening on
HTTPS port 8443 and accepting initial request coming from browser for
connection and creating SSL client socket in response. but after this there
is no response from SSL client socket created earlier. It seem that no input
stream is open to the client socket to read data coming from browser.
I think above issue is coming due to some bug in the SSLSocketImpl class
under gnu.javax.net.ssl.provider package. In constructor of this class,a new
Socket is created (i do not know why??) which is stored in underlyingSocket
variable of SSLSocketImpl class. All requests of read and write is then
delegated to member variable underlyingSocket. I think after copying new
socket reference to underlyingSocket variable, this socket(underlyingSocket)
is not connected to same native socket which is created in response of
initial request from browser therefore SSL client socket is not responding
to the browser request.
I have fixed this issue by not setting underlyingSocket variable to new
Socket and adding check for null at all places where underlyingSocket is
refereed. I have diverted all calls on underlyingSocket to super class of
SSLSocketImpl.
Please confirm whether is this a bug in the SSLSocketImpl class or have i
done something wrong?
Problem # 2
-----------------------
SSL handshake starts working but IllegalArgumentException exception is
coming from setLength API in Record class under gnu.javax.net.ssl.provider
package.
i think length check (between 0 and 16384 (2^14)) on SSL record is not
correct. As per SSL RFC, length of final SSL record after encryption and
compression may exceed by 2048 bytes.
I have fixed this issue by changing maximum length to 17408.
Please confirm is this the bug in the Record class?
Problem # 3
------------------------
In decrypt API of InputSecurityParameters class under
gnu.javax.net.ssl.provider package, sometimes length calculated for padding
in case of block cipher is more then size of SSL record/fragment resulting
in IllegalArgumentException.
I have seen this issue only with Internet explorer browser. At line # 173 in
this class, IllegalArgumentException comes on calling positing API of
ByteBuffer due to passing negative index.
else if (record.version().compareTo(ProtocolVersion.TLS_1) >= 0)
{
// In TLSv1 and later, the padding must be `padlen' copies of the
// value `padlen'.
byte[] pad = new byte[padlen];
//IllegalArgumentException comes at below line
((ByteBuffer) fragment.duplicate().position(record.length() - padlen
- 1)).get(pad);
for (int i = 0; i < pad.length; i++)
if ((pad[i] & 0xFF) != padlen)
badPadding = true;
if (Debug.DEBUG)
logger.logv(Component.SSL_RECORD_LAYER, "TLSv1.x padding\n{0}",
new ByteArray(pad));
}
To resolve this issue, time being i have put safe check of positive index
before the line where exception is coming.
Now even after resolving all above mentioned issues, sometimes bad
certificate or not valid signature error is coming on browser on opening
pages using HTTPS.
I have to provide HTTPS support and now i am really stuck. please guide me
in resolving SSL related issues.
--
View this message in context: http://www.nabble.com/Does-SSL--works-at-all-in-classpath-version-0.98-----tp24515738p24515738.html
Sent from the Gnu - Classpath - General mailing list archive at Nabble.com.
