HTTP and HTTPS on same port??

Sander Smith

Joined: May 20, 2006
Posts: 4
I have a Tomcat application that opens an HTTPS socket for incoming requests. I can go to https://website (or https://website:443) and things work beautifully.

However, if I try to go to http://website:443 things don't work so well. The browser simply shows some garbage characters that I'm assuming are a part of an SSL handshake that will never complete. BTW, I know that what I'm asking about here is fundamentally wrong - I'm looking into it because of the way a poorly-designed applet (that I have no control over) is working.

Anyway, what I would *LIKE* to have happen is this:

Browse to http://website:443
The server performs a redirect to https://website
The browser now goes to the right place
Life is good

In looking at the SSL spec, I don't see why this can't happen. The server (that's expecting https connections) should be able to figure out that something is wrong since the client is not sending a ClientHello message. When it determines this, it can simply reply using regular old HTTP and issue the redirect.

I have a feeling that my argument is somehow flawed, but can't figure out why. Anyone have any ideas? Anyone have any ideas on how to actually implement such a thing?

Sander Smith
Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
In principle you could implement HTTPS in this way, I suppose. It's a special non-standard case of error handling, though, so it might violate the protocol (which probably specifies precisely what should happen in case of a "broken" HTTPS stream).

As a possible workaround you could try to detect URLs like that with an Apache server and the mod_rewrite module. I'm not sure whether it's not too late by the time mod_rewrite sees the request, though.
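The check discussed in this thread (telling a ClientHello apart from a plaintext HTTP request by looking at the first bytes on the socket, then answering the latter with a redirect) is sketched below as an added example; it is not code from either poster and not Tomcat API. The class and method names are hypothetical, the sample bytes are constructed, and wiring the check into a connector (peeking at the bytes without consuming them) is assumed to happen elsewhere.

```java
import java.nio.charset.StandardCharsets;

// Added illustration; all names here are hypothetical, not part of Tomcat or JSSE.
public class FirstBytesSniffer {

    enum Kind { TLS, SSLV2_HELLO, HTTP, UNKNOWN }

    private static final String[] METHODS = {
        "GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS ", "PATCH ", "TRACE ", "CONNECT "
    };

    /** Classify a connection from the first bytes the client sent (peeked, not consumed). */
    static Kind classify(byte[] b, int len) {
        if (len < 3) return Kind.UNKNOWN;
        // TLS record header: ContentType 0x16 (handshake), then ProtocolVersion major 0x03.
        if ((b[0] & 0xFF) == 0x16 && (b[1] & 0xFF) == 0x03) return Kind.TLS;
        // SSLv2-compatible ClientHello: length field with high bit set, then message type 0x01.
        if ((b[0] & 0x80) != 0 && (b[2] & 0xFF) == 0x01) return Kind.SSLV2_HELLO;
        // A plaintext HTTP request starts with an ASCII method token followed by a space.
        String head = new String(b, 0, Math.min(len, 8), StandardCharsets.US_ASCII);
        for (String m : METHODS) {
            if (head.startsWith(m)) return Kind.HTTP;
        }
        return Kind.UNKNOWN;
    }

    /** Build the plaintext 301 for a request line such as "GET /path HTTP/1.1". */
    static String redirect(String canonicalHost, String requestLine) {
        String[] parts = requestLine.split(" ");
        // Only same-site absolute paths are echoed back; anything else falls back to "/".
        String path = (parts.length >= 2 && parts[1].startsWith("/") && !parts[1].startsWith("//"))
                ? parts[1] : "/";
        path = path.replaceAll("[\\r\\n]", ""); // no CR/LF may reach the Location header
        // Host comes from server configuration, never from the client's Host header.
        return "HTTP/1.1 301 Moved Permanently\r\n"
             + "Location: https://" + canonicalHost + path + "\r\n"
             + "Content-Length: 0\r\n"
             + "Connection: close\r\n\r\n";
    }

    public static void main(String[] args) {
        byte[] tls = {0x16, 0x03, 0x01, 0x00, (byte) 0xA5, 0x01};          // constructed sample
        byte[] http = "GET /applet/start HTTP/1.1\r\nHost: other.example\r\n\r\n"
                .getBytes(StandardCharsets.US_ASCII);                      // constructed sample
        System.out.println(classify(tls, tls.length));
        System.out.println(classify(http, http.length));
        System.out.print(redirect("website", "GET /applet/start HTTP/1.1"));
    }
}
```

By the time such a redirect is sent, the first plaintext request, including any cookies or URL parameters it carried, has already crossed the network unencrypted.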