File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Security and the fly likes HTTP and HTTPS on same port?? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Engineering » Security
Bookmark "HTTP and HTTPS on same port??" Watch "HTTP and HTTPS on same port??" New topic

HTTP and HTTPS on same port??

Sander Smith

Joined: May 20, 2006
Posts: 4
I have a Tomcat application that opens an HTTPS socket for incoming requests. I can go to https://website (or https://website:443) and things work beautifully.

However, if I try to go to http://website:443 things don't work so well. The browser simply shows some garbage characters that I'm assuming are a part of an SSL handshake that will never complete. BTW, I know that what I'm asking about here is fundamentally wrong - I'm looking into it because of the way a poorly-designed applet (that I have no control over) is working.

Anyway, what I would *LIKE* to have happen is this:

Browse to http://website:443
The server performs a redirect to https://website
The browser now goes to the right place
Life is good

In looking at the SSL spec, I don't see why this can't happen. The server (that's expecting https connections) should be able to figure out that something is wrong since the client is not sending a ClientHello message. When it determines this, it can simply reply using regular old HTTP and issue the redirect.

I have a feeling that my argument is somehow flawed, but can't figure out why. Anyone have any ideas? Anyone have any ideas on how to actually implement such a thing?

Sander Smith
Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42932
In principal you could implement HTTPS in this way, I suppose. It's a special non-standard case of error handling, though, so it might violate the protocol (which probably specifies precisely what should happen in case of a "broken" HTTPS stream).

As a possible workaround you could try to detect URLs like that with an Apache server and the mod_rewrite module. I'm not sure whether it's not too late by the time mod_rewrite sees the request, though.
I agree. Here's the link:
subject: HTTP and HTTPS on same port??