Connecting to HttpsHello.java with IE

JDK Tutorials - Herong's Tutorial Examples

∟HTTPS (Hypertext Transfer Protocol Secure)

∟Connecting to HttpsHello.java with IE

This section provides a tutorial example on how to test my HTTPS server program, HttpsHello.java with the IE (Internet Explorer) browser. IE requires the HTTPS certificate's owner name matching the server host name.

Now let's use Internet Explorer (IE) to connect to my HTTPS server program HttpsHello.java.

Test 1 - First run HttpsHello.java again in JDK 1.8 with SSL debug mode turned on:

herong> java -Djavax.net.debug=ssl:record HttpsHello.java

Server started:
Server socket class:
   class com.sun.net.ssl.internal.ssl.SSLServerSocketImpl
   Socket address = 0.0.0.0/0.0.0.0
   Socket port = 8888
   Need client authentication = false
   Want client authentication = false
   Use client mode = false

Then run IE 10 with https://localhost:8888, the browser will try to make a connection and come back with an error message: "This page can't be displayed".

But on the HttpsHello.java execution window, you will this exception:

java.net.SocketException: Connection closed by remote host
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkWrite(U...
  at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unkn...
  at sun.nio.cs.StreamEncoder$CharsetSE.writeBytes(Unknown S...
  at sun.nio.cs.StreamEncoder$CharsetSE.implFlushBuffer(Unkn...
  at sun.nio.cs.StreamEncoder$CharsetSE.implFlush(Unknown So...
  at sun.nio.cs.StreamEncoder.flush(Unknown Source)
  at java.io.OutputStreamWriter.flush(Unknown Source)
  at java.io.BufferedWriter.flush(Unknown Source)
  at HttpsHello.main(HttpsHello.java:40)

So why my HttpsHello.java is getting this "Connection closed by remote host" exception? The code logic in HttpsHello seems to be correct. According to the output message, the accept() is returning a good SSLSocket. The code reads the first line from the HTTP request, then writes back a HTTP response. This is exactly how we would code for non-SSL HTTP communication.

After testing HttpsHello.java with a network debugger for a number of times, I finally found why HttpsHello.java is not working with IE. The trouble is caused by the self-signed certificate.

When IE reaches a HTTPS server and gets a certificate that failed to pass the validation rules (because the certificate is signed by any trusted CA), it will abandon the connection, and display a security alert to the user. If the user wants to ignore the validation error and continue with the HTTP request, IE will make another connection to the server.

As you can see, HttpsHello.java is not designed to handle this abandoned connection. HttpsHello.java is not aware the fact that the client has already closed the connection, and still tries to write the HTTP response back to the connection. Of course, it will get an exception.

To help IE to avoid the certificate validation issue, we can import my_home.crt into IE as a trusted certificate.

Test 2 - Run IE and click "Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities".

Click the "Import" button, and import my_home.crt as a trusted certificate.

Now run HttpsHello.java again.

herong> java -Djavax.net.debug=ssl:record HttpsHello

Then run IE 10 with https://localhost:8888, the browser will try to make a connection and come back with a different error message: "There is a problem with this website's security certificate. The security certificate presented by this website was issued for a different website's address."

We are making progress. But IE is still not 100% happy about the certificate, because the subject of the certificate is "Herong Yang" which does not match the host name "localhost". Apparently, IE validates certificate with 3 major rules:

The certificate is issued by a trusted authority.
The certificate is not expired.
The certificate owner name matches the HTTPS server name.

To make IE happy, I repeated the test with another self-signed certificate for "localhost",

Test 3 - Generated a self-signed certificate for "localhost":

herong> keytool -genkeypair -alias my_host -keystore herong.jks

Enter keystore password:  HerongJKS
What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:  My Unit
What is the name of your organization?
  [Unknown]:  My Home
What is the name of your City or Locality?
  [Unknown]:  My City
What is the name of your State or Province?
  [Unknown]:  My State
What is the two-letter country code for this unit?
  [Unknown]:  US
Is <CN=localhost, OU=My Unit, O=My Home, L=My City, ST=My State,
   C=US> correct?
  [no]:  yes
Enter key password for <my_host>
        (RETURN if same as keystore password):  My1stKey

herong> keytool -exportcert -alias my_host -file my_host.crt
   -keystore herong.jks -storepass HerongJKS

Import my_host.crt into IE as a trusted certificate.

Now run HttpsHello.java again.

herong> java -Djavax.net.debug=ssl:record HttpsHello

Then run IE with https://localhost:8888, the browser will try to make a connection and come back with "Hello world!" this time.

Very nice. Our HttpsHello.java works like a HTTPS server on IE 10 now.

To keep IE clean after finishing tests, we should remove "Herong Yang" and "localhost" certificates. Run IE, and go to "Tools", "Internet Options", "Content", "Certificates", and "Trusted Root Certificate Authorities". You should be able to find them and remove them.