[rfc][icedtea-web] https proobing

Jiri Vanek jvanek at redhat.com
Thu Aug 7 17:25:31 UTC 2014 

Hi!

this patch *should* solve most of the issues ITW have with various broken or old https servers. 
Should, because I have no page where to reproduce. My only tracker is 
https://bugzilla.redhat.com/show_bug.cgi?id=1089130 and small attached program which I wrote used to 
tests various requests to known broken https server (to get files).

The patch do following:

Wrap all url.openconnections and connection.dieconet by wrapper.

This wrapper do following:
if connection is not not https, it acts as before (except only synchronized disconnect)
if it is https, it locks other (https) connections and  tryes server:
  -  if it is not using old handsake or invalid certificate
  - save those settings
  - all other https connections then uses those settings (unless overwritten)
  - except https openconnection and all disconnect connection  all connectins are parallel  as we 
were used to (unless overwritten)
  - the probing connection is reused (if successful)


The default schema is not working in (rare) cases when resources are in differently "broken" https 
servers. To control this flaws there are 4 properties, which deserves 4 checkboxes in itw-setting 
(another patch onc ethis is agreed)

+    public static final String KEY_HTTPS_PROBINGALOWED = "deployment.security.https.proobingalowed";


By default true, probing is allowed.  If set to false, then itw will behave as before, except 
synchronized disconnect

+    public static final String KEY_HTTPS_SYNCFORCED = "deployment.security.https.syncforced";

by default false. Once true this will disable our excelent paralelism for https downloads. Have 
sense only with  probe always

+    public static final String KEY_HTTPS_PROBEALWAYS = "deployment.security.https.probealways";

when this is true,  each connection will do its own probing. So each can have different https 
settings. Have sense moreover onl with syncforced, otherwise exisitng conections will overwite each 
other and fail.

+    public static final String KEY_HTTPS_ALOWUNSECURE = "deployment.security.https.allowunsecure";

This is actually creating security hole. SO by default false. Once in itw-settings, it will need 
strong warning for user. It disables certificate verification.



hmm..During writing of this email I have realized that I can use same synchronized trick as for open 
connection (synchronize once https is recognized, but let http be). The patch is updated. But I have 
not tested. I guess I will test it during next iteration. This is justnote for reviwer that if you 
will encounter any flaw in above description, this is probably cause. And so above "synchronize 
ddisconnect" is now valod only for https.


J.

ps: this patch is unbackportable :(
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OnOffSSLv2UntrustedCerts.java
Type: text/x-java
Size: 5635 bytes
Desc: not available
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20140807/8eaaa850/OnOffSSLv2UntrustedCerts-0001.java>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: httpsSolution_01.patch
Type: text/x-patch
Size: 37492 bytes
Desc: not available
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20140807/8eaaa850/httpsSolution_01-0001.patch>

More information about the distro-pkg-dev mailing list