Hi, I am trying out a simple Java HTTP server, NanoHTTPD: http://elonen.iki.fi/code/nanohttpd/
Today I tried to support it with HTTPS, so I create an SSLServerSocket in its NanoHTTPD constructor:
// myServerSocket = new ServerSocket(myTcpPort);
myServerSocket = SSLServerSocketFactory.getDefault().createServerSocket(myTcpPort);
and also supplied javax.net.ssl.keyStore with a 2048 bit RSA key.
The result is that HTTPS connections succeed on MSIE6.0, MSIE8.0 and Firefox 9.0.1. However, they fail on Google Chrome 17.0.963.56 m and Firefox 10.0.1:
from debugging, the NanoHTTPD.HTTPSession.decodeHeader method gets only String inLine = "G", barely one single char, while normally here you would expect the standard HTTP header "GET / HTTP/1.1".
So could anybody familiar with Firefox tell me what's different in 9.0.1 and 10.0.1 regarding HTTPS / SSL? Something made by browsers may be the point. (Of course I am a newbie in Java SSL programming, please tell me if I am wrong in SSLServerSocket).
I have cross posted this issue: https://support.mozilla.org/en-US/questions/920116
Thank you all.
The short of it is that your SSL implementation is broken. SSL records can be split in arbitrary ways, and Google and Mozilla changed the way they split theirs to work around some MITM attacks on SSL. Specifically, a 1-byte SSL record is sent before sending a second SSL record with the rest of the data. It sounds like your SSL implementation is only reading the first record instead of reading all the data.
See http://rt.openssl.org/Ticket/Display.html?id=2635&user=guest&pass=guest and https://bugzilla.mozilla.org/show_bug.cgi?id=665814 and articles like http://www.livehacking.com/2011/10/27/chrome-15-broke-the-wall-street-journal-while-trying-to-beat-the-beast/
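The failure described in this thread, as an added example that is not part of the original posts or of NanoHTTPD's code: a single read() returns only the 1-byte first record, while a loop that reads until the blank line ending the header recovers the whole request. RecordStream, readHeader and the sample request are hypothetical names and constructed data; RecordStream assumes each read() hands back at most one record's payload, which matches the "G" seen in the question.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class SplitRecordRead {
    // Constructed stand-in for an SSL socket stream (assumption): one read() never spans two records.
    static final class RecordStream extends InputStream {
        private final byte[][] records;
        private int rec = 0, off = 0;
        RecordStream(byte[]... records) { this.records = records; }
        @Override public int read() {
            byte[] one = new byte[1];
            return read(one, 0, 1) == -1 ? -1 : one[0] & 0xff;
        }
        @Override public int read(byte[] b, int o, int len) {
            while (rec < records.length && off == records[rec].length) { rec++; off = 0; }
            if (rec == records.length) return -1;            // all records consumed
            int n = Math.min(len, records[rec].length - off);
            System.arraycopy(records[rec], off, b, o, n);
            off += n;
            return n;
        }
    }

    // Accumulate reads until the CRLF CRLF that ends the HTTP header; fail on EOF or when the size cap is hit.
    static String readHeader(InputStream in, int maxBytes) throws IOException {
        ByteArrayOutputStream acc = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        int n;
        while ((n = in.read(buf, 0, Math.min(buf.length, maxBytes - acc.size()))) > 0) {
            acc.write(buf, 0, n);
            String s = acc.toString("ISO-8859-1");
            if (s.contains("\r\n\r\n")) return s;
        }
        throw new IOException("header incomplete or over " + maxBytes + " bytes");
    }

    public static void main(String[] args) throws IOException {
        // Constructed request, split 1 / n-1 the way the answer describes.
        byte[] req = "GET / HTTP/1.1\r\nHost: localhost\r\n\r\n".getBytes(StandardCharsets.ISO_8859_1);
        byte[] first = Arrays.copyOfRange(req, 0, 1);
        byte[] rest = Arrays.copyOfRange(req, 1, req.length);
        byte[] buf = new byte[4096];
        int n = new RecordStream(first, rest).read(buf, 0, buf.length);
        System.out.println("single read: " + new String(buf, 0, n, StandardCharsets.ISO_8859_1));
        System.out.println("looped read: " + readHeader(new RecordStream(first, rest), 8192).trim());
    }
}
```

The size cap in readHeader keeps a client that never sends the terminating blank line from growing the buffer without bound.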