HTTPS (HTTP over SSL) Support

Even though support for https has been one of the most requested features, it has still not been added in yet. This is mainly due to the lack of a suitable SSL implementation (where suitable means freely available under some sort of opensource license, pure Java, and without export restrictions). However, a number of patches for various commercial and partially free SSL packages have been provided by various people (who all deserve a big thank you). Below is the list of patches available. Note: I suggest you check the copy of this page on the HTTPClient web site, as that will be more up-to-date.

All patches include the modified HTTPConnection.java, the resulting class files, and a README. Note that the patches are not included in the HTTPClient distributions themselves because of export/import regulations in various countries. However, they are all available from the HTTPClient home site, which resides in Switzerland and therefore has no export problems.

If you have not settled on an SSL implementation yet and are choosing between one of those listed below, then I recommend JSSE, SSL-J, iSaSiLk, or SSLava, because they have the necessary constructor or other hook so that the HTTPClient will work through proxies; the others do not provide the necessary constructors or hooks and therefore when using these the HTTPClient will not work through proxies for https connections. Note that I have no connection whatsoever with these companies - I just happen to have received info and patches for these packages from folks who had used them to add https support to the HTTPClient.

https Examples

Once you've patched the HTTPClient and added the ssl libraries to your classpath, creating an https connection is simple:

    HTTPConnection con = new HTTPConnection("https", "www.myaddr.net", -1);
    ...

You can also use URL's, but you need to define the property java.protocol.handler.pkgs=HTTPClient so that creating the URL won't throw a MalformedURLException:

    System.getProperties().put("java.protocol.handler.pkgs", "HTTPClient");
    URL url = new URL("https://www.myaddr.net/the/stuff");
    HTTPConnection con = new HTTPConnection(url);
    ...

Alternatively, use the URI class from the HTTPClient:

    URI url = new URI("https://www.myaddr.net/the/stuff");
    HTTPConnection con = new HTTPConnection(url.getScheme(), url.getHost(), url.getPort());
    ...

SSL Implementations and Patches

SSL-J (from RSA)

SSL-J is commercial; the patched HTTPClient is capable of doing https through proxies. Thanks to Jon Lennard and Chaitanya Laxminarayan for the patches.

Patches for SSL-J version 3.0 (or later)
Patches for SSL-J versions prior to 3.0

SSLava (from Phaos)

SSLava is commercial; the patched HTTPClient is capable of doing https through proxies. Thanks to Josh Bers for the patch.

Download patches

Note: the patch above has been updated to work against what seems to be the current SSLava version. If you have an older version of SSLava and are having problems with the patch, then try downloading the older patches

iSaSiLk (from IAIK)

iSaSiLk is commercial; the patched HTTPClient is partially capable of doing https through proxies (http proxies are ok, SOCKS proxies aren't handled). Thanks to Scott Murray for the info from which this patch was created.

Note: Entrust is distributing a security toolkit which is free for some uses. This package includes the above IAIK SSL implementation, and hence the patches here can be used with Entrust's toolkit.

Download patches

NJSS (from Netscape)

NJSS is commercial; the patched HTTPClient is not capable of doing https through proxies. Thanks to J. Scott Evans for the patch.

Download patches

JSSE (from Sun)

This is a pure java implementation of the latest javax.net.ssl spec. DSTC also provides an implementation of this interface, which is free for non-commercial use. The patched HTTPClient is capable of doing https through proxies.

Download patches

Old javax.net.ssl (from Sun)

Sun's implementation of this interface delivered with HotJava 1.1.5 is free (at the time of this writing there is no SSL-enabled version of HotJava 3.0); others seem to be commercial; the patched HTTPClient is not capable of doing https through proxies.

Download patches

OpenSSL

A few people have written Java wrappers around OpenSSL and have provided patches for the HTTPClient. Here are the ones I'm aware of:

Matt Warner's wrapper info (patches for the HTTPClient are at the end of the page). This is currently mainly Mac OS X based, but should be portable to any Unix.
Martin Büchler's wrapper for Win32 (with a patched HTTPConnection.java).

Note that neither of these support SSL through proxies.

Other SSL packages

Here are some SSL packages which I know of, but for which I do not have any patches:

Using Other SSL Implementations

If you have an SSL implementation which is not listed above and which you'd like to use, then must make the following modifications to HTTPConnection.java:

Uncomment (and suitably modify) the line
```
	sock = new SSLSocket(sock); 
```

Chang the line

	if (!prot.equals("http"))

to read

	if (!prot.equals("http")  &&  !prot.equals("https"))

Note that you'll need an SSL implementation with a constructor which takes an already established socket (this is because the HTTPClient needs to create the raw connection itself, possibly going through SOCKS or http proxies, and only then can the SSL handshake be invoked). As an alternative, a startHandshake() or equivalent method will also do - see the IAIK implementation. If the SSL package provides neither option then the client will not work through proxies.

Ronald Tschalär / 6. May 2001 / ronald@innovation.ch.