HTTPS (http over SSL) Support

Even though support for https has been one of the most requested features, it has still not been added in yet. This is mainly due to the lack of a suitable SSL implementation (where suitable means freely available under some sort of opensource license, pure Java, and without export restrictions). However, a number of patches for various commercial and partially free SSL packages have been provided by various people (who all deserve a big thank you). Following is the list of patches available. All patches include the modified HTTPConnection.java the resulting class files, and a README. Note that the patches are not included in the HTTPClient distributions themselves because of export/import regulations in various countries. However, they are all available from the HTTPClient home site, which resides in Switzerland and therefore has no export problems.

If you have not settled on an SSL implementation yet and are choosing between one of those listed below, then I recommend SSL-J or iSaSiLk because they have the necessary constructor or other hook so that the HTTPClient will work through proxies; the others do not provide the necessary constructors or hooks and therefore when using these the HTTPClient will not work through proxies for https connections. Note that I have no connection whatsoever with these companies - I just happen to have received info and patches for these packages from folks who had used them to add https support to the HTTPClient.

SSL-J (from RSA)

SSL-J is commercial; the patched HTTPClient is capable of doing https through proxies. Thanks to Jon Lennard for the patch.

Download patches

SSLava (from Phaos)

SSLava is commercial; the patched HTTPClient is not capable of doing https through proxies. Thanks to Josh Bers for the patch.

Download patches

iSaSiLk (from IAIK)

iSaSiLk is commercial; the patched HTTPClient is partially capable of doing https through proxies (http proxies are ok, SOCKS proxies aren't handled). Thanks to Scott Murray for the info from which this patch was created.

Note: Entrust is distributing a security toolkit which is free for some uses. This package includes the above IAIK SSL implementation, and hence the patches here can be used with Entrust's toolkit.

Download patches

NJSS (from Netscape)

NJSS is commercial; the patched HTTPClient is not capable of doing https through proxies. Thanks to J. Scott Evans for the patch.

Download patches

javax.net.ssl (from Sun)

Sun's implementation of this interface delivered with HotJava 1.1.5 is free (at the time of this writing there is no SSL-enabled version of HotJava 3.0); others seem to be commercial; the patched HTTPClient is not capable of doing https through proxies.

Download patches

Other SSL packages

Here are some SSL packages which I know of, but for which I do not any patches:

Using Other SSL Implementations

If you have an SSL implementation which is not listed above and which you'd like to use, then must make the following modifications to HTTPConnection.java:

Note that you'll need an SSL implementation with a constructor which takes an already established socket (this is because the HTTPClient needs to create the raw connection itself, possibly going through SOCKS or http proxies, and only then can the SSL handshake be invoked). As an alternative, a startHandshake() or equivalent method will also do - see the IAIK implementation. If the SSL package provides neither option then the client will not work through proxies.

[HTTPClient]


Ronald Tschalär / 18. June 1999 / ronald@innovation.ch.