Bug 56458

Summary: session.isSecure() returning false when using SSL/TLS
Product: Tomcat 8
Reporter: burr.clover
Component: WebSocket
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P2    
Version: 8.0.5   
Target Milestone: ----   
Hardware: Macintosh   
OS: All   

Description burr.clover 2014-04-25 12:37:31 UTC
I have a client Websocket endpoint in Tomcat and I'm trying to secure the Websocket communication. I have my keystore, truststore and password configurations done. I'm pretty sure that the underlying connection is secure because:

1) On the machine running Tomcat, I have enabled SSL debugging with System.setProperty("javax.net.debug", "ssl") and I can see the handshake happening.

2) I have set the server Websocket endpoint (in Jetty) to accept upgrade requests only if the connection is secure. And the request is accepted.

But the method session.isSecure() is always returning false.

While looking at the org.apache.tomcat.websocket.WsWebSocketContainer in the method connectToServer(Endpoint endpoint, ClientEndpointConfig clientEndpointConfiguration, URI path) I have seen that at line 362 a new WsSession is created with the boolean value "false" instead of the private variable "secure". I guess therein lies the problem.

Comment 1 Mark Thomas 2014-04-25 15:40:21 UTC
Thanks for the report and the analysis. Your analysis is spot on. I have fixed this in 8.0.x for 8.0.6 onwards and in 7.0.x for 7.0.54 onwards.
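
Added example, not part of the bug report or of Tomcat's code: a client-side helper for code that must keep running on a container where client `session.isSecure()` still returns false for TLS connections, as reported above. The class name `TlsAwareClient` and the property key `example.tlsRequested` are hypothetical, and the helper assumes the container negotiates TLS for `wss://` URIs, which is what the reporter observed in the SSL debug output.

```java
import java.io.IOException;
import java.net.URI;
import java.util.logging.Logger;

import javax.websocket.ClientEndpointConfig;
import javax.websocket.DeploymentException;
import javax.websocket.Endpoint;
import javax.websocket.Session;
import javax.websocket.WebSocketContainer;

/** Hypothetical helper; the names in this class are illustrative, not Tomcat API. */
public final class TlsAwareClient {
    private static final Logger LOG = Logger.getLogger(TlsAwareClient.class.getName());

    /** Hypothetical user-property key recording that the connection was opened with wss. */
    public static final String TLS_REQUESTED = "example.tlsRequested";

    private TlsAwareClient() {}

    /** Connects only to wss:// URIs and records that fact on the session itself. */
    public static Session connect(WebSocketContainer container, Endpoint endpoint,
            ClientEndpointConfig config, URI uri)
            throws DeploymentException, IOException {
        // Fail closed before any bytes are sent over a plaintext connection.
        if (!"wss".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException("Refusing non-TLS WebSocket URI: " + uri);
        }
        Session session = container.connectToServer(endpoint, config, uri);
        session.getUserProperties().put(TLS_REQUESTED, Boolean.TRUE);
        if (!session.isSecure()) {
            // Symptom described in this bug: the container reports a wss session as not secure.
            LOG.warning("Container reports isSecure()=false for a wss session; "
                    + "the WebSocket client implementation may need upgrading");
        }
        return session;
    }

    /** True if the container says the session is secure, or connect() opened it with wss. */
    public static boolean isTlsSession(Session session) {
        return session.isSecure()
                || Boolean.TRUE.equals(session.getUserProperties().get(TLS_REQUESTED));
    }
}
```

Once the container is upgraded to a fixed release (8.0.6 or 7.0.54 onwards per the comment above), the warning stops firing and `isTlsSession` agrees with `session.isSecure()` for sessions opened through `connect`.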