users@glassfish.java.net

RE: SSL session caching

From: Martin Gainty <mgainty_at_hotmail.com>
Date: Sat, 29 May 2010 20:10:48 -0400

What does your SSL connection look like in domain.xml? Here is mine for reference:


        <http-listener acceptor-threads="1" address="0.0.0.0" blocking-enabled="false" default-virtual-server="server" enabled="true" family="inet" id="http-listener-2" port="9181" security-enabled="true" server-name="" xpowered-by="true">
          <ssl cert-nickname="s1as" client-auth-enabled="false" ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/>
        </http-listener>


You will also need to configure the javax.net.ssl.keyStore and javax.net.ssl.trustStore parameters, as seen here:

      <java-config classpath-suffix="" debug-enabled="false" debug-options="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=9009" env-classpath-ignored="true" java-home="${com.sun.aas.javaRoot}" javac-options="-g" rmic-options="-iiop -poa -alwaysgenerate -keepgenerated -g" system-classpath="">
        <!-- various required jvm-options -->
        <jvm-options>-XX:MaxPermSize=192m</jvm-options>
        <jvm-options>-client</jvm-options>
        <jvm-options>-Djava.endorsed.dirs=${com.sun.aas.installRoot}/lib/endorsed</jvm-options>
        <jvm-options>-Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy</jvm-options>
        <jvm-options>-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf</jvm-options>
        <jvm-options>-Dsun.rmi.dgc.server.gcInterval=3600000</jvm-options>
        <jvm-options>-Dsun.rmi.dgc.client.gcInterval=3600000</jvm-options>
        <jvm-options>-Xmx512m</jvm-options>
        <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks</jvm-options>
        <jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks</jvm-options>
        <jvm-options>-Djava.ext.dirs=${com.sun.aas.javaRoot}/lib/ext${path.separator}${com.sun.aas.javaRoot}/jre/lib/ext${path.separator}${com.sun.aas.instanceRoot}/lib/ext${path.separator}${com.sun.aas.derbyRoot}/lib</jvm-options>
        <jvm-options>-Djdbc.drivers=org.apache.derby.jdbc.ClientDriver</jvm-options>
        <jvm-options>-Djavax.management.builder.initial=com.sun.enterprise.admin.server.core.jmx.AppServerMBeanServerBuilder</jvm-options>
        <jvm-options>-Dcom.sun.enterprise.config.config_environment_factory_class=com.sun.enterprise.config.serverbeans.AppserverConfigEnvironmentFactory</jvm-options>
        <jvm-options>-Dcom.sun.enterprise.taglibs=appserv-jstl.jar,jsf-impl.jar</jvm-options>
        <jvm-options>-Dcom.sun.enterprise.taglisteners=jsf-impl.jar</jvm-options>
        <jvm-options>-XX:NewRatio=2</jvm-options>
        <!--
        Use the following jvm-options element to disable the quick startup:
 com.sun.enterprise.server.ss.ASQuickStartup=false
      -->

Martin Gainty

> Date: Sun, 30 May 2010 01:23:42 +0200
> From: cyril.dangerville_at_gmail.com
> To: users_at_glassfish.dev.java.net
> Subject: SSL session caching
>
> Hello,
> I can't figure out how to make the Glassfish v2.1 server cache SSL
> sessions. SSL client authentication is disabled on the server. I am
> testing with the openssl s_client like this:
>
> $ openssl s_client -connect 172.17.5.213:8181 -reconnect > ssl.log
>
> ssl.log (excerpt):
>
> CONNECTED(00000003)
> ---
> Certificate chain
> 0 s:/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
> i:/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIC5jCCAk+gAwIBAgIES+iM6DANBgkqhkiG9w0BAQUFADCBpTELMAkGA1UEBhMC
> VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMRkw
> FwYDVQQKExBTdW4gTWljcm9zeXN0ZW1zMSgwJgYDVQQLEx9TdW4gR2xhc3NGaXNo
> IEVudGVycHJpc2UgU2VydmVyMSYwJAYDVQQDEx1zaGVybG9jazIubGF5ZXI3LnRo
> ZXJlc2lzLm9yZzAeFw0xMDA1MTAyMjQ3MDRaFw0yMDA1MDcyMjQ3MDRaMIGlMQsw
> CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEg
> Q2xhcmExGTAXBgNVBAoTEFN1biBNaWNyb3N5c3RlbXMxKDAmBgNVBAsTH1N1biBH
> bGFzc0Zpc2ggRW50ZXJwcmlzZSBTZXJ2ZXIxJjAkBgNVBAMTHXNoZXJsb2NrMi5s
> YXllcjcudGhlcmVzaXMub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCI
> SaVC0IuOgoSFEb+5VMObCfr+s3N9TBHm4tcDgybxoqAutuu8lUQLBP7uIHrAnr5q
> loON5NnYqTBIUFqFvoRmiBO6rGJLcmdrYFAyGfpuJ/uy6g5cviF0/azhNS+qlOOn
> UjgxZ9W6HC8GecgQAk+oZiWIRdKb1TbQrsuBWjETSQIDAQABoyEwHzAdBgNVHQ4E
> FgQU1EWazuIGgynlmMR2rkHHDVgjeqkwDQYJKoZIhvcNAQEFBQADgYEAKjMATvjC
> FdVu4BC6ZPRTo3wztZ3zp0t9sd2JdwCxAiEnS+cqUYaMRz+0RlvIz5junKV9q/iS
> q9vS2/VMd/Mlt8Uj7jNUa4r9mHahgomEBLAGIKozO4VambCMop0CZIdAerrBY3j8
> 3qgjtFv7c/bWiRY3V29LX7tKn4AKXnpuAm8=
> -----END CERTIFICATE-----
> subject=/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
> issuer=/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1326 bytes and written 284 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : DHE-RSA-AES256-SHA
> Session-ID: 4C019F2A8D1CE2323C13BFD5CC335D61C56A9A5E4C22CAEB414559B12383909B
> Session-ID-ctx:
> Master-Key: 3B6FF13C5090F1AEE01D0BBD793BF3699701D33A1FD5FDF649D3BD2DE68A65A8BDC583C506D06FDE0D522F6AF06971B0
> Key-Arg : None
> Krb5 Principal: None
> Start Time: 1275174644
> Timeout : 300 (sec)
> Verify return code: 18 (self signed certificate)
> ---
>
> So it is not reusing the SSL session as it should be.
>
> What am I missing?
>
> Thanks for any help.
>
> --Cyril
>
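Added example (not code from this thread, from GlassFish, or from either poster): a small shell helper that turns the test Cyril is running into a pass/fail check. It parses the output of `openssl s_client -connect HOST:PORT -reconnect`, which prints "New, ..." after the first handshake and "Reused, ..." after each reconnect the server accepted as a resumption, and it also reports how many distinct Session-ID values appeared. A second function audits an `<ssl .../>` element like the one Martin pasted and flags `ssl2-enabled` or `ssl3-enabled` set to "true" (both protocol versions are obsolete and should be off). The function names and the sample transcripts are this example's own; the transcripts are constructed to mimic s_client's layout, not real server output.

```shell
#!/bin/sh
# Added example, not from the original thread or from GlassFish.
# Checks: (1) did a server really resume TLS sessions across
# `openssl s_client -reconnect`, (2) are SSLv2/SSLv3 left on in domain.xml.

# Count handshakes that created a new session vs. resumed an existing one.
# Reads an s_client transcript from stdin; prints "new=<n> reused=<m>".
count_sessions() {
    awk '
        /^New, /    { new++ }
        /^Reused, / { reused++ }
        END { printf "new=%d reused=%d\n", new + 0, reused + 0 }
    '
}

# Print how many distinct Session-ID values the transcript contains.
# One id across all reconnects means the same session was handed back;
# the pattern deliberately does not match the "Session-ID-ctx:" line.
distinct_session_ids() {
    awk -F': *' '/^ *Session-ID *:/ { ids[$2] = 1 }
                 END { n = 0; for (k in ids) n++; print n }'
}

# Verdict for one transcript on stdin: exit 0 when exactly one handshake was
# "New", at least one was "Reused" and only one session id appeared; else 1.
check_resumption() {
    data=$(cat)
    counts=$(printf '%s\n' "$data" | count_sessions)
    ids=$(printf '%s\n' "$data" | distinct_session_ids)
    new=${counts#new=}; new=${new%% *}
    reused=${counts##*reused=}
    if [ "$new" -eq 1 ] && [ "$reused" -ge 1 ] && [ "$ids" -eq 1 ]; then
        echo "session resumption OK ($counts, distinct ids=$ids)"
        return 0
    fi
    echo "NO session resumption ($counts, distinct ids=$ids)"
    return 1
}

# Warn about SSLv2/SSLv3 left enabled in the <ssl .../> element of the file
# given as $1. Returns 1 if anything was flagged, 0 if the element is clean.
audit_ssl_element() {
    bad=0
    for attr in ssl2-enabled ssl3-enabled; do
        if grep -q "<ssl [^>]*$attr=\"true\"" "$1"; then
            echo "WARNING: $attr=\"true\" in $1; set it to \"false\""
            bad=1
        fi
    done
    return $bad
}

# --- constructed sample data (shaped like s_client output, not real) ------
SAMPLE_RESUMED='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Session-ID: AAAA1111
    Session-ID-ctx:
drop connection and then reconnect
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Session-ID: AAAA1111
    Session-ID-ctx:
drop connection and then reconnect
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Session-ID: AAAA1111
    Session-ID-ctx:'

# Same shape, but every reconnect gets a fresh session (the symptom above).
SAMPLE_NOT_RESUMED='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Session-ID: AAAA1111
drop connection and then reconnect
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Session-ID: BBBB2222
drop connection and then reconnect
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Session-ID: CCCC3333'

# The <ssl/> element as pasted above, and a hardened variant with SSLv3 off.
SAMPLE_SSL_ELEMENT='<ssl cert-nickname="s1as" client-auth-enabled="false" ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/>'
HARDENED_SSL_ELEMENT='<ssl cert-nickname="s1as" client-auth-enabled="false" ssl2-enabled="false" ssl3-enabled="false" tls-enabled="true" tls-rollback-enabled="true"/>'

# Demo on the constructed samples. Against a live server use:
#   openssl s_client -connect host:8181 -reconnect </dev/null 2>/dev/null | check_resumption
printf '%s\n' "$SAMPLE_RESUMED" | check_resumption || true
printf '%s\n' "$SAMPLE_NOT_RESUMED" | check_resumption || true
tmpf=$(mktemp); printf '%s\n' "$SAMPLE_SSL_ELEMENT" > "$tmpf"
audit_ssl_element "$tmpf" || true; rm -f "$tmpf"
```

The resumption check is deliberately strict: a transcript where the reconnects say "Reused" but the Session-ID keeps changing still fails, because that would mean the client is negotiating fresh sessions the server merely labels as reused. Run the live command against the listener's port (8181 in the question, 9181 in Martin's config) and pipe it into check_resumption.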