users@glassfish.java.net

Re: SSL session caching

From: Cyril DANGERVILLE <cyril.dangerville_at_gmail.com>
Date: Sun, 30 May 2010 17:18:50 +0200

Hello,
the https listener config in my domain.xml:

<http-listener acceptor-threads="4" address="172.17.5.213"
    blocking-enabled="false" default-virtual-server="server"
    enabled="true" family="inet" id="http-listener-2" port="8181"
    security-enabled="true" server-name="" xpowered-by="true">
  <ssl cert-nickname="s1as" client-auth-enabled="false"
      ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true"
      tls-rollback-enabled="true"/>
</http-listener>

and the java-config:

<java-config classpath-suffix="" debug-enabled="false"
    debug-options="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=9009"
    env-classpath-ignored="true" java-home="${com.sun.aas.javaRoot}"
    javac-options="-g" rmic-options="-iiop -poa -alwaysgenerate -keepgenerated -g"
    system-classpath="">
  <!-- various required jvm-options -->
  <jvm-options>-XX:MaxPermSize=192m</jvm-options>
  <jvm-options>-Djava.endorsed.dirs=${com.sun.aas.installRoot}/lib/endorsed</jvm-options>
  <jvm-options>-Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy</jvm-options>
  <jvm-options>-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf</jvm-options>
  <jvm-options>-Dsun.rmi.dgc.server.gcInterval=3600000</jvm-options>
  <jvm-options>-Dsun.rmi.dgc.client.gcInterval=3600000</jvm-options>
  <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks</jvm-options>
  <jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks</jvm-options>
  <jvm-options>-Djava.ext.dirs=${com.sun.aas.javaRoot}/lib/ext${path.separator}${com.sun.aas.javaRoot}/jre/lib/ext${path.separator}${com.sun.aas.instanceRoot}/lib/ext${path.separator}${com.sun.aas.derbyRoot}/lib</jvm-options>
  <jvm-options>-Djdbc.drivers=org.apache.derby.jdbc.ClientDriver</jvm-options>
  <jvm-options>-Djavax.management.builder.initial=com.sun.enterprise.admin.server.core.jmx.AppServerMBeanServerBuilder</jvm-options>
  <jvm-options>-Dcom.sun.enterprise.config.config_environment_factory_class=com.sun.enterprise.config.serverbeans.AppserverConfigEnvironmentFactory</jvm-options>
  <jvm-options>-Dcom.sun.enterprise.taglibs=appserv-jstl.jar,jsf-impl.jar</jvm-options>
  <jvm-options>-Dcom.sun.enterprise.taglisteners=jsf-impl.jar</jvm-options>
  <jvm-options>-XX:NewRatio=2</jvm-options>
  <!--
    Use the following jvm-options element to disable the quick startup:
    com.sun.enterprise.server.ss.ASQuickStartup=false
  -->
  <jvm-options>-Dcom.sun.enterprise.server.ss.ASQuickStartup=false</jvm-options>
  <jvm-options>-XX:+UseParallelGC</jvm-options>
  <jvm-options>-XX:+UseParallelOldGC</jvm-options>
  <jvm-options>-XX:LargePageSizeInBytes=2m</jvm-options>
  <jvm-options>-XX:ParallelGCThreads=${JVM_PARALLEL_GC_THREADS}</jvm-options>
  <jvm-options>-Xmn1200m</jvm-options>
  <jvm-options>-Xms2500m</jvm-options>
  <jvm-options>-Xmx2500m</jvm-options>
  <jvm-options>-server</jvm-options>
</java-config>

Hope it helps.

Thanks.
Cyril

On Sun, May 30, 2010 at 2:10 AM, Martin Gainty <mgainty_at_hotmail.com> wrote:
> What does your SSL connection look like in domain.xml?..here is mine for
> reference
>
> <http-listener acceptor-threads="1" address="0.0.0.0"
>     blocking-enabled="false" default-virtual-server="server" enabled="true"
>     family="inet" id="http-listener-2" port="9181" security-enabled="true"
>     server-name="" xpowered-by="true">
>   <ssl cert-nickname="s1as" client-auth-enabled="false"
>       ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true"
>       tls-rollback-enabled="true"/>
> </http-listener>
>
> you will also need to configure javax.net.ssl.keyStore and
> javax.net.ssl.trustStore parameters as seen here
> <java-config classpath-suffix="" debug-enabled="false"
>     debug-options="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=9009"
>     env-classpath-ignored="true" java-home="${com.sun.aas.javaRoot}"
>     javac-options="-g" rmic-options="-iiop -poa -alwaysgenerate -keepgenerated -g"
>     system-classpath="">
>   <!-- various required jvm-options -->
>   <jvm-options>-XX:MaxPermSize=192m</jvm-options>
>   <jvm-options>-client</jvm-options>
>   <jvm-options>-Djava.endorsed.dirs=${com.sun.aas.installRoot}/lib/endorsed</jvm-options>
>   <jvm-options>-Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy</jvm-options>
>   <jvm-options>-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf</jvm-options>
>   <jvm-options>-Dsun.rmi.dgc.server.gcInterval=3600000</jvm-options>
>   <jvm-options>-Dsun.rmi.dgc.client.gcInterval=3600000</jvm-options>
>   <jvm-options>-Xmx512m</jvm-options>
>   <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks</jvm-options>
>   <jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks</jvm-options>
>   <jvm-options>-Djava.ext.dirs=${com.sun.aas.javaRoot}/lib/ext${path.separator}${com.sun.aas.javaRoot}/jre/lib/ext${path.separator}${com.sun.aas.instanceRoot}/lib/ext${path.separator}${com.sun.aas.derbyRoot}/lib</jvm-options>
>   <jvm-options>-Djdbc.drivers=org.apache.derby.jdbc.ClientDriver</jvm-options>
>   <jvm-options>-Djavax.management.builder.initial=com.sun.enterprise.admin.server.core.jmx.AppServerMBeanServerBuilder</jvm-options>
>   <jvm-options>-Dcom.sun.enterprise.config.config_environment_factory_class=com.sun.enterprise.config.serverbeans.AppserverConfigEnvironmentFactory</jvm-options>
>   <jvm-options>-Dcom.sun.enterprise.taglibs=appserv-jstl.jar,jsf-impl.jar</jvm-options>
>   <jvm-options>-Dcom.sun.enterprise.taglisteners=jsf-impl.jar</jvm-options>
>   <jvm-options>-XX:NewRatio=2</jvm-options>
>   <!--
>     Use the following jvm-options element to disable the quick startup:
>     com.sun.enterprise.server.ss.ASQuickStartup=false
>   -->
>
> Martin Gainty
> ______________________________________________
> Disclaimer and confidentiality note
>
> This message is confidential. If you are not the intended recipient, we
> kindly ask you to notify us. Any unauthorised forwarding or copying is not
> permitted. This message serves only to exchange information and has no
> legally binding effect. Since e-mails can easily be manipulated, we cannot
> accept any liability for their content.
>
>
>
>
>> Date: Sun, 30 May 2010 01:23:42 +0200
>> From: cyril.dangerville_at_gmail.com
>> To: users_at_glassfish.dev.java.net
>> Subject: SSL session caching
>>
>> Hello,
>> I can't figure out how to make the Glassfish v2.1 server cache SSL
>> sessions. SSL client authentication is disabled on the server. I am
>> testing with the openssl s_client like this:
>>
>> $ openssl s_client -connect 172.17.5.213:8181 -reconnect > ssl.log
>>
>> ssl.log (excerpt):
>>
>> CONNECTED(00000003)
>> ---
>> Certificate chain
>> 0 s:/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
>>   i:/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> MIIC5jCCAk+gAwIBAgIES+iM6DANBgkqhkiG9w0BAQUFADCBpTELMAkGA1UEBhMC
>> VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMRkw
>> FwYDVQQKExBTdW4gTWljcm9zeXN0ZW1zMSgwJgYDVQQLEx9TdW4gR2xhc3NGaXNo
>> IEVudGVycHJpc2UgU2VydmVyMSYwJAYDVQQDEx1zaGVybG9jazIubGF5ZXI3LnRo
>> ZXJlc2lzLm9yZzAeFw0xMDA1MTAyMjQ3MDRaFw0yMDA1MDcyMjQ3MDRaMIGlMQsw
>> CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEg
>> Q2xhcmExGTAXBgNVBAoTEFN1biBNaWNyb3N5c3RlbXMxKDAmBgNVBAsTH1N1biBH
>> bGFzc0Zpc2ggRW50ZXJwcmlzZSBTZXJ2ZXIxJjAkBgNVBAMTHXNoZXJsb2NrMi5s
>> YXllcjcudGhlcmVzaXMub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCI
>> SaVC0IuOgoSFEb+5VMObCfr+s3N9TBHm4tcDgybxoqAutuu8lUQLBP7uIHrAnr5q
>> loON5NnYqTBIUFqFvoRmiBO6rGJLcmdrYFAyGfpuJ/uy6g5cviF0/azhNS+qlOOn
>> UjgxZ9W6HC8GecgQAk+oZiWIRdKb1TbQrsuBWjETSQIDAQABoyEwHzAdBgNVHQ4E
>> FgQU1EWazuIGgynlmMR2rkHHDVgjeqkwDQYJKoZIhvcNAQEFBQADgYEAKjMATvjC
>> FdVu4BC6ZPRTo3wztZ3zp0t9sd2JdwCxAiEnS+cqUYaMRz+0RlvIz5junKV9q/iS
>> q9vS2/VMd/Mlt8Uj7jNUa4r9mHahgomEBLAGIKozO4VambCMop0CZIdAerrBY3j8
>> 3qgjtFv7c/bWiRY3V29LX7tKn4AKXnpuAm8=
>> -----END CERTIFICATE-----
>> subject=/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
>> issuer=/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 1326 bytes and written 284 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>> Server public key is 1024 bit
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : DHE-RSA-AES256-SHA
>>     Session-ID: 4C019F2A8D1CE2323C13BFD5CC335D61C56A9A5E4C22CAEB414559B12383909B
>>     Session-ID-ctx:
>>     Master-Key: 3B6FF13C5090F1AEE01D0BBD793BF3699701D33A1FD5FDF649D3BD2DE68A65A8BDC583C506D06FDE0D522F6AF06971B0
>>     Key-Arg   : None
>>     Krb5 Principal: None
>>     Start Time: 1275174644
>>     Timeout   : 300 (sec)
>>     Verify return code: 18 (self signed certificate)
>> ---
>>
>> So it is not reusing the SSL session as it should be.
>>
>> What am I missing?
>>
>> Thanks for any help.
>>
>> --Cyril
>>
>>
>
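The thread judges resumption from a single "New," line in a hand-read excerpt. A small script makes the check repeatable. The following Python is an added example, not code from the thread, from GlassFish or from OpenSSL: it runs `openssl s_client -connect host:port -reconnect` (or takes a saved transcript), splits the output into one handshake summary per connection, and reports whether the five reconnects came back as "Reused" with the same Session-ID as the first handshake, which is what a session-caching server produces. The two transcripts embedded in it are constructed for offline use (one caching server, one behaving like the GlassFish instance in the post); the function names, the `_summary` helper and the host/port arguments are the example's own.

```python
"""Check TLS session resumption from the output of `openssl s_client -reconnect`.

Added example for this thread (not code from the thread, GlassFish or OpenSSL).
`-reconnect` makes s_client do one full handshake and then drop and reopen the
connection five times, offering the first session's ID each time.  Each
connection prints a summary line "New, <proto>, Cipher is <suite>" or
"Reused, <proto>, Cipher is <suite>" followed by an "SSL-Session:" block.
A caching server therefore shows 1 x New and 5 x Reused with one Session-ID;
a server that does not cache shows 6 x New with distinct Session-IDs.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List

# One summary line per connection, as printed by openssl s_client.
HANDSHAKE_RE = re.compile(r"^(New|Reused), (\S+), Cipher is (\S+)\s*$", re.MULTILINE)
# Session-ID value; \s* also bridges the line wrap a mail client may insert.
SESSION_ID_RE = re.compile(r"Session-ID:\s*([0-9A-Fa-f]*)")


@dataclass
class Handshake:
    kind: str        # "New" (full handshake) or "Reused" (resumed session)
    protocol: str    # "TLSv1/SSLv3" on old OpenSSL, "TLSv1.2" etc. on newer
    cipher: str
    session_id: str  # upper-case hex, empty if the server sent no session ID


def parse_s_client(output: str) -> List[Handshake]:
    """Split s_client output into one Handshake per connection, in order."""
    marks = list(HANDSHAKE_RE.finditer(output))
    handshakes = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(output)
        block = output[m.end():end]          # the SSL-Session block that follows
        sid = SESSION_ID_RE.search(block)
        handshakes.append(Handshake(m.group(1), m.group(2), m.group(3),
                                    sid.group(1).upper() if sid else ""))
    return handshakes


def resumption_verdict(handshakes: List[Handshake]) -> dict:
    """Decide whether the reconnects resumed the first connection's session."""
    if not handshakes:
        return {"total": 0, "reused": 0, "new": 0, "same_session_id": False,
                "resumes": False, "reason": "no handshake summary found"}
    first, rest = handshakes[0], handshakes[1:]
    reused = [h for h in rest if h.kind == "Reused"]
    fresh = [h for h in rest if h.kind == "New"]
    same_id = bool(first.session_id) and all(h.session_id == first.session_id for h in reused)
    if not first.session_id:
        reason = "server sent an empty Session-ID: it is not caching sessions"
    elif fresh:
        reason = f"{len(fresh)} of {len(rest)} reconnects did a full handshake"
    elif not same_id:
        reason = "reused handshakes report a different Session-ID"
    else:
        reason = "all reconnects resumed the first session"
    return {"total": len(handshakes), "reused": len(reused), "new": len(fresh),
            "same_session_id": same_id,
            "resumes": bool(reused) and not fresh and same_id, "reason": reason}


def run_s_client(host: str, port: int, timeout: float = 30.0) -> str:
    """Run `openssl s_client -reconnect` against host:port and return its stdout.

    stdin is closed immediately so s_client exits after the reconnect cycle.
    """
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-reconnect"],
        input=b"", capture_output=True, timeout=timeout)
    return proc.stdout.decode("utf-8", errors="replace")


def _summary(kind: str, session_id: str) -> str:
    """Constructed s_client-style summary block for the offline samples."""
    return (f"{kind}, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA\n"
            "Server public key is 1024 bit\n"
            "SSL-Session:\n"
            "    Protocol  : TLSv1\n"
            "    Cipher    : DHE-RSA-AES256-SHA\n"
            f"    Session-ID: {session_id}\n"
            "    Session-ID-ctx: \n"
            "    Timeout   : 300 (sec)\n"
            "---\n")


# Constructed transcripts (not real captures): a caching server, and one that
# behaves like the GlassFish instance in the thread (a new session every time).
SAMPLE_CACHED = ("CONNECTED(00000003)\n" + _summary("New", "AA" * 32)
                 + "".join("drop connection and then reconnect\n"
                           + _summary("Reused", "AA" * 32) for _ in range(5)))
SAMPLE_NOT_CACHED = "CONNECTED(00000003)\n" + "".join(
    ("" if i == 0 else "drop connection and then reconnect\n")
    + _summary("New", f"{i:02X}" * 32) for i in range(6))

if __name__ == "__main__":
    import sys
    # Usage: python check_resumption.py <host> <port>; no arguments runs the sample.
    text = run_s_client(sys.argv[1], int(sys.argv[2])) if len(sys.argv) == 3 else SAMPLE_NOT_CACHED
    print(resumption_verdict(parse_s_client(text)))
```

Run it against the listener from the thread as `python check_resumption.py 172.17.5.213 8181`; a verdict with `"resumes": False` and five "New" reconnects is the symptom described in the original post, while an empty first Session-ID means the server never handed out a session to resume in the first place. The parser keys on the "New,"/"Reused," summary lines rather than on the Session-ID alone because with session tickets a resumed connection may legitimately print a fresh ID.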