users@glassfish.java.net

Re: SSL session caching

From: Cyril DANGERVILLE <cyril.dangerville_at_gmail.com>
Date: Tue, 1 Jun 2010 02:13:50 +0200

Hello,
Tell me if you need more information.
Btw, I noticed there were specific settings for SSL caching in
Glassfish v3 but I can't find them for v2.1. Unfortunately, I have to
use v2.1.
Any idea?

Thanks.
--Cyril

On Sun, May 30, 2010 at 5:18 PM, Cyril DANGERVILLE
<cyril.dangerville_at_gmail.com> wrote:
> Hello,
> the https listener config in my domain.xml:
>
> <http-listener acceptor-threads="4" address="172.17.5.213"
> blocking-enabled="false" default-virtual-server="server"
> enabled="true" family="inet" id="http-listener-2" port="8181"
> security-enabled="true" server-name="" xpowered-by="true">
>          <ssl cert-nickname="s1as" client-auth-enabled="false"
> ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true"
> tls-rollback-enabled="true"/>
>        </http-listener>
>
> and the java-config:
>
> <java-config classpath-suffix="" debug-enabled="false"
> debug-options="-Xdebug
> -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=9009"
> env-classpath-ignored="true" java-home="${com.sun.aas.javaRoot}"
> javac-options="-g" rmic-options="-iiop -poa -alwaysgenerate
> -keepgenerated -g" system-classpath="">
>        <!-- various required jvm-options -->
>        <jvm-options>-XX:MaxPermSize=192m</jvm-options>
>        <jvm-options>-Djava.endorsed.dirs=${com.sun.aas.installRoot}/lib/endorsed</jvm-options>
>        <jvm-options>-Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy</jvm-options>
>        <jvm-options>-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf</jvm-options>
>        <jvm-options>-Dsun.rmi.dgc.server.gcInterval=3600000</jvm-options>
>        <jvm-options>-Dsun.rmi.dgc.client.gcInterval=3600000</jvm-options>
>        <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks</jvm-options>
>        <jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks</jvm-options>
>        <jvm-options>-Djava.ext.dirs=${com.sun.aas.javaRoot}/lib/ext${path.separator}${com.sun.aas.javaRoot}/jre/lib/ext${path.separator}${com.sun.aas.instanceRoot}/lib/ext${path.separator}${com.sun.aas.derbyRoot}/lib</jvm-options>
>        <jvm-options>-Djdbc.drivers=org.apache.derby.jdbc.ClientDriver</jvm-options>
>        <jvm-options>-Djavax.management.builder.initial=com.sun.enterprise.admin.server.core.jmx.AppServerMBeanServerBuilder</jvm-options>
>        <jvm-options>-Dcom.sun.enterprise.config.config_environment_factory_class=com.sun.enterprise.config.serverbeans.AppserverConfigEnvironmentFactory</jvm-options>
>        <jvm-options>-Dcom.sun.enterprise.taglibs=appserv-jstl.jar,jsf-impl.jar</jvm-options>
>        <jvm-options>-Dcom.sun.enterprise.taglisteners=jsf-impl.jar</jvm-options>
>        <jvm-options>-XX:NewRatio=2</jvm-options>
>        <!--
>        Use the following jvm-options element to disable the quick startup:
>        com.sun.enterprise.server.ss.ASQuickStartup=false
>      -->
>        <jvm-options>-Dcom.sun.enterprise.server.ss.ASQuickStartup=false</jvm-options>
>        <jvm-options>-XX:+UseParallelGC</jvm-options>
>        <jvm-options>-XX:+UseParallelOldGC</jvm-options>
>        <jvm-options>-XX:LargePageSizeInBytes=2m</jvm-options>
>        <jvm-options>-XX:ParallelGCThreads=${JVM_PARALLEL_GC_THREADS}</jvm-options>
>        <jvm-options>-Xmn1200m</jvm-options>
>        <jvm-options>-Xms2500m</jvm-options>
>        <jvm-options>-Xmx2500m</jvm-options>
>        <jvm-options>-server</jvm-options>
>      </java-config>
>
> Hope it helps.
>
> Thanks.
> Cyril
>
> On Sun, May 30, 2010 at 2:10 AM, Martin Gainty <mgainty_at_hotmail.com> wrote:
>> What does your SSL connection look like in domain.xml? Here is mine for
>> reference:
>>
>>         <http-listener acceptor-threads="1" address="0.0.0.0"
>> blocking-enabled="false" default-virtual-server="server" enabled="true"
>> family="inet" id="http-listener-2" port="9181" security-enabled="true"
>> server-name="" xpowered-by="true">
>>           <ssl cert-nickname="s1as" client-auth-enabled="false"
>> ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true"
>> tls-rollback-enabled="true"/>
>>         </http-listener>
>>
>> you will also need to configure javax.net.ssl.keyStore and
>> javax.net.ssl.trustStore parameters as seen here
>>       <java-config classpath-suffix="" debug-enabled="false"
>> debug-options="-Xdebug
>> -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=9009"
>> env-classpath-ignored="true" java-home="${com.sun.aas.javaRoot}"
>> javac-options="-g" rmic-options="-iiop -poa -alwaysgenerate -keepgenerated
>> -g" system-classpath="">
>>         <!-- various required jvm-options -->
>>         <jvm-options>-XX:MaxPermSize=192m</jvm-options>
>>         <jvm-options>-client</jvm-options>
>>
>> <jvm-options>-Djava.endorsed.dirs=${com.sun.aas.installRoot}/lib/endorsed</jvm-options>
>>
>> <jvm-options>-Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy</jvm-options>
>>
>> <jvm-options>-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf</jvm-options>
>>         <jvm-options>-Dsun.rmi.dgc.server.gcInterval=3600000</jvm-options>
>>         <jvm-options>-Dsun.rmi.dgc.client.gcInterval=3600000</jvm-options>
>>         <jvm-options>-Xmx512m</jvm-options>
>>
>> <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks</jvm-options>
>>
>> <jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks</jvm-options>
>>
>> <jvm-options>-Djava.ext.dirs=${com.sun.aas.javaRoot}/lib/ext${path.separator}${com.sun.aas.javaRoot}/jre/lib/ext${path.separator}${com.sun.aas.instanceRoot}/lib/ext${path.separator}${com.sun.aas.derbyRoot}/lib</jvm-options>
>>
>> <jvm-options>-Djdbc.drivers=org.apache.derby.jdbc.ClientDriver</jvm-options>
>>
>> <jvm-options>-Djavax.management.builder.initial=com.sun.enterprise.admin.server.core.jmx.AppServerMBeanServerBuilder</jvm-options>
>>
>> <jvm-options>-Dcom.sun.enterprise.config.config_environment_factory_class=com.sun.enterprise.config.serverbeans.AppserverConfigEnvironmentFactory</jvm-options>
>>
>> <jvm-options>-Dcom.sun.enterprise.taglibs=appserv-jstl.jar,jsf-impl.jar</jvm-options>
>>
>> <jvm-options>-Dcom.sun.enterprise.taglisteners=jsf-impl.jar</jvm-options>
>>         <jvm-options>-XX:NewRatio=2</jvm-options>
>>         <!--
>>         Use the following jvm-options element to disable the quick startup:
>>  com.sun.enterprise.server.ss.ASQuickStartup=false
>>       -->
>>
>> Martin Gainty
>>
>>
>>> Date: Sun, 30 May 2010 01:23:42 +0200
>>> From: cyril.dangerville_at_gmail.com
>>> To: users_at_glassfish.dev.java.net
>>> Subject: SSL session caching
>>>
>>> Hello,
>>> I can't figure out how to make the Glassfish v2.1 server cache SSL
>>> sessions. SSL client authentication is disabled on the server. I am
>>> testing with the openssl s_client like this:
>>>
>>> $ openssl s_client -connect 172.17.5.213:8181 -reconnect > ssl.log
>>>
>>> ssl.log (excerpt):
>>>
>>> CONNECTED(00000003)
>>> ---
>>> Certificate chain
>>> 0 s:/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
>>>   i:/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
>>> ---
>>> Server certificate
>>> -----BEGIN CERTIFICATE-----
>>> MIIC5jCCAk+gAwIBAgIES+iM6DANBgkqhkiG9w0BAQUFADCBpTELMAkGA1UEBhMC
>>> VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMRkw
>>> FwYDVQQKExBTdW4gTWljcm9zeXN0ZW1zMSgwJgYDVQQLEx9TdW4gR2xhc3NGaXNo
>>> IEVudGVycHJpc2UgU2VydmVyMSYwJAYDVQQDEx1zaGVybG9jazIubGF5ZXI3LnRo
>>> ZXJlc2lzLm9yZzAeFw0xMDA1MTAyMjQ3MDRaFw0yMDA1MDcyMjQ3MDRaMIGlMQsw
>>> CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEg
>>> Q2xhcmExGTAXBgNVBAoTEFN1biBNaWNyb3N5c3RlbXMxKDAmBgNVBAsTH1N1biBH
>>> bGFzc0Zpc2ggRW50ZXJwcmlzZSBTZXJ2ZXIxJjAkBgNVBAMTHXNoZXJsb2NrMi5s
>>> YXllcjcudGhlcmVzaXMub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCI
>>> SaVC0IuOgoSFEb+5VMObCfr+s3N9TBHm4tcDgybxoqAutuu8lUQLBP7uIHrAnr5q
>>> loON5NnYqTBIUFqFvoRmiBO6rGJLcmdrYFAyGfpuJ/uy6g5cviF0/azhNS+qlOOn
>>> UjgxZ9W6HC8GecgQAk+oZiWIRdKb1TbQrsuBWjETSQIDAQABoyEwHzAdBgNVHQ4E
>>> FgQU1EWazuIGgynlmMR2rkHHDVgjeqkwDQYJKoZIhvcNAQEFBQADgYEAKjMATvjC
>>> FdVu4BC6ZPRTo3wztZ3zp0t9sd2JdwCxAiEnS+cqUYaMRz+0RlvIz5junKV9q/iS
>>> q9vS2/VMd/Mlt8Uj7jNUa4r9mHahgomEBLAGIKozO4VambCMop0CZIdAerrBY3j8
>>> 3qgjtFv7c/bWiRY3V29LX7tKn4AKXnpuAm8=
>>> -----END CERTIFICATE-----
>>> subject=/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
>>> issuer=/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 1326 bytes and written 284 bytes
>>> ---
>>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>>> Server public key is 1024 bit
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>     Protocol  : TLSv1
>>>     Cipher    : DHE-RSA-AES256-SHA
>>>     Session-ID: 4C019F2A8D1CE2323C13BFD5CC335D61C56A9A5E4C22CAEB414559B12383909B
>>>     Session-ID-ctx:
>>>     Master-Key: 3B6FF13C5090F1AEE01D0BBD793BF3699701D33A1FD5FDF649D3BD2DE68A65A8BDC583C506D06FDE0D522F6AF06971B0
>>>     Key-Arg   : None
>>>     Krb5 Principal: None
>>>     Start Time: 1275174644
>>>     Timeout   : 300 (sec)
>>>     Verify return code: 18 (self signed certificate)
>>> ---
>>>
>>> So it is not reusing the SSL session as it should be.
>>>
>>> What am I missing?
>>>
>>> Thanks for any help.
>>>
>>> --Cyril
>>>
>>
>
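The test the original poster ran, `openssl s_client -reconnect`, is the practical way to tell whether a server resumes TLS sessions: after the first handshake s_client drops the connection and reconnects several times, and each reconnect prints either "New, ..." or "Reused, ..." followed by the SSL-Session block. The evidence that the server's session cache works is a "Reused" line together with the same Session-ID on every reconnect; a fresh Session-ID on each connection, as in the ssl.log above, means a full handshake every time. Below is an added example (not code from this thread or from GlassFish) that parses a captured s_client log and reports whether resumption happened. Both sample logs are constructed: the first mirrors the two "New" handshakes with distinct Session-IDs the poster saw, the second shows what a server that caches sessions prints. Function names and the log layout details (the "drop connection and then reconnect" marker, the wrapped Session-ID in the first sample) are assumptions about s_client output, not anything the thread states.

```python
"""Parse `openssl s_client -reconnect` output and decide whether the server
resumed the TLS session across reconnects.

Added example for this thread; not code from the original post or GlassFish.
Sample logs are constructed (hypothetical) s_client output.
"""
import re
from collections import namedtuple

Handshake = namedtuple("Handshake", "kind session_id cipher")

# Summary line s_client prints after each handshake, e.g.
#   New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
#   Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
_HANDSHAKE_RE = re.compile(r"^(New|Reused),\s*\S+,\s*Cipher is (\S+)\s*$", re.M)

# "Session-ID:" followed by hex, either on the same line or wrapped onto the
# next one (as in the mail above). "Session-ID-ctx:" does not match because
# the literal colon must follow "Session-ID" directly.
_SESSION_ID_RE = re.compile(r"Session-ID:\s*([0-9A-Fa-f]+)")


def parse_s_client_log(text):
    """Return one Handshake per summary line, with the Session-ID that follows it.

    Each SSL-Session block belongs to the summary line just before it, so the
    text between consecutive summary lines is searched for the Session-ID.
    """
    summaries = list(_HANDSHAKE_RE.finditer(text))
    handshakes = []
    for i, m in enumerate(summaries):
        end = summaries[i + 1].start() if i + 1 < len(summaries) else len(text)
        block = text[m.end():end]
        sid = _SESSION_ID_RE.search(block)
        session_id = sid.group(1).upper() if sid else ""  # empty: no ID issued
        handshakes.append(Handshake(m.group(1), session_id, m.group(2)))
    return handshakes


def resumption_report(text):
    """Count New/Reused handshakes and repeated Session-IDs.

    server_resumes is True only when s_client reported "Reused" AND the
    Session-ID actually repeated: the client-side word alone is not proof.
    """
    handshakes = parse_s_client_log(text)
    seen, repeated = set(), 0
    for h in handshakes:
        if h.session_id and h.session_id in seen:
            repeated += 1
        seen.add(h.session_id)
    new = sum(1 for h in handshakes if h.kind == "New")
    reused = sum(1 for h in handshakes if h.kind == "Reused")
    return {
        "handshakes": len(handshakes),
        "new": new,
        "reused": reused,
        "repeated_session_ids": repeated,
        "server_resumes": reused > 0 and repeated > 0,
    }


# Constructed sample 1: every reconnect is a full handshake with a new ID
# (the situation in the poster's ssl.log). The second Session-ID is wrapped
# onto its own line to exercise that layout.
NO_CACHE_LOG = """\
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Session-ID: 4C019F2A8D1CE2323C13BFD5CC335D61C56A9A5E4C22CAEB414559B12383909B
    Session-ID-ctx:
---
drop connection and then reconnect
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Session-ID:
0102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20
    Session-ID-ctx:
---
"""

# Constructed sample 2: a server with a working session cache.
RESUMING_LOG = """\
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Session-ID: AABBCCDDEEFF00112233445566778899AABBCCDDEEFF00112233445566778899
    Session-ID-ctx:
---
drop connection and then reconnect
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Session-ID: AABBCCDDEEFF00112233445566778899AABBCCDDEEFF00112233445566778899
---
drop connection and then reconnect
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Session-ID: AABBCCDDEEFF00112233445566778899AABBCCDDEEFF00112233445566778899
---
"""

if __name__ == "__main__":
    # Against a live server: openssl s_client -connect host:port -reconnect </dev/null > ssl.log
    for name, log in (("no cache", NO_CACHE_LOG), ("resuming", RESUMING_LOG)):
        print(name, resumption_report(log))
```

To run it against a real listener, capture `openssl s_client -connect host:port -reconnect </dev/null > ssl.log` and pass the file contents to `resumption_report`. Requiring the Session-ID to repeat, not just the word "Reused", guards against reading too much into the client's summary line.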