users@glassfish.java.net

Re: SSL session caching

From: Cyril DANGERVILLE <cyril.dangerville_at_gmail.com>
Date: Thu, 3 Jun 2010 23:20:39 +0200

Hello,
is my answer helping you in any way?
Am I right to consider that ssl session caching (allowing clients to
resume sessions without handshake) is not supported in Glassfish v2.1?

On Tue, Jun 1, 2010 at 6:05 PM, Cyril DANGERVILLE
<cyril.dangerville_at_gmail.com> wrote:
> Hi,
> I am referring to the attribute ssl-cache-entries of element
> http-service, as described in Sun Glassfish Enterprise Server v3
> Domain File Format Reference (p. 71).
>
> regards
> --Cyril
>
> On Tue, Jun 1, 2010 at 11:21 AM, Oleksiy Stashok
> <Oleksiy.Stashok_at_sun.com> wrote:
>> Hi Cyril,
>>
>> which setting in Glassfish v3 do you mean?
>>
>> Alexey.
>>
>> On Jun 1, 2010, at 2:13 , Cyril DANGERVILLE wrote:
>>
>>> Hello,
>>> Tell me if you need more information.
>>> Btw, I noticed there were specific settings for ssl caching in
>>> Glassfish v3 but I can't find these for v2.1. Unfortunately, I have to
>>> use v2.1.
>>> Any idea?
>>>
>>> Thanks.
>>> --Cyril
>>>
>>> On Sun, May 30, 2010 at 5:18 PM, Cyril DANGERVILLE
>>> <cyril.dangerville_at_gmail.com> wrote:
>>>>
>>>> Hello,
>>>> the https listener config in my domain.xml:
>>>>
>>>> <http-listener acceptor-threads="4" address="172.17.5.213"
>>>> blocking-enabled="false" default-virtual-server="server"
>>>> enabled="true" family="inet" id="http-listener-2" port="8181"
>>>> security-enabled="true" server-name="" xpowered-by="true">
>>>>         <ssl cert-nickname="s1as" client-auth-enabled="false"
>>>> ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true"
>>>> tls-rollback-enabled="true"/>
>>>>       </http-listener>
>>>>
>>>> and the java-config:
>>>>
>>>> <java-config classpath-suffix="" debug-enabled="false"
>>>> debug-options="-Xdebug
>>>> -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=9009"
>>>> env-classpath-ignored="true" java-home="${com.sun.aas.javaRoot}"
>>>> javac-options="-g" rmic-options="-iiop -poa -alwaysgenerate
>>>> -keepgenerated -g" system-classpath="">
>>>>       <!-- various required jvm-options -->
>>>>       <jvm-options>-XX:MaxPermSize=192m</jvm-options>
>>>>
>>>> <jvm-options>-Djava.endorsed.dirs=${com.sun.aas.installRoot}/lib/endorsed</jvm-options>
>>>>
>>>> <jvm-options>-Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy</jvm-options>
>>>>
>>>> <jvm-options>-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf</jvm-options>
>>>>       <jvm-options>-Dsun.rmi.dgc.server.gcInterval=3600000</jvm-options>
>>>>       <jvm-options>-Dsun.rmi.dgc.client.gcInterval=3600000</jvm-options>
>>>>
>>>> <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks</jvm-options>
>>>>
>>>> <jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks</jvm-options>
>>>>
>>>> <jvm-options>-Djava.ext.dirs=${com.sun.aas.javaRoot}/lib/ext${path.separator}${com.sun.aas.javaRoot}/jre/lib/ext${path.separator}${com.sun.aas.instanceRoot}/lib/ext${path.separator}${com.sun.aas.derbyRoot}/lib</jvm-options>
>>>>
>>>> <jvm-options>-Djdbc.drivers=org.apache.derby.jdbc.ClientDriver</jvm-options>
>>>>
>>>> <jvm-options>-Djavax.management.builder.initial=com.sun.enterprise.admin.server.core.jmx.AppServerMBeanServerBuilder</jvm-options>
>>>>
>>>> <jvm-options>-Dcom.sun.enterprise.config.config_environment_factory_class=com.sun.enterprise.config.serverbeans.AppserverConfigEnvironmentFactory</jvm-options>
>>>>
>>>> <jvm-options>-Dcom.sun.enterprise.taglibs=appserv-jstl.jar,jsf-impl.jar</jvm-options>
>>>>
>>>> <jvm-options>-Dcom.sun.enterprise.taglisteners=jsf-impl.jar</jvm-options>
>>>>       <jvm-options>-XX:NewRatio=2</jvm-options>
>>>>       <!--
>>>>       Use the following jvm-options element to disable the quick startup:
>>>>       com.sun.enterprise.server.ss.ASQuickStartup=false
>>>>     -->
>>>>
>>>> <jvm-options>-Dcom.sun.enterprise.server.ss.ASQuickStartup=false</jvm-options>
>>>>       <jvm-options>-XX:+UseParallelGC</jvm-options>
>>>>       <jvm-options>-XX:+UseParallelOldGC</jvm-options>
>>>>       <jvm-options>-XX:LargePageSizeInBytes=2m</jvm-options>
>>>>
>>>> <jvm-options>-XX:ParallelGCThreads=${JVM_PARALLEL_GC_THREADS}</jvm-options>
>>>>       <jvm-options>-Xmn1200m</jvm-options>
>>>>       <jvm-options>-Xms2500m</jvm-options>
>>>>       <jvm-options>-Xmx2500m</jvm-options>
>>>>       <jvm-options>-server</jvm-options>
>>>>     </java-config>
>>>>
>>>> Hope it helps.
>>>>
>>>> Thanks.
>>>> Cyril
>>>>
>>>> On Sun, May 30, 2010 at 2:10 AM, Martin Gainty <mgainty_at_hotmail.com>
>>>> wrote:
>>>>>
>>>>> What does your SSL connection look like in domain.xml? Here is mine for
>>>>> reference:
>>>>>
>>>>>        <http-listener acceptor-threads="1" address="0.0.0.0"
>>>>> blocking-enabled="false" default-virtual-server="server" enabled="true"
>>>>> family="inet" id="http-listener-2" port="9181" security-enabled="true"
>>>>> server-name="" xpowered-by="true">
>>>>>          <ssl cert-nickname="s1as" client-auth-enabled="false"
>>>>> ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true"
>>>>> tls-rollback-enabled="true"/>
>>>>>        </http-listener>
>>>>>
>>>>> you will also need to configure javax.net.ssl.keyStore and
>>>>> javax.net.ssl.trustStore parameters as seen here
>>>>>      <java-config classpath-suffix="" debug-enabled="false"
>>>>> debug-options="-Xdebug
>>>>> -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=9009"
>>>>> env-classpath-ignored="true" java-home="${com.sun.aas.javaRoot}"
>>>>> javac-options="-g" rmic-options="-iiop -poa -alwaysgenerate
>>>>> -keepgenerated
>>>>> -g" system-classpath="">
>>>>>        <!-- various required jvm-options -->
>>>>>        <jvm-options>-XX:MaxPermSize=192m</jvm-options>
>>>>>        <jvm-options>-client</jvm-options>
>>>>>
>>>>>
>>>>> <jvm-options>-Djava.endorsed.dirs=${com.sun.aas.installRoot}/lib/endorsed</jvm-options>
>>>>>
>>>>>
>>>>> <jvm-options>-Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy</jvm-options>
>>>>>
>>>>>
>>>>> <jvm-options>-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf</jvm-options>
>>>>>
>>>>>  <jvm-options>-Dsun.rmi.dgc.server.gcInterval=3600000</jvm-options>
>>>>>
>>>>>  <jvm-options>-Dsun.rmi.dgc.client.gcInterval=3600000</jvm-options>
>>>>>        <jvm-options>-Xmx512m</jvm-options>
>>>>>
>>>>>
>>>>> <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks</jvm-options>
>>>>>
>>>>>
>>>>> <jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks</jvm-options>
>>>>>
>>>>>
>>>>> <jvm-options>-Djava.ext.dirs=${com.sun.aas.javaRoot}/lib/ext${path.separator}${com.sun.aas.javaRoot}/jre/lib/ext${path.separator}${com.sun.aas.instanceRoot}/lib/ext${path.separator}${com.sun.aas.derbyRoot}/lib</jvm-options>
>>>>>
>>>>>
>>>>> <jvm-options>-Djdbc.drivers=org.apache.derby.jdbc.ClientDriver</jvm-options>
>>>>>
>>>>>
>>>>> <jvm-options>-Djavax.management.builder.initial=com.sun.enterprise.admin.server.core.jmx.AppServerMBeanServerBuilder</jvm-options>
>>>>>
>>>>>
>>>>> <jvm-options>-Dcom.sun.enterprise.config.config_environment_factory_class=com.sun.enterprise.config.serverbeans.AppserverConfigEnvironmentFactory</jvm-options>
>>>>>
>>>>>
>>>>> <jvm-options>-Dcom.sun.enterprise.taglibs=appserv-jstl.jar,jsf-impl.jar</jvm-options>
>>>>>
>>>>>
>>>>> <jvm-options>-Dcom.sun.enterprise.taglisteners=jsf-impl.jar</jvm-options>
>>>>>        <jvm-options>-XX:NewRatio=2</jvm-options>
>>>>>        <!--
>>>>>        Use the following jvm-options element to disable the quick
>>>>> startup:
>>>>>  com.sun.enterprise.server.ss.ASQuickStartup=false
>>>>>      -->
>>>>>
>>>>> Martin Gainty
>>>>> ______________________________________________
>>>>> Disclaimer and confidentiality note
>>>>>
>>>>> This message is confidential and may be privileged. If you are not the
>>>>> intended recipient, we kindly ask you to notify the sender. Any
>>>>> unauthorised forwarding or copying is not permitted. This message serves
>>>>> only the exchange of information and has no legally binding effect.
>>>>> Because e-mails can easily be manipulated, we cannot accept liability
>>>>> for their content.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> Date: Sun, 30 May 2010 01:23:42 +0200
>>>>>> From: cyril.dangerville_at_gmail.com
>>>>>> To: users_at_glassfish.dev.java.net
>>>>>> Subject: SSL session caching
>>>>>>
>>>>>> Hello,
>>>>>> I can't figure out how to make the Glassfish v2.1 server cache SSL
>>>>>> sessions. SSL client authentication is disabled on the server. I am
>>>>>> testing with the openssl s_client like this:
>>>>>>
>>>>>> $ openssl s_client -connect 172.17.5.213:8181 -reconnect > ssl.log
>>>>>>
>>>>>> ssl.log (excerpt):
>>>>>>
>>>>>> CONNECTED(00000003)
>>>>>> ---
>>>>>> Certificate chain
>>>>>> 0 s:/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun
>>>>>> GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
>>>>>> i:/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun
>>>>>> GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
>>>>>> ---
>>>>>> Server certificate
>>>>>> -----BEGIN CERTIFICATE-----
>>>>>> MIIC5jCCAk+gAwIBAgIES+iM6DANBgkqhkiG9w0BAQUFADCBpTELMAkGA1UEBhMC
>>>>>> VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMRkw
>>>>>> FwYDVQQKExBTdW4gTWljcm9zeXN0ZW1zMSgwJgYDVQQLEx9TdW4gR2xhc3NGaXNo
>>>>>> IEVudGVycHJpc2UgU2VydmVyMSYwJAYDVQQDEx1zaGVybG9jazIubGF5ZXI3LnRo
>>>>>> ZXJlc2lzLm9yZzAeFw0xMDA1MTAyMjQ3MDRaFw0yMDA1MDcyMjQ3MDRaMIGlMQsw
>>>>>> CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEg
>>>>>> Q2xhcmExGTAXBgNVBAoTEFN1biBNaWNyb3N5c3RlbXMxKDAmBgNVBAsTH1N1biBH
>>>>>> bGFzc0Zpc2ggRW50ZXJwcmlzZSBTZXJ2ZXIxJjAkBgNVBAMTHXNoZXJsb2NrMi5s
>>>>>> YXllcjcudGhlcmVzaXMub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCI
>>>>>> SaVC0IuOgoSFEb+5VMObCfr+s3N9TBHm4tcDgybxoqAutuu8lUQLBP7uIHrAnr5q
>>>>>> loON5NnYqTBIUFqFvoRmiBO6rGJLcmdrYFAyGfpuJ/uy6g5cviF0/azhNS+qlOOn
>>>>>> UjgxZ9W6HC8GecgQAk+oZiWIRdKb1TbQrsuBWjETSQIDAQABoyEwHzAdBgNVHQ4E
>>>>>> FgQU1EWazuIGgynlmMR2rkHHDVgjeqkwDQYJKoZIhvcNAQEFBQADgYEAKjMATvjC
>>>>>> FdVu4BC6ZPRTo3wztZ3zp0t9sd2JdwCxAiEnS+cqUYaMRz+0RlvIz5junKV9q/iS
>>>>>> q9vS2/VMd/Mlt8Uj7jNUa4r9mHahgomEBLAGIKozO4VambCMop0CZIdAerrBY3j8
>>>>>> 3qgjtFv7c/bWiRY3V29LX7tKn4AKXnpuAm8=
>>>>>> -----END CERTIFICATE-----
>>>>>> subject=/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun
>>>>>> GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
>>>>>> issuer=/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun
>>>>>> GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
>>>>>> ---
>>>>>> No client certificate CA names sent
>>>>>> ---
>>>>>> SSL handshake has read 1326 bytes and written 284 bytes
>>>>>> ---
>>>>>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>>>>>> Server public key is 1024 bit
>>>>>> Compression: NONE
>>>>>> Expansion: NONE
>>>>>> SSL-Session:
>>>>>> Protocol : TLSv1
>>>>>> Cipher : DHE-RSA-AES256-SHA
>>>>>> Session-ID:
>>>>>> 4C019F2A8D1CE2323C13BFD5CC335D61C56A9A5E4C22CAEB414559B12383909B
>>>>>> Session-ID-ctx:
>>>>>> Master-Key:
>>>>>>
>>>>>>
>>>>>> 3B6FF13C5090F1AEE01D0BBD793BF3699701D33A1FD5FDF649D3BD2DE68A65A8BDC583C506D06FDE0D522F6AF06971B0
>>>>>> Key-Arg : None
>>>>>> Krb5 Principal: None
>>>>>> Start Time: 1275174644
>>>>>> Timeout : 300 (sec)
>>>>>> Verify return code: 18 (self signed certificate)
>>>>>> ---
>>>>>>
>>>>>> So it is not reusing the SSL session as it should be.
>>>>>>
>>>>>> What am I missing?
>>>>>>
>>>>>> Thanks for any help.
>>>>>>
>>>>>> --Cyril
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>>>>>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>>>>>
>>>>>
>>>>
>>>
>>
>>
>>
>
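The `openssl s_client -reconnect` test in the original question above is the right check for server-side session caching, but its output has to be read for `Reused,` handshake lines and for a Session-ID that repeats across reconnects; the excerpt in the thread shows only a `New,` handshake. The POSIX shell helpers below are an added example, not code from the thread or from GlassFish: they parse s_client output and give a verdict. Both samples are constructed from the thread's excerpt (the `Reused` block and the second Session-ID are made up for illustration), and the host and port in the live-use comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: decide from `openssl s_client -reconnect`
# output whether the server actually resumed the TLS session. s_client reports a
# resumed handshake with a line starting "Reused," and repeats the Session-ID;
# a full handshake starts "New," (the only kind seen in the thread's excerpt).
#
# Live use (host:port from the thread):
#   openssl s_client -connect 172.17.5.213:8181 -reconnect </dev/null 2>/dev/null \
#     | resumption_verdict

# Constructed sample 1: a New handshake as in the thread, then a reconnect that
# the server resumed (the Reused block is constructed for illustration).
SAMPLE_RESUMED='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 4C019F2A8D1CE2323C13BFD5CC335D61C56A9A5E4C22CAEB414559B12383909B
    Session-ID-ctx:
    Start Time: 1275174644
    Timeout   : 300 (sec)
---
drop connection and then reconnect
CONNECTED(00000003)
---
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 4C019F2A8D1CE2323C13BFD5CC335D61C56A9A5E4C22CAEB414559B12383909B
    Session-ID-ctx:
    Start Time: 1275174645
    Timeout   : 300 (sec)
---'

# Constructed sample 2: the failure mode described in the thread. Every
# reconnect is a full handshake with a fresh Session-ID (second ID is made up).
SAMPLE_NOT_RESUMED='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Session-ID: 4C019F2A8D1CE2323C13BFD5CC335D61C56A9A5E4C22CAEB414559B12383909B
    Timeout   : 300 (sec)
---
drop connection and then reconnect
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Session-ID: 0000000000000000000000000000000000000000000000000000000000000001
    Timeout   : 300 (sec)
---'

# Each helper reads s_client output on stdin. `grep -c` exits 1 when the count
# is zero, so `|| true` keeps the printed count usable under `set -e`.
count_full()    { grep -c '^New,' || true; }      # full handshakes
count_resumed() { grep -c '^Reused,' || true; }   # resumed handshakes

# Number of distinct session IDs seen; a caching server hands the same one back.
distinct_session_ids() {
  sed -n 's/^ *Session-ID: *\([0-9A-Fa-f]\{1,\}\) *$/\1/p' | sort -u | wc -l | tr -d ' '
}

# Prints "resumed" when at least one reconnect was resumed, else "not resumed".
resumption_verdict() {
  out=$(cat)
  if [ "$(printf '%s\n' "$out" | count_resumed)" -gt 0 ]; then
    echo resumed
  else
    echo "not resumed"
  fi
}

printf '%s\n' "$SAMPLE_RESUMED"     | resumption_verdict   # resumed
printf '%s\n' "$SAMPLE_NOT_RESUMED" | resumption_verdict   # not resumed
```

Run against a live listener, `resumption_verdict` answers the thread's question directly: if every one of the reconnects s_client makes comes back `New,` with a different Session-ID, the server is not caching sessions, whatever the listener configuration claims.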