users@glassfish.java.net

Re: SSL session caching

From: Shing Wai Chan <shing.wai.chan_at_oracle.com>
Date: Fri, 04 Jun 2010 10:21:49 -0700

The ssl-cache-entries is also supported in GlassFish v2.
It corresponds to
javax.net.ssl.SSLSessionContext.setSessionCacheSize(int size).

The client side SSL session caching is a browser feature.

Shing Wai Chan


On 6/3/10 2:20 PM, Cyril DANGERVILLE wrote:
> Hello,
> is my answer helping you in any way?
> Am I right to consider that ssl session caching (allowing clients to
> resume sessions without handshake) is not supported in Glassfish v2.1?
>
> On Tue, Jun 1, 2010 at 6:05 PM, Cyril DANGERVILLE
> <cyril.dangerville_at_gmail.com> wrote:
>
>> Hi,
>> I am referring to the attribute ssl-cache-entries of element
>> http-service, as described in Sun Glassfish Enterprise Server v3
>> Domain File Format Reference (p. 71).
>>
>> regards
>> --Cyril
>>
>> On Tue, Jun 1, 2010 at 11:21 AM, Oleksiy Stashok
>> <Oleksiy.Stashok_at_sun.com> wrote:
>>
>>> Hi Cyril,
>>>
>>> which setting in Glassfish v3 do you mean?
>>>
>>> Alexey.
>>>
>>> On Jun 1, 2010, at 2:13 , Cyril DANGERVILLE wrote:
>>>
>>>
>>>> Hello,
>>>> Tell me if you need more information.
>>>> Btw, I noticed there were specific settings for ssl caching in
>>>> Glassfish v3 but I can't find these for v2.1. Unfortunately, I have to
>>>> use v2.1.
>>>> Any idea?
>>>>
>>>> Thanks.
>>>> --Cyril
>>>>
>>>> On Sun, May 30, 2010 at 5:18 PM, Cyril DANGERVILLE
>>>> <cyril.dangerville_at_gmail.com> wrote:
>>>>
>>>>> Hello,
>>>>> the https listener config in my domain.xml:
>>>>>
>>>>> <http-listener acceptor-threads="4" address="172.17.5.213"
>>>>> blocking-enabled="false" default-virtual-server="server"
>>>>> enabled="true" family="inet" id="http-listener-2" port="8181"
>>>>> security-enabled="true" server-name="" xpowered-by="true">
>>>>> <ssl cert-nickname="s1as" client-auth-enabled="false"
>>>>> ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true"
>>>>> tls-rollback-enabled="true"/>
>>>>> </http-listener>
>>>>>
>>>>> and the java-config:
>>>>>
>>>>> <java-config classpath-suffix="" debug-enabled="false"
>>>>> debug-options="-Xdebug
>>>>> -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=9009"
>>>>> env-classpath-ignored="true" java-home="${com.sun.aas.javaRoot}"
>>>>> javac-options="-g" rmic-options="-iiop -poa -alwaysgenerate
>>>>> -keepgenerated -g" system-classpath="">
>>>>> <!-- various required jvm-options -->
>>>>> <jvm-options>-XX:MaxPermSize=192m</jvm-options>
>>>>>
>>>>> <jvm-options>-Djava.endorsed.dirs=${com.sun.aas.installRoot}/lib/endorsed</jvm-options>
>>>>>
>>>>> <jvm-options>-Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy</jvm-options>
>>>>>
>>>>> <jvm-options>-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf</jvm-options>
>>>>> <jvm-options>-Dsun.rmi.dgc.server.gcInterval=3600000</jvm-options>
>>>>> <jvm-options>-Dsun.rmi.dgc.client.gcInterval=3600000</jvm-options>
>>>>>
>>>>> <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks</jvm-options>
>>>>>
>>>>> <jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks</jvm-options>
>>>>>
>>>>> <jvm-options>-Djava.ext.dirs=${com.sun.aas.javaRoot}/lib/ext${path.separator}${com.sun.aas.javaRoot}/jre/lib/ext${path.separator}${com.sun.aas.instanceRoot}/lib/ext${path.separator}${com.sun.aas.derbyRoot}/lib</jvm-options>
>>>>>
>>>>> <jvm-options>-Djdbc.drivers=org.apache.derby.jdbc.ClientDriver</jvm-options>
>>>>>
>>>>> <jvm-options>-Djavax.management.builder.initial=com.sun.enterprise.admin.server.core.jmx.AppServerMBeanServerBuilder</jvm-options>
>>>>>
>>>>> <jvm-options>-Dcom.sun.enterprise.config.config_environment_factory_class=com.sun.enterprise.config.serverbeans.AppserverConfigEnvironmentFactory</jvm-options>
>>>>>
>>>>> <jvm-options>-Dcom.sun.enterprise.taglibs=appserv-jstl.jar,jsf-impl.jar</jvm-options>
>>>>>
>>>>> <jvm-options>-Dcom.sun.enterprise.taglisteners=jsf-impl.jar</jvm-options>
>>>>> <jvm-options>-XX:NewRatio=2</jvm-options>
>>>>> <!--
>>>>> Use the following jvm-options element to disable the quick startup:
>>>>> com.sun.enterprise.server.ss.ASQuickStartup=false
>>>>> -->
>>>>>
>>>>> <jvm-options>-Dcom.sun.enterprise.server.ss.ASQuickStartup=false</jvm-options>
>>>>> <jvm-options>-XX:+UseParallelGC</jvm-options>
>>>>> <jvm-options>-XX:+UseParallelOldGC</jvm-options>
>>>>> <jvm-options>-XX:LargePageSizeInBytes=2m</jvm-options>
>>>>>
>>>>> <jvm-options>-XX:ParallelGCThreads=${JVM_PARALLEL_GC_THREADS}</jvm-options>
>>>>> <jvm-options>-Xmn1200m</jvm-options>
>>>>> <jvm-options>-Xms2500m</jvm-options>
>>>>> <jvm-options>-Xmx2500m</jvm-options>
>>>>> <jvm-options>-server</jvm-options>
>>>>> </java-config>
>>>>>
>>>>> Hope it helps.
>>>>>
>>>>> Thanks.
>>>>> Cyril
>>>>>
>>>>> On Sun, May 30, 2010 at 2:10 AM, Martin Gainty <mgainty_at_hotmail.com>
>>>>> wrote:
>>>>>
>>>>>> What does your SSL connection look like in domain.xml? Here is mine for
>>>>>> reference:
>>>>>>
>>>>>> <http-listener acceptor-threads="1" address="0.0.0.0"
>>>>>> blocking-enabled="false" default-virtual-server="server" enabled="true"
>>>>>> family="inet" id="http-listener-2" port="9181" security-enabled="true"
>>>>>> server-name="" xpowered-by="true">
>>>>>> <ssl cert-nickname="s1as" client-auth-enabled="false"
>>>>>> ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true"
>>>>>> tls-rollback-enabled="true"/>
>>>>>> </http-listener>
>>>>>>
>>>>>> you will also need to configure javax.net.ssl.keyStore and
>>>>>> javax.net.ssl.trustStore parameters as seen here
>>>>>> <java-config classpath-suffix="" debug-enabled="false"
>>>>>> debug-options="-Xdebug
>>>>>> -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=9009"
>>>>>> env-classpath-ignored="true" java-home="${com.sun.aas.javaRoot}"
>>>>>> javac-options="-g" rmic-options="-iiop -poa -alwaysgenerate
>>>>>> -keepgenerated
>>>>>> -g" system-classpath="">
>>>>>> <!-- various required jvm-options -->
>>>>>> <jvm-options>-XX:MaxPermSize=192m</jvm-options>
>>>>>> <jvm-options>-client</jvm-options>
>>>>>>
>>>>>>
>>>>>> <jvm-options>-Djava.endorsed.dirs=${com.sun.aas.installRoot}/lib/endorsed</jvm-options>
>>>>>>
>>>>>>
>>>>>> <jvm-options>-Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy</jvm-options>
>>>>>>
>>>>>>
>>>>>> <jvm-options>-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf</jvm-options>
>>>>>>
>>>>>> <jvm-options>-Dsun.rmi.dgc.server.gcInterval=3600000</jvm-options>
>>>>>>
>>>>>> <jvm-options>-Dsun.rmi.dgc.client.gcInterval=3600000</jvm-options>
>>>>>> <jvm-options>-Xmx512m</jvm-options>
>>>>>>
>>>>>>
>>>>>> <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks</jvm-options>
>>>>>>
>>>>>>
>>>>>> <jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks</jvm-options>
>>>>>>
>>>>>>
>>>>>> <jvm-options>-Djava.ext.dirs=${com.sun.aas.javaRoot}/lib/ext${path.separator}${com.sun.aas.javaRoot}/jre/lib/ext${path.separator}${com.sun.aas.instanceRoot}/lib/ext${path.separator}${com.sun.aas.derbyRoot}/lib</jvm-options>
>>>>>>
>>>>>>
>>>>>> <jvm-options>-Djdbc.drivers=org.apache.derby.jdbc.ClientDriver</jvm-options>
>>>>>>
>>>>>>
>>>>>> <jvm-options>-Djavax.management.builder.initial=com.sun.enterprise.admin.server.core.jmx.AppServerMBeanServerBuilder</jvm-options>
>>>>>>
>>>>>>
>>>>>> <jvm-options>-Dcom.sun.enterprise.config.config_environment_factory_class=com.sun.enterprise.config.serverbeans.AppserverConfigEnvironmentFactory</jvm-options>
>>>>>>
>>>>>>
>>>>>> <jvm-options>-Dcom.sun.enterprise.taglibs=appserv-jstl.jar,jsf-impl.jar</jvm-options>
>>>>>>
>>>>>>
>>>>>> <jvm-options>-Dcom.sun.enterprise.taglisteners=jsf-impl.jar</jvm-options>
>>>>>> <jvm-options>-XX:NewRatio=2</jvm-options>
>>>>>> <!--
>>>>>> Use the following jvm-options element to disable the quick
>>>>>> startup:
>>>>>> com.sun.enterprise.server.ss.ASQuickStartup=false
>>>>>> -->
>>>>>>
>>>>>> Martin Gainty
>>>>>>
>>>>>>> Date: Sun, 30 May 2010 01:23:42 +0200
>>>>>>> From: cyril.dangerville_at_gmail.com
>>>>>>> To: users_at_glassfish.dev.java.net
>>>>>>> Subject: SSL session caching
>>>>>>>
>>>>>>> Hello,
>>>>>>> I can't figure out how to make the Glassfish v2.1 server cache SSL
>>>>>>> sessions. SSL client authentication is disabled on the server. I am
>>>>>>> testing with the openssl s_client like this:
>>>>>>>
>>>>>>> $ openssl s_client -connect 172.17.5.213:8181 -reconnect > ssl.log
>>>>>>>
>>>>>>> ssl.log (excerpt):
>>>>>>>
>>>>>>> CONNECTED(00000003)
>>>>>>> ---
>>>>>>> Certificate chain
>>>>>>> 0 s:/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun
>>>>>>> GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
>>>>>>> i:/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun
>>>>>>> GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
>>>>>>> ---
>>>>>>> Server certificate
>>>>>>> -----BEGIN CERTIFICATE-----
>>>>>>> -----END CERTIFICATE-----
>>>>>>> subject=/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun
>>>>>>> GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
>>>>>>> issuer=/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun
>>>>>>> GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
>>>>>>> ---
>>>>>>> No client certificate CA names sent
>>>>>>> ---
>>>>>>> SSL handshake has read 1326 bytes and written 284 bytes
>>>>>>> ---
>>>>>>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>>>>>>> Server public key is 1024 bit
>>>>>>> Compression: NONE
>>>>>>> Expansion: NONE
>>>>>>> SSL-Session:
>>>>>>> Protocol : TLSv1
>>>>>>> Cipher : DHE-RSA-AES256-SHA
>>>>>>> Session-ID:
>>>>>>> 4C019F2A8D1CE2323C13BFD5CC335D61C56A9A5E4C22CAEB414559B12383909B
>>>>>>> Session-ID-ctx:
>>>>>>> Master-Key:
>>>>>>> 3B6FF13C5090F1AEE01D0BBD793BF3699701D33A1FD5FDF649D3BD2DE68A65A8BDC583C506D06FDE0D522F6AF06971B0
>>>>>>> Key-Arg : None
>>>>>>> Krb5 Principal: None
>>>>>>> Start Time: 1275174644
>>>>>>> Timeout : 300 (sec)
>>>>>>> Verify return code: 18 (self signed certificate)
>>>>>>> ---
>>>>>>>
>>>>>>> So it is not reusing the SSL session as it should be.
>>>>>>>
>>>>>>> What am I missing?
>>>>>>>
>>>>>>> Thanks for any help.
>>>>>>>
>>>>>>> --Cyril
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>>>>>>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
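An added check, not part of the thread, for the symptom Cyril describes: it parses the ssl.log written by his `openssl s_client -connect host:port -reconnect > ssl.log` command and reports whether the reconnects were resumed (a `Reused,` line carrying the first Session-ID) or negotiated from scratch every time (`New,` with a fresh Session-ID, as in his excerpt). It assumes the classic s_client text output format and runs on constructed sample logs with made-up session IDs.

```shell
# Added example (not from the thread): check whether a server resumes SSL
# sessions, using the log written by
#   openssl s_client -connect host:port -reconnect > ssl.log
# Assumes classic s_client text output: each handshake prints a "New," or
# "Reused," line, then an SSL-Session block whose "Session-ID:" value is on
# the same line or wrapped onto the next one (as in the e-mailed excerpt).
# Print one line per handshake: "<New|Reused> <session-id or (none)>"
resumption_summary() {
    awk '
        /^(New|Reused),/ { kind = $1; sub(/,$/, "", kind) }
        /^[ \t]*Session-ID:/ {
            id = $0; sub(/^[ \t]*Session-ID:[ \t]*/, "", id)
            if (id == "") {                 # value wrapped onto next line
                getline id; gsub(/[ \t]/, "", id)
                if (id ~ /^Session-ID-ctx/) id = ""   # server sent no ID
            }
            print kind, (id == "" ? "(none)" : id)
        }' "$1"
}
# Exit 0 if every handshake after the first was "Reused" with the first
# session ID; exit 1 otherwise (all "New", as in the thread, means no cache).
server_resumes_sessions() {
    resumption_summary "$1" | awk '
        NR == 1 { first = $2; next }
        $1 != "Reused" || $2 != first { bad = 1 }
        END { exit (NR < 2 || bad) ? 1 : 0 }'
}
# Constructed sample logs (made-up, shortened session IDs): BAD_LOG shows the
# thread's symptom, GOOD_LOG what a server with a working session cache gives.
BAD_LOG=$(mktemp); GOOD_LOG=$(mktemp)
cat > "$BAD_LOG" <<'EOF'
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Session-ID: AABBCCDD00112233
    Session-ID-ctx:
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Session-ID:
    7A44C1E90B3D5F10
    Session-ID-ctx:
EOF
cat > "$GOOD_LOG" <<'EOF'
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Session-ID: AABBCCDD00112233
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Session-ID: AABBCCDD00112233
EOF
server_resumes_sessions "$GOOD_LOG" && echo "GOOD_LOG: sessions resumed"
```

Against a real capture, `server_resumes_sessions ssl.log` returning 1 while `resumption_summary ssl.log` prints only `New` lines is the "not reusing the SSL session" result from the original post; a server-side cache (ssl-cache-entries, i.e. SSLSessionContext.setSessionCacheSize) is what makes the later lines read `Reused`.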