users@glassfish.java.net

Re: SSL session caching

From: Cyril DANGERVILLE <cyril.dangerville_at_gmail.com>
Date: Tue, 1 Jun 2010 18:05:14 +0200

Hi,
I am referring to the attribute ssl-cache-entries of element
http-service, as described in the Sun Glassfish Enterprise Server v3
Domain File Format Reference (p. 71).

regards
--Cyril

On Tue, Jun 1, 2010 at 11:21 AM, Oleksiy Stashok
<Oleksiy.Stashok_at_sun.com> wrote:
> Hi Cyril,
>
> Which setting in Glassfish v3 do you mean?
>
> Alexey.
>
> On Jun 1, 2010, at 2:13 , Cyril DANGERVILLE wrote:
>
>> Hello,
>> Tell me if you need more information.
>> Btw, I noticed there were specific settings for SSL caching in
>> Glassfish v3, but I can't find these for v2.1. Unfortunately, I have to
>> use v2.1.
>> Any idea?
>>
>> Thanks.
>> --Cyril
>>
>> On Sun, May 30, 2010 at 5:18 PM, Cyril DANGERVILLE
>> <cyril.dangerville_at_gmail.com> wrote:
>>>
>>> Hello,
>>> the https listener config in my domain.xml:
>>>
>>> <http-listener acceptor-threads="4" address="172.17.5.213"
>>>     blocking-enabled="false" default-virtual-server="server"
>>>     enabled="true" family="inet" id="http-listener-2" port="8181"
>>>     security-enabled="true" server-name="" xpowered-by="true">
>>>   <ssl cert-nickname="s1as" client-auth-enabled="false"
>>>       ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true"
>>>       tls-rollback-enabled="true"/>
>>> </http-listener>
>>>
>>> and the java-config:
>>>
>>> <java-config classpath-suffix="" debug-enabled="false"
>>>     debug-options="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=9009"
>>>     env-classpath-ignored="true" java-home="${com.sun.aas.javaRoot}"
>>>     javac-options="-g" rmic-options="-iiop -poa -alwaysgenerate -keepgenerated -g"
>>>     system-classpath="">
>>>   <!-- various required jvm-options -->
>>>   <jvm-options>-XX:MaxPermSize=192m</jvm-options>
>>>   <jvm-options>-Djava.endorsed.dirs=${com.sun.aas.installRoot}/lib/endorsed</jvm-options>
>>>   <jvm-options>-Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy</jvm-options>
>>>   <jvm-options>-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf</jvm-options>
>>>   <jvm-options>-Dsun.rmi.dgc.server.gcInterval=3600000</jvm-options>
>>>   <jvm-options>-Dsun.rmi.dgc.client.gcInterval=3600000</jvm-options>
>>>   <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks</jvm-options>
>>>   <jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks</jvm-options>
>>>   <jvm-options>-Djava.ext.dirs=${com.sun.aas.javaRoot}/lib/ext${path.separator}${com.sun.aas.javaRoot}/jre/lib/ext${path.separator}${com.sun.aas.instanceRoot}/lib/ext${path.separator}${com.sun.aas.derbyRoot}/lib</jvm-options>
>>>   <jvm-options>-Djdbc.drivers=org.apache.derby.jdbc.ClientDriver</jvm-options>
>>>   <jvm-options>-Djavax.management.builder.initial=com.sun.enterprise.admin.server.core.jmx.AppServerMBeanServerBuilder</jvm-options>
>>>   <jvm-options>-Dcom.sun.enterprise.config.config_environment_factory_class=com.sun.enterprise.config.serverbeans.AppserverConfigEnvironmentFactory</jvm-options>
>>>   <jvm-options>-Dcom.sun.enterprise.taglibs=appserv-jstl.jar,jsf-impl.jar</jvm-options>
>>>   <jvm-options>-Dcom.sun.enterprise.taglisteners=jsf-impl.jar</jvm-options>
>>>   <jvm-options>-XX:NewRatio=2</jvm-options>
>>>   <!--
>>>     Use the following jvm-options element to disable the quick startup:
>>>     com.sun.enterprise.server.ss.ASQuickStartup=false
>>>   -->
>>>   <jvm-options>-Dcom.sun.enterprise.server.ss.ASQuickStartup=false</jvm-options>
>>>   <jvm-options>-XX:+UseParallelGC</jvm-options>
>>>   <jvm-options>-XX:+UseParallelOldGC</jvm-options>
>>>   <jvm-options>-XX:LargePageSizeInBytes=2m</jvm-options>
>>>   <jvm-options>-XX:ParallelGCThreads=${JVM_PARALLEL_GC_THREADS}</jvm-options>
>>>   <jvm-options>-Xmn1200m</jvm-options>
>>>   <jvm-options>-Xms2500m</jvm-options>
>>>   <jvm-options>-Xmx2500m</jvm-options>
>>>   <jvm-options>-server</jvm-options>
>>> </java-config>
>>>
>>> Hope it helps.
>>>
>>> Thanks.
>>> Cyril
>>>
>>> On Sun, May 30, 2010 at 2:10 AM, Martin Gainty <mgainty_at_hotmail.com>
>>> wrote:
>>>>
>>>> What does your SSL connection look like in domain.xml? Here is mine for
>>>> reference:
>>>>
>>>> <http-listener acceptor-threads="1" address="0.0.0.0"
>>>>     blocking-enabled="false" default-virtual-server="server" enabled="true"
>>>>     family="inet" id="http-listener-2" port="9181" security-enabled="true"
>>>>     server-name="" xpowered-by="true">
>>>>   <ssl cert-nickname="s1as" client-auth-enabled="false"
>>>>       ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true"
>>>>       tls-rollback-enabled="true"/>
>>>> </http-listener>
>>>>
>>>> You will also need to configure the javax.net.ssl.keyStore and
>>>> javax.net.ssl.trustStore parameters, as seen here:
>>>> <java-config classpath-suffix="" debug-enabled="false"
>>>>     debug-options="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=9009"
>>>>     env-classpath-ignored="true" java-home="${com.sun.aas.javaRoot}"
>>>>     javac-options="-g" rmic-options="-iiop -poa -alwaysgenerate -keepgenerated -g"
>>>>     system-classpath="">
>>>>   <!-- various required jvm-options -->
>>>>   <jvm-options>-XX:MaxPermSize=192m</jvm-options>
>>>>   <jvm-options>-client</jvm-options>
>>>>   <jvm-options>-Djava.endorsed.dirs=${com.sun.aas.installRoot}/lib/endorsed</jvm-options>
>>>>   <jvm-options>-Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy</jvm-options>
>>>>   <jvm-options>-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf</jvm-options>
>>>>   <jvm-options>-Dsun.rmi.dgc.server.gcInterval=3600000</jvm-options>
>>>>   <jvm-options>-Dsun.rmi.dgc.client.gcInterval=3600000</jvm-options>
>>>>   <jvm-options>-Xmx512m</jvm-options>
>>>>   <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks</jvm-options>
>>>>   <jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks</jvm-options>
>>>>   <jvm-options>-Djava.ext.dirs=${com.sun.aas.javaRoot}/lib/ext${path.separator}${com.sun.aas.javaRoot}/jre/lib/ext${path.separator}${com.sun.aas.instanceRoot}/lib/ext${path.separator}${com.sun.aas.derbyRoot}/lib</jvm-options>
>>>>   <jvm-options>-Djdbc.drivers=org.apache.derby.jdbc.ClientDriver</jvm-options>
>>>>   <jvm-options>-Djavax.management.builder.initial=com.sun.enterprise.admin.server.core.jmx.AppServerMBeanServerBuilder</jvm-options>
>>>>   <jvm-options>-Dcom.sun.enterprise.config.config_environment_factory_class=com.sun.enterprise.config.serverbeans.AppserverConfigEnvironmentFactory</jvm-options>
>>>>   <jvm-options>-Dcom.sun.enterprise.taglibs=appserv-jstl.jar,jsf-impl.jar</jvm-options>
>>>>   <jvm-options>-Dcom.sun.enterprise.taglisteners=jsf-impl.jar</jvm-options>
>>>>   <jvm-options>-XX:NewRatio=2</jvm-options>
>>>>   <!--
>>>>     Use the following jvm-options element to disable the quick startup:
>>>>     com.sun.enterprise.server.ss.ASQuickStartup=false
>>>>   -->
>>>> </java-config>
>>>>
>>>> Martin Gainty
>>>> ______________________________________________
>>>> Disclaimer and confidentiality note
>>>>
>>>> This message is confidential. If you are not the intended recipient,
>>>> we kindly ask you to notify us. Any unauthorised forwarding or copying
>>>> is not permitted. This message serves only to exchange information and
>>>> has no legally binding effect. Because e-mails can easily be
>>>> manipulated, we cannot accept any liability for their content.
>>>>
>>>> This message is confidential and may be privileged. If you are not the
>>>> intended recipient, we kindly ask you to inform the sender. Any
>>>> unauthorised distribution or copying of it is prohibited. This message
>>>> is for information only and will not have any legally binding effect.
>>>> Since e-mails can easily be manipulated, we cannot accept any
>>>> responsibility for the content provided.
>>>>
>>>>
>>>>
>>>>
>>>>> Date: Sun, 30 May 2010 01:23:42 +0200
>>>>> From: cyril.dangerville_at_gmail.com
>>>>> To: users_at_glassfish.dev.java.net
>>>>> Subject: SSL session caching
>>>>>
>>>>> Hello,
>>>>> I can't figure out how to make the Glassfish v2.1 server cache SSL
>>>>> sessions. SSL client authentication is disabled on the server. I am
>>>>> testing with the openssl s_client like this:
>>>>>
>>>>> $ openssl s_client -connect 172.17.5.213:8181 -reconnect > ssl.log
>>>>>
>>>>> ssl.log (excerpt):
>>>>>
>>>>> CONNECTED(00000003)
>>>>> ---
>>>>> Certificate chain
>>>>>  0 s:/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
>>>>>    i:/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
>>>>> ---
>>>>> Server certificate
>>>>> subject=/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
>>>>> issuer=/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
>>>>> ---
>>>>> No client certificate CA names sent
>>>>> ---
>>>>> SSL handshake has read 1326 bytes and written 284 bytes
>>>>> ---
>>>>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>>>>> Server public key is 1024 bit
>>>>> Compression: NONE
>>>>> Expansion: NONE
>>>>> SSL-Session:
>>>>> Protocol : TLSv1
>>>>> Cipher : DHE-RSA-AES256-SHA
>>>>> Session-ID: 4C019F2A8D1CE2323C13BFD5CC335D61C56A9A5E4C22CAEB414559B12383909B
>>>>> Session-ID-ctx:
>>>>> Master-Key: 3B6FF13C5090F1AEE01D0BBD793BF3699701D33A1FD5FDF649D3BD2DE68A65A8BDC583C506D06FDE0D522F6AF06971B0
>>>>> Key-Arg : None
>>>>> Krb5 Principal: None
>>>>> Start Time: 1275174644
>>>>> Timeout : 300 (sec)
>>>>> Verify return code: 18 (self signed certificate)
>>>>> ---
>>>>>
>>>>> So it is not reusing the SSL session as it should be.
>>>>>
>>>>> What am I missing?
>>>>>
>>>>> Thanks for any help.
>>>>>
>>>>> --Cyril
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>>>>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>>>>
>>>>
>>>
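Added example, not part of this thread: a small Python parser for the output of the `openssl s_client -reconnect` run shown above. s_client labels each handshake summary "New," (full handshake) or "Reused," (resumed session), so comparing that label and the Session-ID across the reconnects shows whether the server is actually caching sessions; the two logs embedded in the block are constructed, and their hex values are made up.

```python
import re

# Constructed excerpts of `openssl s_client -connect host:port -reconnect`
# output (not real captures; hex values are made up).  s_client prefixes each
# handshake summary with "New," (full handshake) or "Reused," (resumed session).
CACHING_LOG = """\
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Session-ID: A1B2C3D4E5F60718A1B2C3D4E5F60718
CONNECTED(00000003)
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Session-ID: A1B2C3D4E5F60718A1B2C3D4E5F60718
"""
# The failure mode from the thread: every reconnect is a full handshake with a
# fresh Session-ID.  The first value is wrapped onto its own line, as happens
# when the log is pasted into a mail.
NO_CACHING_LOG = """\
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Session-ID:
    0123456789ABCDEF0123456789ABCDEF
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Session-ID: FEDCBA9876543210FEDCBA9876543210
"""

HANDSHAKE_RE = re.compile(r"^(New|Reused),", re.M)
# Hex value on the same line or wrapped onto the next one; empty if absent.
SESSION_ID_RE = re.compile(r"^\s*Session-ID:\s*([0-9A-Fa-f]*)", re.M)

def parse_connections(text):
    """One dict per connection: handshake kind and upper-cased Session-ID."""
    records = []
    for chunk in re.split(r"^CONNECTED\(", text, flags=re.M)[1:]:
        kind = HANDSHAKE_RE.search(chunk)
        sid = SESSION_ID_RE.search(chunk)
        records.append({"kind": kind.group(1) if kind else "unknown",
                        "session_id": sid.group(1).upper() if sid else ""})
    return records

def session_caching_works(text):
    """True only if the first connection did a full handshake and every
    later reconnect reports Reused with that same Session-ID."""
    recs = parse_connections(text)
    if len(recs) < 2 or recs[0]["kind"] != "New" or not recs[0]["session_id"]:
        return False
    first_id = recs[0]["session_id"]
    return all(r["kind"] == "Reused" and r["session_id"] == first_id
               for r in recs[1:])
```

Feed a real capture to session_caching_works() to confirm a listener change took effect; a "New" on every reconnect means the server side never offered resumption.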