users@glassfish.java.net

Re: SSL session caching

From: Oleksiy Stashok <Oleksiy.Stashok_at_Sun.COM>
Date: Tue, 01 Jun 2010 11:21:40 +0200

Hi Cyril,

Which setting in Glassfish v3 do you mean?

Alexey.

On Jun 1, 2010, at 2:13, Cyril DANGERVILLE wrote:

> Hello,
> Tell me if you need more information.
> Btw, I noticed there were specific settings for SSL caching in
> Glassfish v3 but I can't find these for v2.1. Unfortunately, I have to
> use v2.1.
> Any idea?
>
> Thanks.
> --Cyril
>
> On Sun, May 30, 2010 at 5:18 PM, Cyril DANGERVILLE
> <cyril.dangerville_at_gmail.com> wrote:
>> Hello,
>> the https listener config in my domain.xml:
>>
>> <http-listener acceptor-threads="4" address="172.17.5.213"
>> blocking-enabled="false" default-virtual-server="server"
>> enabled="true" family="inet" id="http-listener-2" port="8181"
>> security-enabled="true" server-name="" xpowered-by="true">
>> <ssl cert-nickname="s1as" client-auth-enabled="false"
>> ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true"
>> tls-rollback-enabled="true"/>
>> </http-listener>
>>
>> and the java-config:
>>
>> <java-config classpath-suffix="" debug-enabled="false"
>> debug-options="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=9009"
>> env-classpath-ignored="true" java-home="${com.sun.aas.javaRoot}"
>> javac-options="-g" rmic-options="-iiop -poa -alwaysgenerate -keepgenerated -g"
>> system-classpath="">
>>   <!-- various required jvm-options -->
>>   <jvm-options>-XX:MaxPermSize=192m</jvm-options>
>>   <jvm-options>-Djava.endorsed.dirs=${com.sun.aas.installRoot}/lib/endorsed</jvm-options>
>>   <jvm-options>-Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy</jvm-options>
>>   <jvm-options>-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf</jvm-options>
>>   <jvm-options>-Dsun.rmi.dgc.server.gcInterval=3600000</jvm-options>
>>   <jvm-options>-Dsun.rmi.dgc.client.gcInterval=3600000</jvm-options>
>>   <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks</jvm-options>
>>   <jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks</jvm-options>
>>   <jvm-options>-Djava.ext.dirs=${com.sun.aas.javaRoot}/lib/ext${path.separator}${com.sun.aas.javaRoot}/jre/lib/ext${path.separator}${com.sun.aas.instanceRoot}/lib/ext${path.separator}${com.sun.aas.derbyRoot}/lib</jvm-options>
>>   <jvm-options>-Djdbc.drivers=org.apache.derby.jdbc.ClientDriver</jvm-options>
>>   <jvm-options>-Djavax.management.builder.initial=com.sun.enterprise.admin.server.core.jmx.AppServerMBeanServerBuilder</jvm-options>
>>   <jvm-options>-Dcom.sun.enterprise.config.config_environment_factory_class=com.sun.enterprise.config.serverbeans.AppserverConfigEnvironmentFactory</jvm-options>
>>   <jvm-options>-Dcom.sun.enterprise.taglibs=appserv-jstl.jar,jsf-impl.jar</jvm-options>
>>   <jvm-options>-Dcom.sun.enterprise.taglisteners=jsf-impl.jar</jvm-options>
>>   <jvm-options>-XX:NewRatio=2</jvm-options>
>>   <!--
>>   Use the following jvm-options element to disable the quick startup:
>>   com.sun.enterprise.server.ss.ASQuickStartup=false
>>   -->
>>   <jvm-options>-Dcom.sun.enterprise.server.ss.ASQuickStartup=false</jvm-options>
>>   <jvm-options>-XX:+UseParallelGC</jvm-options>
>>   <jvm-options>-XX:+UseParallelOldGC</jvm-options>
>>   <jvm-options>-XX:LargePageSizeInBytes=2m</jvm-options>
>>   <jvm-options>-XX:ParallelGCThreads=${JVM_PARALLEL_GC_THREADS}</jvm-options>
>>   <jvm-options>-Xmn1200m</jvm-options>
>>   <jvm-options>-Xms2500m</jvm-options>
>>   <jvm-options>-Xmx2500m</jvm-options>
>>   <jvm-options>-server</jvm-options>
>> </java-config>
>>
>> Hope it helps.
>>
>> Thanks.
>> Cyril
>>
>> On Sun, May 30, 2010 at 2:10 AM, Martin Gainty
>> <mgainty_at_hotmail.com> wrote:
>>> What does your SSL connection look like in domain.xml? Here is mine for
>>> reference:
>>>
>>> <http-listener acceptor-threads="1" address="0.0.0.0"
>>> blocking-enabled="false" default-virtual-server="server" enabled="true"
>>> family="inet" id="http-listener-2" port="9181" security-enabled="true"
>>> server-name="" xpowered-by="true">
>>>   <ssl cert-nickname="s1as" client-auth-enabled="false"
>>>   ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true"
>>>   tls-rollback-enabled="true"/>
>>> </http-listener>
>>>
>>> you will also need to configure javax.net.ssl.keyStore and
>>> javax.net.ssl.trustStore parameters as seen here
>>> <java-config classpath-suffix="" debug-enabled="false"
>>> debug-options="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=9009"
>>> env-classpath-ignored="true" java-home="${com.sun.aas.javaRoot}"
>>> javac-options="-g" rmic-options="-iiop -poa -alwaysgenerate -keepgenerated -g"
>>> system-classpath="">
>>>   <!-- various required jvm-options -->
>>>   <jvm-options>-XX:MaxPermSize=192m</jvm-options>
>>>   <jvm-options>-client</jvm-options>
>>>   <jvm-options>-Djava.endorsed.dirs=${com.sun.aas.installRoot}/lib/endorsed</jvm-options>
>>>   <jvm-options>-Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy</jvm-options>
>>>   <jvm-options>-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf</jvm-options>
>>>   <jvm-options>-Dsun.rmi.dgc.server.gcInterval=3600000</jvm-options>
>>>   <jvm-options>-Dsun.rmi.dgc.client.gcInterval=3600000</jvm-options>
>>>   <jvm-options>-Xmx512m</jvm-options>
>>>   <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks</jvm-options>
>>>   <jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks</jvm-options>
>>>   <jvm-options>-Djava.ext.dirs=${com.sun.aas.javaRoot}/lib/ext${path.separator}${com.sun.aas.javaRoot}/jre/lib/ext${path.separator}${com.sun.aas.instanceRoot}/lib/ext${path.separator}${com.sun.aas.derbyRoot}/lib</jvm-options>
>>>   <jvm-options>-Djdbc.drivers=org.apache.derby.jdbc.ClientDriver</jvm-options>
>>>   <jvm-options>-Djavax.management.builder.initial=com.sun.enterprise.admin.server.core.jmx.AppServerMBeanServerBuilder</jvm-options>
>>>   <jvm-options>-Dcom.sun.enterprise.config.config_environment_factory_class=com.sun.enterprise.config.serverbeans.AppserverConfigEnvironmentFactory</jvm-options>
>>>   <jvm-options>-Dcom.sun.enterprise.taglibs=appserv-jstl.jar,jsf-impl.jar</jvm-options>
>>>   <jvm-options>-Dcom.sun.enterprise.taglisteners=jsf-impl.jar</jvm-options>
>>>   <jvm-options>-XX:NewRatio=2</jvm-options>
>>>   <!--
>>>   Use the following jvm-options element to disable the quick startup:
>>>   com.sun.enterprise.server.ss.ASQuickStartup=false
>>>   -->
>>>
>>> Martin Gainty
>>> ______________________________________________
>>> Disclaimer and confidentiality note (German and French originals, translated)
>>>
>>> This message is confidential and may be privileged. If you are not the
>>> intended recipient, we kindly ask you to notify the sender. Any
>>> unauthorized forwarding or copying of it is not permitted. This message
>>> serves only the exchange of information and has no legally binding
>>> effect. Because e-mails can easily be manipulated, we cannot accept any
>>> liability for the content provided.
>>>
>>>
>>>
>>>
>>>> Date: Sun, 30 May 2010 01:23:42 +0200
>>>> From: cyril.dangerville_at_gmail.com
>>>> To: users_at_glassfish.dev.java.net
>>>> Subject: SSL session caching
>>>>
>>>> Hello,
>>>> I can't figure out how to make the Glassfish v2.1 server cache SSL
>>>> sessions. SSL client authentication is disabled on the server. I am
>>>> testing with the openssl s_client like this:
>>>>
>>>> $ openssl s_client -connect 172.17.5.213:8181 -reconnect > ssl.log
>>>>
>>>> ssl.log (excerpt):
>>>>
>>>> CONNECTED(00000003)
>>>> ---
>>>> Certificate chain
>>>> 0 s:/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
>>>> i:/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
>>>> ---
>>>> Server certificate
>>>> -----BEGIN CERTIFICATE-----
>>>> MIIC5jCCAk+gAwIBAgIES+iM6DANBgkqhkiG9w0BAQUFADCBpTELMAkGA1UEBhMC
>>>> VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMRkw
>>>> FwYDVQQKExBTdW4gTWljcm9zeXN0ZW1zMSgwJgYDVQQLEx9TdW4gR2xhc3NGaXNo
>>>> IEVudGVycHJpc2UgU2VydmVyMSYwJAYDVQQDEx1zaGVybG9jazIubGF5ZXI3LnRo
>>>> ZXJlc2lzLm9yZzAeFw0xMDA1MTAyMjQ3MDRaFw0yMDA1MDcyMjQ3MDRaMIGlMQsw
>>>> CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEg
>>>> Q2xhcmExGTAXBgNVBAoTEFN1biBNaWNyb3N5c3RlbXMxKDAmBgNVBAsTH1N1biBH
>>>> bGFzc0Zpc2ggRW50ZXJwcmlzZSBTZXJ2ZXIxJjAkBgNVBAMTHXNoZXJsb2NrMi5s
>>>> YXllcjcudGhlcmVzaXMub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCI
>>>> SaVC0IuOgoSFEb+5VMObCfr+s3N9TBHm4tcDgybxoqAutuu8lUQLBP7uIHrAnr5q
>>>> loON5NnYqTBIUFqFvoRmiBO6rGJLcmdrYFAyGfpuJ/uy6g5cviF0/azhNS+qlOOn
>>>> UjgxZ9W6HC8GecgQAk+oZiWIRdKb1TbQrsuBWjETSQIDAQABoyEwHzAdBgNVHQ4E
>>>> FgQU1EWazuIGgynlmMR2rkHHDVgjeqkwDQYJKoZIhvcNAQEFBQADgYEAKjMATvjC
>>>> FdVu4BC6ZPRTo3wztZ3zp0t9sd2JdwCxAiEnS+cqUYaMRz+0RlvIz5junKV9q/iS
>>>> q9vS2/VMd/Mlt8Uj7jNUa4r9mHahgomEBLAGIKozO4VambCMop0CZIdAerrBY3j8
>>>> 3qgjtFv7c/bWiRY3V29LX7tKn4AKXnpuAm8=
>>>> -----END CERTIFICATE-----
>>>> subject=/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
>>>> issuer=/C=US/ST=California/L=Santa Clara/O=Sun Microsystems/OU=Sun GlassFish Enterprise Server/CN=sherlock2.layer7.theresis.org
>>>> ---
>>>> No client certificate CA names sent
>>>> ---
>>>> SSL handshake has read 1326 bytes and written 284 bytes
>>>> ---
>>>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>>>> Server public key is 1024 bit
>>>> Compression: NONE
>>>> Expansion: NONE
>>>> SSL-Session:
>>>> Protocol : TLSv1
>>>> Cipher : DHE-RSA-AES256-SHA
>>>> Session-ID: 4C019F2A8D1CE2323C13BFD5CC335D61C56A9A5E4C22CAEB414559B12383909B
>>>> Session-ID-ctx:
>>>> Master-Key: 3B6FF13C5090F1AEE01D0BBD793BF3699701D33A1FD5FDF649D3BD2DE68A65A8BDC583C506D06FDE0D522F6AF06971B0
>>>> Key-Arg : None
>>>> Krb5 Principal: None
>>>> Start Time: 1275174644
>>>> Timeout : 300 (sec)
>>>> Verify return code: 18 (self signed certificate)
>>>> ---
>>>>
>>>> So it is not reusing the SSL session as it should be.
>>>>
>>>> What am I missing?
>>>>
>>>> Thanks for any help.
>>>>
>>>> --Cyril
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>>>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>>>
>>>
>>
>
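An added client-side check, not code from the thread or from GlassFish: the test Cyril runs with `openssl s_client -reconnect` can be summarised mechanically from the `New,` / `Reused,` line that s_client prints once per handshake, instead of reading the log by eye. The script below is mine; the two log samples inside it are constructed to mirror the excerpt above (one for a server that caches sessions, one for the failure mode in the thread), and the `host:port` argument is whichever listener you are testing.

```shell
#!/bin/sh
# Added example, not from the thread or from GlassFish. Summarises the
# "New," / "Reused," lines that openssl s_client prints once per handshake
# when run with -reconnect, so "does the server resume sessions?" is answered
# by a count. The sample logs below are constructed, not captured.

# Read s_client output on stdin; print "<full handshakes> <resumed> <distinct session IDs>".
summarize_s_client() {
  awk '
    /^New, /    { full++ }
    /^Reused, / { resumed++ }
    # A wrapped log (as in a mailed excerpt) may put the ID on the line after "Session-ID:".
    want_id     { if ($1 != "") ids[$1] = 1; want_id = 0 }
    /^[[:space:]]*Session-ID:/ { if (NF >= 2) ids[$2] = 1; else want_id = 1 }
    END {
      distinct = 0
      for (k in ids) distinct++
      printf "%d %d %d\n", full + 0, resumed + 0, distinct
    }'
}

# Turn the summary line into a verdict: the server caches sessions only if at
# least one reconnect was resumed rather than renegotiated from scratch.
verdict() {
  read -r full resumed distinct
  if [ "$resumed" -gt 0 ]; then
    echo "resumed ($resumed of $((full + resumed)) handshakes, $distinct session ID(s))"
  else
    echo "not resumed ($full full handshakes, $distinct session ID(s))"
  fi
}

# Live check against a listener, e.g. check_live 172.17.5.213:8181
# (-reconnect does one full handshake and five reconnects that try to resume).
check_live() {
  openssl s_client -connect "$1" -reconnect </dev/null 2>/dev/null \
    | summarize_s_client | verdict
}

# Constructed sample: a server that caches sessions (one full handshake, two resumed,
# same Session-ID each time).
sample_cached() {
  cat <<'EOF'
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Session-ID: 4C019F2A8D1CE2323C13BFD5CC335D61C56A9A5E4C22CAEB414559B12383909B
    Session-ID-ctx:
drop connection and then reconnect
CONNECTED(00000003)
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Session-ID: 4C019F2A8D1CE2323C13BFD5CC335D61C56A9A5E4C22CAEB414559B12383909B
drop connection and then reconnect
CONNECTED(00000003)
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Session-ID: 4C019F2A8D1CE2323C13BFD5CC335D61C56A9A5E4C22CAEB414559B12383909B
EOF
}

# Constructed sample: the failure mode from the thread, every reconnect is a full
# handshake with a fresh ID (the first ID is wrapped onto its own line, as in the
# mailed excerpt; the second ID is made up).
sample_uncached() {
  cat <<'EOF'
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Session-ID:
4C019F2A8D1CE2323C13BFD5CC335D61C56A9A5E4C22CAEB414559B12383909B
    Session-ID-ctx:
drop connection and then reconnect
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Session-ID: 0000000000000000000000000000000000000000000000000000000000000001
EOF
}

# Usage: sh check_resumption.sh host:port
if [ $# -eq 1 ]; then
  check_live "$1"
fi
```

With `-reconnect`, s_client completes one full handshake and then reconnects five times offering the session ID it was given; a server that keeps the session in its cache answers each reconnect with `Reused,` and the same `Session-ID`, while a server that does not (or a different instance behind a load balancer that never saw the session) answers `New,` with a fresh ID, which is what the excerpt above shows for its first connection. On modern OpenSSL and TLS 1.3 servers resumption is ticket-based and the `Session-ID` line no longer identifies a cache entry, so go by the `Reused,` count alone.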