Re: [Simpleweb-Support] SSL problem
From: Niall G. <gal...@ya...> - 2005-10-20 09:27:28
Hi Martin,

If you are sure that the client is closing the connection, which causes the broken pipe at the server side, then it's an SSL/TLS problem. The SSL handshake is getting mangled or something is corrupt within the SSL stream. HTTP cannot be the problem. HTTPS means HTTP tunneled through SSL/TLS. The secure socket layer knows nothing about HTTP so it really does not matter what configuration you are using in your HTTP messages.

If you do think it is something with Simple, which I think is quite unlikely, then I suggest you use something like the following to debug the response. Here 443 is the traditional HTTPS port; if you are listening on some other port then change accordingly.

openssl s_client -connect my.hostname:443 -state -debug

Niall

--- Martin Norrsken <mar...@gm...> wrote:

> On 10/19/05, Niall Gallagher <gal...@ya...> wrote:
> > Hi Martin,
> >
> > I have used SSL quite frequently in Java 4, and never
> > encountered this problem. Although I can say that the
> > broken pipe you see on the server side indicates that
> > it is the client that is closing the socket.
>
> The client is probably closing the connection because it gets an SSL
> "unexpected_message" from the server. Also I only get this error
> intermittently, but NOT when I'm using javax.net.debug=all (probably
> as this slows down the process considerably).
>
> > If the client is closing the connection then there is
> > misconfiguration of the SSL socket. SSL is independent
> > from HTTP, so I can't really say what's happening.
>
> This is what I'm at too.
> Here's parts of my socket and simpleweb
> initialization code:
> --------------------
> public static void init() {
>     try {
>         Configuration conf = Configuration.getInstance();
>
>         System.setProperty("javax.net.ssl.trustStore",conf.getKeystore());
>         System.setProperty("javax.net.ssl.trustStorePassword",conf.getKeystorePassword());
>
>         engine = new LoaderEngine();
>
>         engine.load("logout","norrsken.jcas.web.LogoutService");
>         engine.load("login","norrsken.jcas.web.LoginService");
>         engine.load("success","norrsken.jcas.web.SuccessService");
>         engine.load("validate","norrsken.jcas.web.ValidateService");
>         engine.load("admin","norrsken.jcas.web.AdminService");
>
>         engine.link("/admin","admin");
>         engine.link("/login","login");
>         engine.link("/loginForm","login");
>         engine.link("/logout","logout");
>         engine.link("/success","success");
>         engine.link("/validate","validate");
>
>         WebPageService.register(engine);
>
>         try {
>             System.setErr(new PrintStream(new DoubleOutputStream(System.err,new FileOutputStream(conf.getTraceFile()))));
>         } catch(Exception e) {
>             e.printStackTrace();
>             System.exit(1);
>         }
>
>         ProtocolHandler handler = ProtocolHandlerFactory.getInstance(engine);
>         Connection connection = ConnectionFactory.getConnection(handler);
>
>         s = createSocket(conf.getKeystore(),conf.getKeystorePassword(),conf.getPort());
>
>         connection.connect(s);
>
>     } catch (Exception e) {
>         e.printStackTrace();
>     }
> }
>
> public static SSLServerSocket createSocket(String ksName, String ksPass, int port) throws Exception {
>     char tksPass[] = ksPass.toCharArray();
>     char tctPass[] = ksPass.toCharArray();
>
>     KeyStore ks = KeyStore.getInstance("JKS");
>     ks.load(new FileInputStream(ksName), tksPass);
>
>     KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
>     kmf.init(ks, tctPass);
>
>     SSLContext sc = SSLContext.getInstance("TLS");
>     sc.init(kmf.getKeyManagers(), null, null);
>     SSLServerSocketFactory ssf = sc.getServerSocketFactory();
>
>     SSLServerSocket ssls = (SSLServerSocket) ssf.createServerSocket(port);
>     //ssls.setEnabledProtocols(new String[]{"SSLv3","TLSv1"});
>     return ssls;
> }
>
> ------------------
> Also, I use this code to wrap my handlers:
> ------------------
>
> public abstract class ExtendedService extends BasicService {
>     public ExtendedService(Context ctx) {
>         super(ctx);
>     }
>
>     public void handle(final Request req, final Response resp) {
>         try {
>             if(!resp.isCommitted()) resp.reset(); // Tried adding this
>             resp.setDate("Date",System.currentTimeMillis());
>             resp.set("Server","MyServer/1.x");
>             //resp.set("Connection","close"); // Tried this too if it was a HTTP/1.1 prob
>             process(req, resp);
>             //resp.getOutputStream().flush(); // Tried all combinations of flush close and commit
>             resp.getOutputStream().close();
>             resp.commit();
>         }
>         catch(InternetAddressFilter.AccessDeniedException ade) {
>             Log.log("EXCEPTION: "+ade.toString());
>             ade.printStackTrace();
>             ade.printStackTrace(Log.out);
>             handle(req,resp,404);
>         } catch (Exception e) {
>             Log.log("EXCEPTION: "+e.toString());
>             e.printStackTrace();
>             e.printStackTrace(Log.out);
>             handle(req, resp, 500);
>         }
>     }
> }
>
> > However, I can imagine that if you are using a self
> > signed certificate and are prompted to accept from
> > your browser this can take about 5 to 10 seconds, and
> > in the meantime there could be a premature close of
> > the socket before the SSL handshake protocol has
> > finished.
>
> No this is not the case as I've added the cert to my root certs. And it
> mostly happens when loading the images in the document I'm first
> loading; i.e. when the requests come close to each other or perhaps in
> the same HTTP/1.1 connection (but I've tried Connection: close too).
>
> > If there is a premature closure (which is probably not
> > the case as you see "broken pipe" messages) I would
> > recommend that you increase the timeout that Simple is
> > using.
> > To do this make sure the
> > simple.http.poller=simple.http.GranularPoller. You can
> > set this with a -D parameter like so:
> >
> > java -Dsimple.http.poller=simple.http.GranularPoller
> >
> > I hope this solves your problem, or at least helps?
>
> Nope.
>
> > Niall
> >
> > --- Martin Norrsken <mar...@gm...> wrote:
> >
> > > While using simpleweb with SSL on a Java5 platform I
> > > consistently get
=== message truncated ===

Niall Gallagher
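An added example, not part of the original thread: because the failure described above is intermittent, this script repeats the `openssl s_client -state` handshake and classifies each attempt by the first fatal alert or failed state in its output. The function names, the two sample transcripts (constructed) and leaving out `-debug` to keep the output small are assumptions made here.

```shell
#!/bin/sh
# Added example. Function names and sample transcripts are constructed.

# Read `openssl s_client -state` output on stdin; print one verdict:
#   alert:fatal:<description>  first fatal TLS alert seen
#   error:<state>              handshake stopped in <state> without an alert
#   incomplete                 no cipher was negotiated
#   ok                         a cipher was negotiated and nothing fatal seen
# Warning alerts (close notify on a normal shutdown) are ignored.
classify_handshake() {
    awk '
        /^SSL3 alert (read|write):fatal:/ {
            sub(/^SSL3 alert (read|write):/, "")
            if (verdict == "") verdict = "alert:" $0
        }
        /^SSL_connect:(error|failed) in / {
            sub(/^SSL_connect:(error|failed) in /, "")
            if (verdict == "") verdict = "error:" $0
        }
        /Cipher is / && !/\(NONE\)/ { cipher = 1 }
        END {
            if (verdict != "") print verdict
            else if (cipher) print "ok"
            else print "incomplete"
        }'
}

# probe HOST PORT COUNT: run COUNT handshakes, report the ones that fail.
probe() {
    host=$1 port=$2 count=$3 i=0 bad=0
    while [ "$i" -lt "$count" ]; do
        i=$((i + 1))
        # -state messages go to stderr, so merge it into the pipe.
        verdict=$(openssl s_client -connect "$host:$port" -state \
                      </dev/null 2>&1 | classify_handshake)
        [ "$verdict" = ok ] || { bad=$((bad + 1)); echo "attempt $i: $verdict"; }
    done
    echo "$bad of $count handshakes failed"
}

# Constructed transcripts for trying the classifier offline.
sample_failed() { printf '%s\n' 'CONNECTED(00000003)' \
    'SSL_connect:SSLv3 write client hello A' \
    'SSL3 alert read:fatal:unexpected_message' \
    'SSL_connect:failed in SSLv3 read server hello A' \
    'New, (NONE), Cipher is (NONE)'; }
sample_ok() { printf '%s\n' 'CONNECTED(00000003)' \
    'SSL_connect:SSLv3 read finished A' \
    'New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA' \
    'SSL3 alert write:warning:close notify'; }

if [ "$#" -ge 2 ]; then probe "$1" "$2" "${3:-20}"; fi
```

Run it as `sh probe.sh my.hostname 443 50` (the file name is arbitrary); the attempts are sequential, so it counts failures over many handshakes rather than reproducing closely spaced requests.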