simpleweb-support Mailing List for Simple (Page 8)
From: Arshad A. <ars...@gm...> - 2010-09-26 20:57:31
Hello,

I'm new to Simple and I am trying to create the asynchronous proxy example. Can anyone please point me to the documentation or tutorials that I can follow? Or do I have to peep into source code to understand how it really works? I need to create that example as a proof of concept for my project.

Any help will be extremely appreciated.

Thanks and regards,
Arshad.
From: Niall G. <gal...@ya...> - 2010-09-12 08:30:24
Hi,

Not sure what the status of Squid is at the moment, but I've used this with success in the past. For minimal overhead, I have found iptables the fastest by far, not sure if it can provide sticky connections on I.P for multiple servers in the back end though.

If you're willing to put some work in you can actually use Simple as a reverse proxy, this will allow you to intercept the SSL request, and apply logic for sticky connections based on session or I.P or whatever else suits. This can require some effort though!

Niall

--- On Sat, 11/9/10, Andrew Barlow <and...@sd...> wrote:

From: Andrew Barlow <and...@sd...>
Subject: Re: [Simpleweb-Support] HTTP Reverse proxy
To: "Simple support and user issues" <sim...@li...>
Received: Saturday, 11 September, 2010, 12:24 PM

I've just tested a configuration with Zeus Load Balancer instead of Cherokee and it works like a charm. I think that vindicates Bruno's posting which essentially says that it depends on the front-end SSL reverse proxy you choose to use.

I can't comment on the effective overhead of SSL, though clearly it diminishes as hardware and software become more powerful. The reason I needed a proxy was to use a single SSL certificate over multiple servers, and a reverse load-balancing SSL proxy made sense.

Not one to join in the flame wars, I'll refrain from observing that I think Kai misses the point of Bruno's reply. But then again, keeps life interesting!

AndyB

On 11 Sep 2010, at 13:04, Bruno Harbulot wrote:

Hi Kai,

On 11/09/2010 03:26, Kai Schutte wrote:

For true load balancing with Simple, and with *ANY* other web server at a very high load, you need to use a hardware TCP/IP load balancer, a DNS load balance, or even both. You need to look at how Sessions are handled, including HTTPS sessions.
From: Andrew B. <and...@sd...> - 2010-09-11 19:24:22
I've just tested a configuration with Zeus Load Balancer instead of Cherokee and it works like a charm. I think that vindicates Bruno's posting which essentially says that it depends on the front-end SSL reverse proxy you choose to use.

I can't comment on the effective overhead of SSL, though clearly it diminishes as hardware and software become more powerful. The reason I needed a proxy was to use a single SSL certificate over multiple servers, and a reverse load-balancing SSL proxy made sense.

Not one to join in the flame wars, I'll refrain from observing that I think Kai misses the point of Bruno's reply. But then again, keeps life interesting!

AndyB

On 11 Sep 2010, at 13:04, Bruno Harbulot wrote:

> Hi Kai,
>
> On 11/09/2010 03:26, Kai Schutte wrote:
>> For true load balancing with Simple, and with *ANY* other web server at
>> a very high load, you need to use a hardware TCP/IP load balancer, a DNS
>> load balance, or even both. You need to look at how Sessions are
>> handled, including HTTPS sessions.
>>
>> Bruno Harbulot, I'm not sure what your problem actually is, but I think
>> if you'd stop blaming technologies you don't understand and actually
>> apply them properly, you might get somewhere :)
>
> (Not sure your tone comes across so well, but maybe that's because
> e-mail is never so good for that.)
>
> I do admit I'm not a Simple expert, but I've learnt enough about it to
> find a bug regarding a buffer size when handling an SSL message [1].
> This is about asynchronous SSL handling in Java, which I don't find
> "simple", but maybe I'm a bit slow indeed (if you find developers who'd
> use the word "simple" for this, let me know).
>
> I think you're the one who doesn't understand what we've been talking
> about (or at least what I've been talking about).
From: Bruno H. <Bru...@ma...> - 2010-09-11 12:05:06
Hi Kai,

On 11/09/2010 03:26, Kai Schutte wrote:
> For true load balancing with Simple, and with *ANY* other web server at
> a very high load, you need to use a hardware TCP/IP load balancer, a DNS
> load balance, or even both. You need to look at how Sessions are
> handled, including HTTPS sessions.
>
> Bruno Harbulot, I'm not sure what your problem actually is, but I think
> if you'd stop blaming technologies you don't understand and actually
> apply them properly, you might get somewhere :)

(Not sure your tone comes across so well, but maybe that's because e-mail is never so good for that.)

I do admit I'm not a Simple expert, but I've learnt enough about it to find a bug regarding a buffer size when handling an SSL message [1]. This is about asynchronous SSL handling in Java, which I don't find "simple", but maybe I'm a bit slow indeed (if you find developers who'd use the word "simple" for this, let me know).

I think you're the one who doesn't understand what we've been talking about (or at least what I've been talking about). To recap, I've tried two scenarios:

(A)
Client <--SSL--> (mod_ssl) Apache (mod_jk) <---> (Jetty lib) Restlet

(B)
Client <------------------SSL------------------> (Jetty lib) Restlet

In (A), SSL is handled by mod_ssl/OpenSSL, and two TCP connections are established. In (B), the SSL connection is handled directly within the Java environment.

I was only talking about my personal experience with this, saying that (A) led to connections being mangled or non-existent between Apache Httpd and the Java under a 50+ requests/sec load, whereas (B) was handling that perfectly well. I was asking for similar experiences about this approach, as it's hard to generalise.

The reason I mentioned this was that Andrew's configuration (A') was similar to (A).

(A')
Client <--SSL--> Cherokee <--No SSL--> Simple

In both (A) and (A'), you need to manage two TCP connections, as there is an intermediate party (the "load-balancer": Apache Httpd/Cherokee) which will not only need to redirect the connection, but process it at the HTTP layer (that's HTTP-level load-balancing). That intermediate party, doing the SSL processing here, will definitely be running in a different process, and possibly on a different machine.

I'm just wondering whether delegating SSL to a different process/server/box is really worth it, considering that it had worsened the situation in the configurations I mentioned (admittedly limited to the application I was developing). I found handling SSL within the Java environment directly to work better. I don't have the answer to that question, but perhaps others have experiences to share.

You're then talking of TCP/IP load-balancing, which is exactly what my suggestion about iptables-based load-balancing was about (I bet even some hardware load-balancers might be using variants of it inside).

I may not have been clear, but I was hinting that Andrew could try letting SSL be processed within Java rather than using Cherokee for this (but perhaps he has other reasons for using it), since this approach solved a similar problem I had.

I'm not sure what your point about my blaming technologies was here, Kai.

Best wishes,

Bruno.

[1] http://sourceforge.net/mailarchive/forum.php?thread_name=838C9014F7E13841B1F711C5DC2B42F3327B566C%40LONMC01032.rbsres07.net&forum_name=simpleweb-support

> On Fri, Sep 10, 2010 at 4:20 PM, Bruno Harbulot
> <Bru...@ma... <mailto:Bru...@ma...>> wrote:
>
> Hi,
>
> I'm going to go slightly off-topic here, but I'm curious about this
> notion of "SSL heavy lifting".
>
> I've been developing a service that's based on Restlet and that uses SSL
> client-certificate authentication. (This then led me to make
> contributions to Restlet regarding SSL. Restlet can use a number of
> underlying connectors, for example based on Jetty or Simple. I must
> admit I've been using Jetty, not because I don't like Simple, but
> because it's the one I picked at the time and my users haven't
> complained about it, so why fix a bug that doesn't exist. As part of my
> work on SSL with Restlet, I've looked at Simple in that context too.)
>
> In early versions, I was using an Apache Httpd front-end with mod_jk,
> talking to the Jetty connector via AJP. (I wasn't using mod_proxy,
> because it can't send the full chain of client certificates, only the
> leaf one, and I needed the full chain).
> The usage pattern of this service is to have a client send connections
> by bursts (say 50+ connections within 1-2 seconds, and then nothing
> for a while). That kind of load isn't actually that big, I think.
> However, many of the connections were dropped (SSL handshake errors
> appeared on the client side). I think it's fair to say that Apache Httpd
> is a robust product, and that it should be able to handle that sort of
> load (maybe I could have improved the configuration). There was
> definitely an issue with the connection between mod_jk and the Jetty
> connector, because some of the connections didn't even appear in the
> Java logs in any way (not even an exception).
> (I seem to remember having similar problems with
> mod_proxy_http/mod_proxy_ajp, which I may have tested briefly, but I'm
> not sure.)
>
> To address this, I removed the Apache Httpd layer and sent the
> connections straight to the Java connector (using iptables port
> redirects), letting Java deal with the SSL stack. Since then, I haven't
> had any report of a single connection dropped (it all worked fine,
> tested with about 500 requests within a couple of seconds at some
> point).
>
> I know I'm not talking about Simple here, and I'm quite off-topic, but
> I'm just wondering, in general, whether there are any benchmarks and
> studies that make the use of a front-end Apache Httpd or Cherokee really
> worth it. How much of a myth/fact is this "SSL heavy lifting" nowadays?
> I appreciate that it varies substantially depending on the general
> architecture of the system, but it sounds like a front-end entails
> having two services processing every request/response to some extent
> (which can only add overhead).
>
> Having a load-balancer in the equation probably changes the problem a
> bit. I must admit I didn't have the need (or the resources) to have
> this. Maybe iptables-based load-balancing could work.
>
> Some of the architectural decisions for SSL setup seem to be based
> around its reputation for being computationally expensive, which may
> have been true historically, but I'm not sure what the current facts
> are, and whether this justifies having another server in the middle.
> Here is an interesting article by people from Google:
> http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html
>
> Any similar or different experiences regarding direct or indirect
> connection (it could also be relevant without SSL I suppose)?
>
> Best wishes,
>
> Bruno.
>
> On 10/09/10 13:20, Andrew Barlow wrote:
> > Has anyone tried to set up a bunch of Simple HTTP servers behind an HTTP
> > proxy, using Cherokee or similar (see
> > http://www.cherokee-project.com/doc/cookbook_https_accelerator.html)?
> >
> > I've configured a front-end Cherokee server to do the "heavy lifting" of
> > delivering content over SSL, with connectors to several Simple HTTP
> > servers which provide the content over HTTP to the front end Cherokee
> > server.
> >
> > To ensure state is maintained throughout the session I've configured
> > Cherokee to use an IP Hash rather than Round Robin balancer.
> >
> > All seems to work fine (pages display, state is maintained, etc.) until
> > I try to download a document.
> >
> > When I (for example) download a PDF, the download either fails with a
> > connection error or the file downloads but is corrupt (appears to be a
> > mix of PDF and HTML, as if Cherokee has got confused somehow)
> >
> > In Simple, I set the MIME type and disposition accordingly and if I go
> > direct to a Simple server the PDF downloads properly.
> >
> > Going via the HTTPS Cherokee front-end mangles the document - could the
> > Response header from Simple be confusing Cherokee?
> >
> > Perhaps someone out there has already done something similar and succeeded?
> >
> > Looking at some of the configuration options in Cherokee (e.g. Allow
> > Keepalive, Preserve Host Header, Preserve Server Header) perhaps there
> > is a particular combination of settings required, e.g. does Simple HTTP
> > Server support Keep-alive connections?
> >
> > I'm a little new to this, so if I've missed something obvious please let
> > me know!
> >
> > Many thanks.
From: Kai S. <sch...@gm...> - 2010-09-11 02:26:25
|
Hey,

Simple, at its core, is a load balancer an SSL handler, it's simply a very fast and lightweight HTTP protocol handler built for a single server load burst... It's very good at its job, and can handle other jobs, including load balancing well, but that's not what it's designed for.

For true load balancing with Simple, and with *ANY* other web server at a very high load, you need to use a hardware TCP/IP load balancer, a DNS load balance, or even both. You need to look at how Sessions are handled, including HTTPS sessions.

Andrew Barlow, your problems probably originate in the fact that your load balancer switches before a full upload has been done.

Bruno Harbulot, I'm not sure what your problem actually is, but I think if you'd stop blaming technologies you don't understand and actually apply them properly, you might get somewhere :)

I appreciate the input, but... Simple isn't Apache... it's uhm... simple. What Simple doesn't provide or do well, you need to expand to do yourself :)

-k

On Fri, Sep 10, 2010 at 4:20 PM, Bruno Harbulot <Bru...@ma...> wrote:

> Hi,
>
> I'm going to go slightly off-topic here, but I'm curious about this notion of "SSL heavy lifting".
>
> I've been developing a service that's based on Restlet and that uses SSL client-certificate authentication. (This then led me to make contributions to Restlet regarding SSL. Restlet can use a number of underlying connectors, for example based on Jetty or Simple. I must admit I've been using Jetty, not because I don't like Simple, but because it's the one I picked at the time and my users haven't complained about it, so why fix a bug that doesn't exist. As part of my work on SSL with Restlet, I've looked at Simple in that context too.)
>
> In early versions, I was using an Apache Httpd front-end with mod_jk, talking to the Jetty connector via AJP. (I wasn't using mod_proxy, because it can't send the full chain of client certificates, only the leaf one, and I needed the full chain).
>
> The usage pattern of this service is to have a client send connections by bursts (say 50+ connections within 1-2 seconds, and then nothing for a while). That kind of load isn't actually that big, I think. However, many of the connections were dropped (SSL handshake errors appeared on the client side). I think it's fair to say that Apache Httpd is a robust product, and that it should be able to handle that sort of load (maybe I could have improved the configuration). There was definitely an issue with the connection between mod_jk and the Jetty connector, because some of the connections didn't even appear in the Java logs in any way (not even an exception).
>
> (I seem to remember having similar problems with mod_proxy_http/mod_proxy_ajp, which I may have tested briefly, but I'm not sure.)
>
> To address this, I removed the Apache Httpd layer and sent the connections straight to the Java connector (using iptables port redirects), letting Java deal with the SSL stack. Since then, I haven't had any report of a single connection dropped (it all worked fine, tested with about 500 requests within a couple of seconds at some point).
>
> I know I'm not talking about Simple here, and I'm quite off-topic, but I'm just wondering, in general, whether there are any benchmarks and studies that make the use of a front-end Apache Httpd or Cherokee really worth it. How much of a myth/fact is this "SSL heavy lifting" nowadays? I appreciate that it varies substantially depending on the general architecture of the system, but it sounds like a front-end entails having two services processing every request/response to some extent (which can only add overhead).
>
> Having a load-balancer in the equation probably changes the problem a bit. I must admit I didn't have the need (or the resources) to have this. Maybe iptables-based load-balancing could work.
>
> Some of the architectural decisions for SSL setup seem to be based around its reputation for being computationally expensive, which may have been true historically, but I'm not sure what the current facts are, and whether this justifies having another server in the middle. Here is an interesting article by people from Google: http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html
>
> Any similar or different experiences regarding direct or indirect connection (it could also be relevant without SSL I suppose)?
>
> Best wishes,
>
> Bruno.
>
> On 10/09/10 13:20, Andrew Barlow wrote:
> > Has anyone tried to set up a bunch of Simple HTTP servers behind an HTTP proxy, using Cherokee or similar (see http://www.cherokee-project.com/doc/cookbook_https_accelerator.html)?
> >
> > I've configured a front-end Cherokee server to do the "heavy lifting" of delivering content over SSL, with connectors to several Simple HTTP servers which provide the content over HTTP to the front end Cherokee server.
> >
> > To ensure state is maintained throughout the session I've configured Cherokee to use an IP Hash rather than Round Robin balancer.
> >
> > All seems to work fine (pages display, state is maintained, etc.) until I try to download a document.
> >
> > When I (for example) download a PDF, the download either fails with a connection error or the file downloads but is corrupt (appears to be a mix of PDF and HTML, as if Cherokee has got confused somehow).
> >
> > In Simple, I set the MIME type and disposition accordingly and if I go direct to a Simple server the PDF downloads properly.
> >
> > Going via the HTTPS Cherokee front-end mangles the document - could the Response header from Simple be confusing Cherokee?
> >
> > Perhaps someone out there has already done something similar and succeeded?
> >
> > Looking at some of the configuration options in Cherokee (e.g. Allow Keepalive, Preserve Host Header, Preserve Server Header) perhaps there is a particular combination of settings required, e.g. does Simple HTTP Server support Keep-alive connections?
> >
> > I'm a little new to this, so if I've missed something obvious please let me know!
> >
> > Many thanks.
|
From: Bruno H. <Bru...@ma...> - 2010-09-10 14:20:07
|
Hi,

I'm going to go slightly off-topic here, but I'm curious about this notion of "SSL heavy lifting".

I've been developing a service that's based on Restlet and that uses SSL client-certificate authentication. (This then led me to make contributions to Restlet regarding SSL. Restlet can use a number of underlying connectors, for example based on Jetty or Simple. I must admit I've been using Jetty, not because I don't like Simple, but because it's the one I picked at the time and my users haven't complained about it, so why fix a bug that doesn't exist. As part of my work on SSL with Restlet, I've looked at Simple in that context too.)

In early versions, I was using an Apache Httpd front-end with mod_jk, talking to the Jetty connector via AJP. (I wasn't using mod_proxy, because it can't send the full chain of client certificates, only the leaf one, and I needed the full chain).

The usage pattern of this service is to have a client send connections by bursts (say 50+ connections within 1-2 seconds, and then nothing for a while). That kind of load isn't actually that big, I think. However, many of the connections were dropped (SSL handshake errors appeared on the client side). I think it's fair to say that Apache Httpd is a robust product, and that it should be able to handle that sort of load (maybe I could have improved the configuration). There was definitely an issue with the connection between mod_jk and the Jetty connector, because some of the connections didn't even appear in the Java logs in any way (not even an exception).

(I seem to remember having similar problems with mod_proxy_http/mod_proxy_ajp, which I may have tested briefly, but I'm not sure.)

To address this, I removed the Apache Httpd layer and sent the connections straight to the Java connector (using iptables port redirects), letting Java deal with the SSL stack. Since then, I haven't had any report of a single connection dropped (it all worked fine, tested with about 500 requests within a couple of seconds at some point).

I know I'm not talking about Simple here, and I'm quite off-topic, but I'm just wondering, in general, whether there are any benchmarks and studies that make the use of a front-end Apache Httpd or Cherokee really worth it. How much of a myth/fact is this "SSL heavy lifting" nowadays? I appreciate that it varies substantially depending on the general architecture of the system, but it sounds like a front-end entails having two services processing every request/response to some extent (which can only add overhead).

Having a load-balancer in the equation probably changes the problem a bit. I must admit I didn't have the need (or the resources) to have this. Maybe iptables-based load-balancing could work.

Some of the architectural decisions for SSL setup seem to be based around its reputation for being computationally expensive, which may have been true historically, but I'm not sure what the current facts are, and whether this justifies having another server in the middle. Here is an interesting article by people from Google: http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

Any similar or different experiences regarding direct or indirect connection (it could also be relevant without SSL I suppose)?

Best wishes,

Bruno.

On 10/09/10 13:20, Andrew Barlow wrote:
> Has anyone tried to set up a bunch of Simple HTTP servers behind an HTTP proxy, using Cherokee or similar (see http://www.cherokee-project.com/doc/cookbook_https_accelerator.html)?
>
> I've configured a front-end Cherokee server to do the "heavy lifting" of delivering content over SSL, with connectors to several Simple HTTP servers which provide the content over HTTP to the front end Cherokee server.
>
> To ensure state is maintained throughout the session I've configured Cherokee to use an IP Hash rather than Round Robin balancer.
>
> All seems to work fine (pages display, state is maintained, etc.) until I try to download a document.
>
> When I (for example) download a PDF, the download either fails with a connection error or the file downloads but is corrupt (appears to be a mix of PDF and HTML, as if Cherokee has got confused somehow).
>
> In Simple, I set the MIME type and disposition accordingly and if I go direct to a Simple server the PDF downloads properly.
>
> Going via the HTTPS Cherokee front-end mangles the document - could the Response header from Simple be confusing Cherokee?
>
> Perhaps someone out there has already done something similar and succeeded?
>
> Looking at some of the configuration options in Cherokee (e.g. Allow Keepalive, Preserve Host Header, Preserve Server Header) perhaps there is a particular combination of settings required, e.g. does Simple HTTP Server support Keep-alive connections?
>
> I'm a little new to this, so if I've missed something obvious please let me know!
>
> Many thanks.
|
From: Andrew B. <and...@sd...> - 2010-09-10 12:47:03
|
Has anyone tried to set up a bunch of Simple HTTP servers behind an HTTP proxy, using Cherokee or similar (see http://www.cherokee-project.com/doc/cookbook_https_accelerator.html)?

I've configured a front-end Cherokee server to do the "heavy lifting" of delivering content over SSL, with connectors to several Simple HTTP servers which provide the content over HTTP to the front end Cherokee server.

To ensure state is maintained throughout the session I've configured Cherokee to use an IP Hash rather than Round Robin balancer.

All seems to work fine (pages display, state is maintained, etc.) until I try to download a document.

When I (for example) download a PDF, the download either fails with a connection error or the file downloads but is corrupt (appears to be a mix of PDF and HTML, as if Cherokee has got confused somehow).

In Simple, I set the MIME type and disposition accordingly and if I go direct to a Simple server the PDF downloads properly.

Going via the HTTPS Cherokee front-end mangles the document - could the Response header from Simple be confusing Cherokee?

Perhaps someone out there has already done something similar and succeeded?

Looking at some of the configuration options in Cherokee (e.g. Allow Keepalive, Preserve Host Header, Preserve Server Header) perhaps there is a particular combination of settings required, e.g. does Simple HTTP Server support Keep-alive connections?

I'm a little new to this, so if I've missed something obvious please let me know!

Many thanks.

Andy Barlow - Chief Technology Officer - MBCS CENG EURING CITP
e: and...@sd...
t: +44 (0)7830 302 268
|
From: Niall G. <gal...@ya...> - 2010-09-09 00:40:19
|
Thanks for the info, I'll make sure it's copied to the build jar next time.

Niall

--- On Mon, 6/9/10, Michael Benzinger <mic...@gm...> wrote:

From: Michael Benzinger <mic...@gm...>
Subject: [Simpleweb-Support] FileIndexer.properties
To: sim...@li...
Received: Monday, 6 September, 2010, 6:26 AM

Hi all,

I was trying to make use of the built-in ability to decode the content type of a requested file resource. Unfortunately I kept getting "application/octetstream" for all file types irrespective of their extensions. I traced the problem to a missing resource bundle. As it turns out, the file "FileIndexer.properties" is not in the supplied jar file. I added it from the sources and the code works correctly.

If possible, can you adjust your build scripts to copy this to the class directory so that it is included when building the jar in future releases?

Regards,
Mike Benzinger
|
From: Michael B. <mic...@gm...> - 2010-09-06 13:26:34
|
Hi all,

I was trying to make use of the built-in ability to decode the content type of a requested file resource. Unfortunately I kept getting "application/octetstream" for all file types irrespective of their extensions. I traced the problem to a missing resource bundle. As it turns out, the file "FileIndexer.properties" is not in the supplied jar file. I added it from the sources and the code works correctly.

If possible, can you adjust your build scripts to copy this to the class directory so that it is included when building the jar in future releases?

Regards,
Mike Benzinger
|
From: Brad M. <br...@br...> - 2010-08-04 19:53:37
|
yeah, from googling it looks like that's a common problem for people setting up ssl. Once you know the error it's straightforward

Very nice code, by the way :)

Cheers,
Brad

Niall Gallagher wrote:
> Hi,
>
> I really must add better support for logging. This is my next goal. Glad you found the issue.
>
> Niall
>
> --- On Mon, 8/2/10, Brad McEvoy <br...@br...> wrote:
>
> From: Brad McEvoy <br...@br...>
> Subject: Re: [Simpleweb-Support] Getting started with SSL
> To: "Simple support and user issues" <sim...@li...>
> Date: Monday, August 2, 2010, 4:32 AM
>
> Got it. Added some logging and found this exception which was being caught but not logged in Task.run()
>
> Now to figure out why there's no cipher suites...
>
> javax.net.ssl.SSLHandshakeException: no cipher suites in common
>     at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:938)
>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:465)
>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:701)
>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:669)
>     at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)
>     at org.simpleframework.transport.Handshake.read(Handshake.java:272)
>     at org.simpleframework.transport.Handshake.read(Handshake.java:256)
>     at org.simpleframework.transport.Handshake.exchange(Handshake.java:240)
>     at org.simpleframework.transport.Handshake.process(Handshake.java:203)
>     at org.simpleframework.transport.Handshake.resume(Handshake.java:182)
>     at org.simpleframework.transport.Task.execute(Task.java:130)
>     at org.simpleframework.transport.Task.run(Task.java:90)
>     at org.simpleframework.transport.Handshake.resume(Handshake.java:186)
>     at org.simpleframework.transport.Handshake.begin(Handshake.java:166)
>     at org.simpleframework.transport.Handshake.run(Handshake.java:137)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
>     at java.lang.Thread.run(Thread.java:619)
> Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
>     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1366)
>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:189)
>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:177)
>     at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
>     at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:425)
>     at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:139)
>     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
>     at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:458)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:875)
>     at org.simpleframework.transport.Handshake.execute(Handshake.java:346)
>     at org.simpleframework.transport.Handshake.read(Handshake.java:284)
>     ... 12 more
>
> Brad McEvoy wrote:
>> I've checked and have the same issue with .21
>>
>> I've done the same check with xlightweb and it also works on my windows box and fails silently on the linux server, so it is definitely something I'm doing wrong.
>>
>> Just a couple of specific things:
>> - should the ssl protocol be SSL or TLS?
>> - if I've built the certificate incorrectly, should I expect to see a program error on startup (or at any time)?
>> - should the keystore type be JKS?
>> - should the keystore algorithm be SunX509?
>> - do any of these vary between windows and linux?
>> - should I expect the same certificate file to work on windows and linux?
>>
>> Thanks in advance.
>>
>> Brad
>>
>> Niall Gallagher wrote:
>>> Hi,
>>>
>>> Are you using 4.1.21 to test HTTPS? There have been a number of bugs fixed recently for HTTPS/SSL. I would advise you use 4.1.21.
>>>
>>> Niall
>>>
>>> --- On Sun, 8/1/10, Brad McEvoy <br...@br...> wrote:
>>>
>>> From: Brad McEvoy <br...@br...>
>>> Subject: [Simpleweb-Support] Getting started with SSL
>>> To: "Simple support and user issues" <sim...@li...>
>>> Date: Sunday, August 1, 2010, 7:26 PM
>>>
>>> Hi All,
>>>
>>> I'm having a problem with using SSL in SimpleHTTP. I'm sure I'm doing something dumb but am at a loss as to where to start.
>>>
>>> All works fine on my Windows development machine, but when I deploy to an Ubuntu server (Sun VM 1.6) I get a "Connection interrupted" error in firefox. I've confirmed connectivity on port 443 to the server.
>>>
>>> When using the SimpleSSLHelloWorld (adapted for my own certificate and password) there is no output from logging and the handle method doesn't get called.
>>>
>>> When I modify the code to directly setup the ContainerServer in my code I can see that the process method does indeed get called on the ContainerServer for a https request, which then calls process on the wrapped processor, but then there is no more console output, there are no exceptions thrown, nothing is returned to the browser and the handle method doesn't get called.
>>>
>>> I'm a bit unsure about the ssl config. If there was a configuration error, should I expect to see an error on startup? Is there some particular class in simple web that I can add logging to to see what's going wrong?
>>>
>>> I've attached my slightly modified form of the SimpleSSLHelloWorld and also my own implementation SslSimpletonServer, both of which show the same results.
>>>
>>> Any help would be greatly appreciated. I'm happy to do the digging myself but need to know where to stick my shovel!
>>>
>>> Cheers,
>>> Brad
>>>
>>> BTW: this is all part of a project to integrate simpleweb with milton (see http://milton.ettrema.com) for a very light weight webdav server
>>>
>>> Andrew Barlow wrote:
>>>> Thanks Niall - works like a charm on Safari 5 now...
>>>>
>>>> AndyB
>>>>
>>>> On 26 Jul 2010, at 20:48, Niall Gallagher wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have released 4.1.21 which fixes this issue by not requesting client authentication. If client authentication is needed it can be done just before the handshake begins by setting it on the SSLEngine associated with the org.simpleframework.transport.Socket.
>>>>>
>>>>> Regards,
>>>>> Niall
>>>>>
>>>>> --- On Thu, 7/8/10, Andrew Barlow <and...@sd...> wrote:
>>>>>
>>>>> From: Andrew Barlow <and...@sd...>
>>>>> Subject: [Simpleweb-Support] SSL client certificate request: Safari 5 problem?
>>>>> To: sim...@li...
>>>>> Date: Thursday, July 8, 2010, 1:14 AM
>>>>>
>>>>> Niall and Fabio kindly sent me links to example code for delivering web content over SSL, see http://sourceforge.net/mailarchive/forum.php?thread_name=AANLkTilp2LqrCGMJ5Io6hxFOJMLZqIYGNutDmYslm-gP%40mail.gmail.com&forum_name=simpleweb-support.
>>>>>
>>>>> As I need to use an existing signed certificate inside a Java keystore I've adopted/adapted Fabio's example which reads from the keystore file.
>>>>>
>>>>> I have set the SSLContext to "TLS".
>>>>>
>>>>> I've tested against a keystore containing a bona-fide signed certificate issued by Thawte and all is well across a range of browsers: Internet Explorer on Windows and Firefox, Opera, Chrome on Windows and Mac.
>>>>>
>>>>> However on Safari 5 (but NOT 4) on the Mac I encounter a message asking for a client certificate, see screenshot: <clientcertificate.png>
>>>>>
>>>>> Upon selecting a certificate (doesn't matter which), Safari then gives a message:
>>>>>
>>>>> "Safari can’t open the page “xxxx” because Safari can’t establish a secure connection to the server “xxxx”."
>>>>>
>>>>> On Windows behaviour is slightly different, Safari 5 simply displays the message without prompting for client certificate.
>>>>>
>>>>> As this works fine with other browsers, including earlier version of Safari could this be a Safari 5 issue that needs to be addressed by Apple?
>>>>>
>>>>> Andy Barlow - Chief Technology Officer - MBCS CENG EURING CITP
>>>>>
>>>>> e: and...@sd...
>>>>> t: +44 (0)7830 302 268
>>>>
>>>> Andy Barlow - Chief Technology Officer - MBCS CENG EURING CITP
>>>>
>>>> e: and...@sd...
>>>> t: +44 (0)7830 302 268
|
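A frequent cause of the `no cipher suites in common` handshake failure quoted in the message above is a server keystore with no usable private-key entry, which leaves the server with no certificate-based suite to offer. The following added example (not code from this thread or from Simple) checks a keystore for that condition before the server starts; the class name `KeystorePreflight`, the shared store/key password and the empty in-memory sample keystore are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

// Added example (hypothetical class name): pre-flight check for a server keystore.
public class KeystorePreflight {

    // Public-key types a JSSE server asks its key manager for while matching
    // the client's cipher suites against what it can authenticate with.
    private static final String[] KEY_TYPES = {"RSA", "DSA", "EC"};

    // Describes every alias: private key with chain, or certificate only.
    static List<String> describeEntries(KeyStore store) throws Exception {
        List<String> lines = new ArrayList<String>();
        for (String alias : Collections.list(store.aliases())) {
            String kind = store.isKeyEntry(alias)
                    ? "private key with certificate chain"
                    : "trusted certificate only (cannot authenticate a server)";
            lines.add(alias + ": " + kind);
        }
        return lines;
    }

    // Returns "TYPE:alias" for each key the server could present. An empty
    // list means the key manager has nothing to offer for any key type.
    static List<String> usableServerKeys(KeyStore store, char[] keyPassword) throws Exception {
        // "SunX509" is the algorithm named in the thread (Sun/Oracle/OpenJDK JSSE).
        KeyManagerFactory factory = KeyManagerFactory.getInstance("SunX509");
        factory.init(store, keyPassword); // throws if a key cannot be recovered
        List<String> usable = new ArrayList<String>();
        for (KeyManager manager : factory.getKeyManagers()) {
            if (!(manager instanceof X509KeyManager)) {
                continue;
            }
            X509KeyManager x509 = (X509KeyManager) manager;
            for (String type : KEY_TYPES) {
                String[] aliases = x509.getServerAliases(type, null);
                if (aliases != null) {
                    for (String alias : aliases) {
                        usable.add(type + ":" + alias);
                    }
                }
            }
        }
        return usable;
    }

    // Usage: java KeystorePreflight [keystore.jks [password]]
    public static void main(String[] args) throws Exception {
        // Assumption: the store password and the key password are the same.
        char[] password = args.length > 1 ? args[1].toCharArray() : new char[0];
        KeyStore store = KeyStore.getInstance("JKS");
        if (args.length > 0) {
            InputStream in = new FileInputStream(args[0]);
            try {
                store.load(in, password);
            } finally {
                in.close();
            }
        } else {
            // Constructed sample: an empty in-memory keystore, the degenerate
            // case of a keystore that holds no private key.
            store.load(null, null);
        }

        System.out.println("Entries (" + store.size() + "):");
        for (String line : describeEntries(store)) {
            System.out.println("  " + line);
        }

        List<String> usable = usableServerKeys(store, password);
        if (usable.isEmpty()) {
            System.out.println("FAIL: no usable server key; handshakes will be rejected");
            System.exit(1);
        }
        System.out.println("OK: server can authenticate with " + usable);
    }
}
```

Run without arguments it reports the failing case for the constructed empty keystore; pointing it at the deployed keystore file on each host shows whether the Windows and Linux copies really contain the same key entry.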
From: Niall G. <gal...@ya...> - 2010-08-04 11:49:32
|
Hi,

I really must add better support for logging. This is my next goal. Glad you found the issue.

Niall

--- On Mon, 8/2/10, Brad McEvoy <br...@br...> wrote:

From: Brad McEvoy <br...@br...>
Subject: Re: [Simpleweb-Support] Getting started with SSL
To: "Simple support and user issues" <sim...@li...>
Date: Monday, August 2, 2010, 4:32 AM

Got it. Added some logging and found this exception which was being caught but not logged in Task.run()

Now to figure out why there's no cipher suites...

javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:938)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:465)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:701)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:669)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)
    at org.simpleframework.transport.Handshake.read(Handshake.java:272)
    at org.simpleframework.transport.Handshake.read(Handshake.java:256)
    at org.simpleframework.transport.Handshake.exchange(Handshake.java:240)
    at org.simpleframework.transport.Handshake.process(Handshake.java:203)
    at org.simpleframework.transport.Handshake.resume(Handshake.java:182)
    at org.simpleframework.transport.Task.execute(Task.java:130)
    at org.simpleframework.transport.Task.run(Task.java:90)
    at org.simpleframework.transport.Handshake.resume(Handshake.java:186)
    at org.simpleframework.transport.Handshake.begin(Handshake.java:166)
    at org.simpleframework.transport.Handshake.run(Handshake.java:137)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
    at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1366)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:189)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:177)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:425)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:139)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:458)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:875)
    at org.simpleframework.transport.Handshake.execute(Handshake.java:346)
    at org.simpleframework.transport.Handshake.read(Handshake.java:284)
    ... 12 more

Brad McEvoy wrote:

I've checked and have the same issue with .21

I've done the same check with xlightweb and it also works on my Windows box and fails silently on the Linux server, so it is definitely something I'm doing wrong.

Just a couple of specific things:
- should the ssl protocol be SSL or TLS?
- if I've built the certificate incorrectly, should I expect to see a program error on startup (or at any time)?
- should the keystore type be JKS?
- should the keystore algorithm be SunX509?
- do any of these vary between Windows and Linux?
- should I expect the same certificate file to work on Windows and Linux?

Thanks in advance.

Brad

Niall Gallagher wrote:

Hi,

Are you using 4.1.21 to test HTTPS? There have been a number of bugs fixed recently for HTTPS/SSL. I would advise you use 4.1.21.

Niall

--- On Sun, 8/1/10, Brad McEvoy <br...@br...> wrote:

From: Brad McEvoy <br...@br...>
Subject: [Simpleweb-Support] Getting started with SSL
To: "Simple support and user issues" <sim...@li...>
Date: Sunday, August 1, 2010, 7:26 PM

Hi All,

I'm having a problem with using SSL in SimpleHTTP. I'm sure I'm doing something dumb but am at a loss as to where to start.

All works fine on my Windows development machine, but when I deploy to an Ubuntu server (Sun VM 1.6) I get a "Connection interrupted" error in Firefox. I've confirmed connectivity on port 443 to the server.

When using the SimpleSSLHelloWorld (adapted for my own certificate and password) there is no output from logging and the handle method doesn't get called.

When I modify the code to directly setup the ContainerServer in my code I can see that the process method does indeed get called on the ContainerServer for a https request, which then calls process on the wrapped processor, but then there is no more console output, there are no exceptions thrown, nothing is returned to the browser and the handle method doesn't get called.

I'm a bit unsure about the ssl config. If there was a configuration error, should I expect to see an error on startup? Is there some particular class in simple web that I can add logging to to see what's going wrong?

I've attached my slightly modified form of the SimpleSSLHelloWorld and also my own implementation SslSimpletonServer, both of which show the same results.

Any help would be greatly appreciated. I'm happy to do the digging myself but need to know where to stick my shovel!

Cheers,
Brad

BTW: this is all part of a project to integrate simpleweb with milton (see http://milton.ettrema.com) for a very lightweight webdav server

Andrew Barlow wrote:

Thanks Niall - works like a charm on Safari 5 now...

AndyB

On 26 Jul 2010, at 20:48, Niall Gallagher wrote:

Hi,

I have released 4.1.21 which fixes this issue by not requesting client authentication. If client authentication is needed it can be done just before the handshake begins by setting it on the SSLEngine associated with the org.simpleframework.transport.Socket.

Regards,
Niall

--- On Thu, 7/8/10, Andrew Barlow <and...@sd...> wrote:

From: Andrew Barlow <and...@sd...>
Subject: [Simpleweb-Support] SSL client certificate request: Safari 5 problem?
To: sim...@li...
Date: Thursday, July 8, 2010, 1:14 AM

Niall and Fabio kindly sent me links to example code for delivering web content over SSL, see http://sourceforge.net/mailarchive/forum.php?thread_name=AANLkTilp2LqrCGMJ5Io6hxFOJMLZqIYGNutDmYslm-gP%40mail.gmail.com&forum_name=simpleweb-support.

As I need to use an existing signed certificate inside a Java keystore I've adopted/adapted Fabio's example which reads from the keystore file.

I have set the SSLContext to "TLS".

I've tested against a keystore containing a bona-fide signed certificate issued by Thawte and all is well across a range of browsers: Internet Explorer on Windows and Firefox, Opera, Chrome on Windows and Mac.

However on Safari 5 (but NOT 4) on the Mac I encounter a message asking for a client certificate, see screenshot: <clientcertificate.png>

Upon selecting a certificate (doesn't matter which), Safari then gives a message:

"Safari can’t open the page “xxxx” because Safari can’t establish a secure connection to the server “xxxx”."

On Windows behaviour is slightly different, Safari 5 simply displays the message without prompting for client certificate.

As this works fine with other browsers, including earlier versions of Safari, could this be a Safari 5 issue that needs to be addressed by Apple?

Andy Barlow - Chief Technology Officer - MBCS CENG EURING CITP
e: and...@sd...
t: +44 (0)7830 302 268

The information in this email or facsimile is confidential and is intended solely for the addressee(s) and access to this email or facsimile by anyone else is unauthorised. If you are not the intended recipient then any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. Information expressed in this email or facsimile is not given or endorsed by my firm or employer unless otherwise indicated by an authorised representative independent of this message.

Andy Barlow - Chief Technology Officer - MBCS CENG EURING CITP
e: and...@sd...
t: +44 (0)7830 302 268
|
From: Brad M. <br...@br...> - 2010-08-02 11:32:36
|
Got it. Added some logging and found this exception which was being caught but not logged in Task.run()

Now to figure out why there's no cipher suites...

javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:938)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:465)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:701)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:669)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)
    at org.simpleframework.transport.Handshake.read(Handshake.java:272)
    at org.simpleframework.transport.Handshake.read(Handshake.java:256)
    at org.simpleframework.transport.Handshake.exchange(Handshake.java:240)
    at org.simpleframework.transport.Handshake.process(Handshake.java:203)
    at org.simpleframework.transport.Handshake.resume(Handshake.java:182)
    at org.simpleframework.transport.Task.execute(Task.java:130)
    at org.simpleframework.transport.Task.run(Task.java:90)
    at org.simpleframework.transport.Handshake.resume(Handshake.java:186)
    at org.simpleframework.transport.Handshake.begin(Handshake.java:166)
    at org.simpleframework.transport.Handshake.run(Handshake.java:137)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
    at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1366)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:189)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:177)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:425)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:139)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:458)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:875)
    at org.simpleframework.transport.Handshake.execute(Handshake.java:346)
    at org.simpleframework.transport.Handshake.read(Handshake.java:284)
    ... 12 more

Brad McEvoy wrote:
> I've checked and have the same issue with .21
>
> I've done the same check with xlightweb and it also works on my
> Windows box and fails silently on the Linux server, so it is
> definitely something I'm doing wrong.
>
> Just a couple of specific things:
> - should the ssl protocol be SSL or TLS?
> - if I've built the certificate incorrectly, should I expect to see a
>   program error on startup (or at any time)?
> - should the keystore type be JKS?
> - should the keystore algorithm be SunX509?
> - do any of these vary between Windows and Linux?
> - should I expect the same certificate file to work on Windows and Linux?
>
> Thanks in advance.
>
> Brad
>
> Niall Gallagher wrote:
>> Hi,
>>
>> Are you using 4.1.21 to test HTTPS? There have been a number of bugs
>> fixed recently for HTTPS/SSL. I would advise you use 4.1.21.
>>
>> Niall
>>
>> --- On Sun, 8/1/10, Brad McEvoy <br...@br...> wrote:
>>
>> From: Brad McEvoy <br...@br...>
>> Subject: [Simpleweb-Support] Getting started with SSL
>> To: "Simple support and user issues" <sim...@li...>
>> Date: Sunday, August 1, 2010, 7:26 PM
>>
>> Hi All,
>>
>> I'm having a problem with using SSL in SimpleHTTP. I'm sure I'm
>> doing something dumb but am at a loss as to where to start.
>>
>> All works fine on my Windows development machine, but when I
>> deploy to an Ubuntu server (Sun VM 1.6) I get a "Connection
>> interrupted" error in Firefox. I've confirmed connectivity on
>> port 443 to the server.
>>
>> When using the SimpleSSLHelloWorld (adapted for my own
>> certificate and password) there is no output from logging and the
>> handle method doesn't get called.
>>
>> When I modify the code to directly setup the ContainerServer in
>> my code I can see that the process method does indeed get called
>> on the ContainerServer for a https request, which then calls
>> process on the wrapped processor, but then there is no more
>> console output, there are no exceptions thrown, nothing is
>> returned to the browser and the handle method doesn't get called.
>>
>> I'm a bit unsure about the ssl config. If there was a
>> configuration error, should I expect to see an error on startup?
>> Is there some particular class in simple web that I can add
>> logging to to see what's going wrong?
>>
>> I've attached my slightly modified form of the
>> SimpleSSLHelloWorld and also my own implementation
>> SslSimpletonServer, both of which show the same results.
>>
>> Any help would be greatly appreciated. I'm happy to do the digging
>> myself but need to know where to stick my shovel!
>>
>> Cheers,
>> Brad
>>
>> BTW: this is all part of a project to integrate simpleweb with
>> milton (see http://milton.ettrema.com) for a very lightweight
>> webdav server
>>
>> Andrew Barlow wrote:
>>> Thanks Niall - works like a charm on Safari 5 now...
>>>
>>> AndyB
>>> On 26 Jul 2010, at 20:48, Niall Gallagher wrote:
>>>
>>>> Hi,
>>>>
>>>> I have released 4.1.21 which fixes this issue by not requesting
>>>> client authentication. If client authentication is needed it
>>>> can be done just before the handshake begins by setting it on
>>>> the SSLEngine associated with the
>>>> org.simpleframework.transport.Socket.
>>>>
>>>> Regards,
>>>> Niall
>>>>
>>>> --- On Thu, 7/8/10, Andrew Barlow <and...@sd...> wrote:
>>>>
>>>> From: Andrew Barlow <and...@sd...>
>>>> Subject: [Simpleweb-Support] SSL client certificate
>>>> request: Safari 5 problem?
>>>> To: sim...@li...
>>>> Date: Thursday, July 8, 2010, 1:14 AM
>>>>
>>>> Niall and Fabio kindly sent me links to example code for
>>>> delivering web content over SSL, see
>>>> http://sourceforge.net/mailarchive/forum.php?thread_name=AANLkTilp2LqrCGMJ5Io6hxFOJMLZqIYGNutDmYslm-gP%40mail.gmail.com&forum_name=simpleweb-support.
>>>>
>>>> As I need to use an existing signed certificate inside a
>>>> Java keystore I've adopted/adapted Fabio's example which
>>>> reads from the keystore file.
>>>>
>>>> I have set the SSLContext to "TLS".
>>>>
>>>> I've tested against a keystore containing a bona-fide
>>>> signed certificate issued by Thawte and all is well across
>>>> a range of browsers: Internet Explorer on Windows and
>>>> Firefox, Opera, Chrome on Windows and Mac.
>>>>
>>>> However on Safari 5 (but NOT 4) on the Mac I encounter a
>>>> message asking for a client certificate, see screenshot:
>>>> <clientcertificate.png>
>>>>
>>>> Upon selecting a certificate (doesn't matter which), Safari
>>>> then gives a message:
>>>>
>>>> "Safari can’t open the page “xxxx” because Safari can’t
>>>> establish a secure connection to the server “xxxx”."
>>>>
>>>> On Windows behaviour is slightly different, Safari 5 simply
>>>> displays the message without prompting for client certificate.
>>>>
>>>> As this works fine with other browsers, including earlier
>>>> versions of Safari, could this be a Safari 5 issue that
>>>> needs to be addressed by Apple?
>>>>
>>>> Andy Barlow - Chief Technology Officer - MBCS CENG EURING CITP
>>>>
>>>> e: and...@sd...
>>>> t: +44 (0)7830 302 268
>>>
>>> Andy Barlow - Chief Technology Officer - MBCS CENG EURING CITP
>>>
>>> e: and...@sd...
>>> t: +44 (0)7830 302 268
|
From: Brad M. <br...@br...> - 2010-08-02 10:53:31
|
I've checked and have the same issue with .21

I've done the same check with xlightweb and it also works on my Windows box and fails silently on the Linux server, so it is definitely something I'm doing wrong.

Just a couple of specific things:
- should the ssl protocol be SSL or TLS?
- if I've built the certificate incorrectly, should I expect to see a program error on startup (or at any time)?
- should the keystore type be JKS?
- should the keystore algorithm be SunX509?
- do any of these vary between Windows and Linux?
- should I expect the same certificate file to work on Windows and Linux?

Thanks in advance.

Brad

Niall Gallagher wrote:
> Hi,
>
> Are you using 4.1.21 to test HTTPS? There have been a number of bugs
> fixed recently for HTTPS/SSL. I would advise you use 4.1.21.
>
> Niall
>
> --- On Sun, 8/1/10, Brad McEvoy <br...@br...> wrote:
>
> From: Brad McEvoy <br...@br...>
> Subject: [Simpleweb-Support] Getting started with SSL
> To: "Simple support and user issues" <sim...@li...>
> Date: Sunday, August 1, 2010, 7:26 PM
>
> Hi All,
>
> I'm having a problem with using SSL in SimpleHTTP. I'm sure I'm
> doing something dumb but am at a loss as to where to start.
>
> All works fine on my Windows development machine, but when I
> deploy to an Ubuntu server (Sun VM 1.6) I get a "Connection
> interrupted" error in Firefox. I've confirmed connectivity on port
> 443 to the server.
>
> When using the SimpleSSLHelloWorld (adapted for my own certificate
> and password) there is no output from logging and the handle
> method doesn't get called.
>
> When I modify the code to directly setup the ContainerServer in my
> code I can see that the process method does indeed get called on
> the ContainerServer for a https request, which then calls process
> on the wrapped processor, but then there is no more console
> output, there are no exceptions thrown, nothing is returned to the
> browser and the handle method doesn't get called.
>
> I'm a bit unsure about the ssl config. If there was a
> configuration error, should I expect to see an error on startup?
> Is there some particular class in simple web that I can add
> logging to to see what's going wrong?
>
> I've attached my slightly modified form of the SimpleSSLHelloWorld
> and also my own implementation SslSimpletonServer, both of which
> show the same results.
>
> Any help would be greatly appreciated. I'm happy to do the digging
> myself but need to know where to stick my shovel!
>
> Cheers,
> Brad
>
> BTW: this is all part of a project to integrate simpleweb with
> milton (see http://milton.ettrema.com) for a very lightweight
> webdav server
>
> Andrew Barlow wrote:
>> Thanks Niall - works like a charm on Safari 5 now...
>>
>> AndyB
>> On 26 Jul 2010, at 20:48, Niall Gallagher wrote:
>>
>>> Hi,
>>>
>>> I have released 4.1.21 which fixes this issue by not requesting
>>> client authentication. If client authentication is needed it can
>>> be done just before the handshake begins by setting it on the
>>> SSLEngine associated with the org.simpleframework.transport.Socket.
>>>
>>> Regards,
>>> Niall
>>>
>>> --- On Thu, 7/8/10, Andrew Barlow <and...@sd...> wrote:
>>>
>>> From: Andrew Barlow <and...@sd...>
>>> Subject: [Simpleweb-Support] SSL client certificate request:
>>> Safari 5 problem?
>>> To: sim...@li...
>>> Date: Thursday, July 8, 2010, 1:14 AM
>>>
>>> Niall and Fabio kindly sent me links to example code for
>>> delivering web content over SSL, see
>>> http://sourceforge.net/mailarchive/forum.php?thread_name=AANLkTilp2LqrCGMJ5Io6hxFOJMLZqIYGNutDmYslm-gP%40mail.gmail.com&forum_name=simpleweb-support.
>>>
>>> As I need to use an existing signed certificate inside a
>>> Java keystore I've adopted/adapted Fabio's example which
>>> reads from the keystore file.
>>>
>>> I have set the SSLContext to "TLS".
>>>
>>> I've tested against a keystore containing a bona-fide signed
>>> certificate issued by Thawte and all is well across a range
>>> of browsers: Internet Explorer on Windows and Firefox,
>>> Opera, Chrome on Windows and Mac.
>>>
>>> However on Safari 5 (but NOT 4) on the Mac I encounter a
>>> message asking for a client certificate, see screenshot:
>>> <clientcertificate.png>
>>>
>>> Upon selecting a certificate (doesn't matter which), Safari
>>> then gives a message:
>>>
>>> "Safari can’t open the page “xxxx” because Safari can’t
>>> establish a secure connection to the server “xxxx”."
>>>
>>> On Windows behaviour is slightly different, Safari 5 simply
>>> displays the message without prompting for client certificate.
>>>
>>> As this works fine with other browsers, including earlier
>>> versions of Safari, could this be a Safari 5 issue that needs
>>> to be addressed by Apple?
>>>
>>> Andy Barlow - Chief Technology Officer - MBCS CENG EURING CITP
>>>
>>> e: and...@sd...
>>> t: +44 (0)7830 302 268
>>
>> Andy Barlow - Chief Technology Officer - MBCS CENG EURING CITP
>>
>> e: and...@sd...
>> t: +44 (0)7830 302 268
|
From: Brad M. <br...@br...> - 2010-08-02 10:22:02
|
I'm on .20 at the moment, will have a go with .21

Niall Gallagher wrote:
> Hi,
>
> Are you using 4.1.21 to test HTTPS? There have been a number of bugs
> fixed recently for HTTPS/SSL. I would advise you use 4.1.21.
>
> Niall
|
From: Niall G. <gal...@ya...> - 2010-08-02 10:13:45
|
Hi,

Are you using 4.1.21 to test HTTPS? There have been a number of bugs fixed recently for HTTPS/SSL. I would advise you use 4.1.21.

Niall

--- On Sun, 8/1/10, Brad McEvoy <br...@br...> wrote:

From: Brad McEvoy <br...@br...>
Subject: [Simpleweb-Support] Getting started with SSL
To: "Simple support and user issues" <sim...@li...>
Date: Sunday, August 1, 2010, 7:26 PM

Hi All,

I'm having a problem with using SSL in SimpleHTTP. I'm sure I'm doing something dumb but am at a loss as to where to start.

All works fine on my Windows development machine, but when I deploy to an Ubuntu server (Sun VM 1.6) I get a "Connection interrupted" error in Firefox. I've confirmed connectivity on port 443 to the server.

When using the SimpleSSLHelloWorld (adapted for my own certificate and password) there is no output from logging and the handle method doesn't get called.

When I modify the code to directly set up the ContainerServer in my code I can see that the process method does indeed get called on the ContainerServer for an https request, which then calls process on the wrapped processor, but then there is no more console output, there are no exceptions thrown, nothing is returned to the browser and the handle method doesn't get called.

I'm a bit unsure about the SSL config. If there was a configuration error, should I expect to see an error on startup? Is there some particular class in simple web that I can add logging to to see what's going wrong?

I've attached my slightly modified form of the SimpleSSLHelloWorld and also my own implementation SslSimpletonServer, both of which show the same results.

Any help would be greatly appreciated. I'm happy to do the digging myself but need to know where to stick my shovel!

Cheers,
Brad

BTW: this is all part of a project to integrate simpleweb with milton (see http://milton.ettrema.com) for a very lightweight webdav server
|
From: Brad M. <br...@br...> - 2010-08-02 02:46:50
|
package com.ettrema.berry.simple;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.PrintStream;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import org.simpleframework.http.Request;
import org.simpleframework.http.Response;
import org.simpleframework.http.core.Container;
import org.simpleframework.transport.connect.Connection;
import org.simpleframework.transport.connect.SocketConnection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 *
 * @author brad
 */
public class SimpleSSLHelloWorld implements Container{

    private static final Logger log = LoggerFactory.getLogger(SimpleSSLHelloWorld.class);

    public static int count = 0;
    public static String EMTPY_STRING = "";
    public static String KEYSTORE_PROPERTY = "javax.net.ssl.keyStore";
    public static String KEYSTORE_PASSWORD_PROPERTY = "javax.net.ssl.keyStorePassword";
    public static String KEYSTORE_TYPE_PROPERTY = "javax.net.ssl.keyStoreType";
    public static String KEYSTORE_ALIAS_PROPERTY = "javax.net.ssl.keyStoreAlias";

    public int serverPort = 443;
    private String keystore;
    private String password;

    public SimpleSSLHelloWorld(int serverPort, String keystore, String password) throws Exception {
        // System.setProperty("javax.net.debug", "all");
        setServerPort( serverPort );
        setKeystore( keystore );
        setPassword( password );

        SocketAddress address = new InetSocketAddress(serverPort);
        SSLContext sslContext = SimpleSSLHelloWorld.createSSLContext();
        SocketConnection connectionHttps = new SocketConnection(this);
        connectionHttps.connect(address, sslContext);
        System.out.println("Simple Server started on port: " + serverPort);
    }

    public int getServerPort() {
        return serverPort;
    }

    public void setServerPort( int serverPort ) {
        this.serverPort = serverPort;
    }

    public String getKeystore() {
        return keystore;
    }

    // Also publishes the keystore path as a system property, which createSSLContext() reads back.
    public void setKeystore( String keystore ) {
        this.keystore = keystore;
        System.setProperty(SimpleSSLHelloWorld.KEYSTORE_PROPERTY, keystore); // "C:\\keystores\\proxy.keystore"
    }

    public String getPassword() {
        return password;
    }

    // Also publishes the password as a system property, which createSSLContext() reads back.
    public void setPassword( String password ) {
        this.password = password;
        System.setProperty(SimpleSSLHelloWorld.KEYSTORE_PASSWORD_PROPERTY, password); // "proxypasswd"
    }

    public void handle(final Request request, final Response response) {
        log.debug( "handle");
        try {
            SimpleSSLHelloWorld.logRequest(request);
            SimpleSSLHelloWorld.dummyResponse(response);
            SimpleSSLHelloWorld.logResponse(response);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static SSLContext createSSLContext() throws Exception {
        log.debug( "createSSLContext");
        String keyStoreFile = System.getProperty(SimpleSSLHelloWorld.KEYSTORE_PROPERTY);
        String keyStorePassword = System.getProperty(SimpleSSLHelloWorld.KEYSTORE_PASSWORD_PROPERTY, SimpleSSLHelloWorld.EMTPY_STRING);
        String keyStoreType = System.getProperty(SimpleSSLHelloWorld.KEYSTORE_TYPE_PROPERTY, KeyStore.getDefaultType());

        // The keystore is loaded here and then loaded again below using the configured type.
        KeyStore keyStore = SimpleSSLHelloWorld.loadKeyStore(keyStoreFile, keyStorePassword, null);
        FileInputStream keyStoreFileInpuStream = null;
        try {
            if (keyStoreFile != null) {
                keyStoreFileInpuStream = new FileInputStream(keyStoreFile);
                keyStore = KeyStore.getInstance(keyStoreType);
                keyStore.load(keyStoreFileInpuStream, keyStorePassword.toCharArray());
            }
        } finally {
            if (keyStoreFileInpuStream != null) {
                keyStoreFileInpuStream.close();
            }
        }

        // The store password is also used as the password for the private key.
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, keyStorePassword.toCharArray());

        SSLContext sslContext = SSLContext.getInstance("SSL");
        // sslContext.init(keyManagerFactory.getKeyManagers(), new TrustManager[]{new NaiveX509TrustManager()}, null);
        sslContext.init(keyManagerFactory.getKeyManagers(), null, null);
        return sslContext;
    }

    public static KeyStore loadKeyStore(final String keyStoreFilePath, final String keyStorePassword, final String keyStoreType) throws Exception {
        KeyStore keyStore = null;
        if (keyStoreFilePath == null) {
            return null; // no keystore configured; new File(null) would throw
        }
        File keyStoreFile = new File(keyStoreFilePath);
        if (keyStoreFile.isFile()) {
            keyStore = KeyStore.getInstance(keyStoreType != null ? keyStoreType : KeyStore.getDefaultType());
            FileInputStream in = new FileInputStream(keyStoreFile);
            try {
                keyStore.load(in, keyStorePassword != null ? keyStorePassword.toCharArray() : SimpleSSLHelloWorld.EMTPY_STRING.toCharArray());
            } finally {
                in.close(); // the stream was previously left open
            }
        }
        return keyStore;
    }

    public static void logRequest(final Request request) throws IOException {
        StringBuilder builder = new StringBuilder();
        builder.append(">>> REQUEST\n");
        builder.append(request);
        builder.append(request.getContent());
        System.out.println(builder);
    }

    public static void logResponse(final Response response) throws IOException {
        StringBuilder builder = new StringBuilder();
        builder.append("<<< RESPONSE\n");
        builder.append(response);
        if (response.getContentLength() > 0) {
            builder.append("... ").append(response.getContentLength()).append(" bytes ...\n");
        }
        System.out.println(builder);
    }

    public static void dummyResponse(final Response response) throws IOException {
        PrintStream body = response.getPrintStream();
        long time = System.currentTimeMillis();
        response.set("Content-Type", "text/plain");
        response.set("Server", "SSL HelloWorld/1.0 (Simple 4.0)");
        response.setDate("Date", time);
        response.setDate("Last-Modified", time);
        body.println("Hello World: " + ++SimpleSSLHelloWorld.count);
        body.close();
    }
}
|
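A startup check for the keystore handling in the listing above, as an added example that is not part of Brad's attachment or of Simple. JSSE builds an SSLContext from a keystore that holds no private key without raising an error, so the check inspects the entries itself; the class name, the `changeit` password and the in-memory empty keystore are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

/** Added example: fail-fast keystore diagnostics to run before binding the HTTPS port. */
public class KeystoreStartupCheck {

    /**
     * Loads the keystore and returns the problems that would stop it serving
     * as a TLS server identity. An empty list means it looks usable.
     */
    public static List<String> check(InputStream in, String type, char[] password)
            throws Exception {
        List<String> problems = new ArrayList<String>();
        KeyStore store = KeyStore.getInstance(type);
        store.load(in, password); // IOException here: wrong store password or damaged file

        int keyEntries = 0;
        for (String alias : Collections.list(store.aliases())) {
            if (!store.isKeyEntry(alias)) {
                continue; // certificate-only entry, cannot identify a server
            }
            keyEntries++;
            try {
                // The listing hands the store password to KeyManagerFactory.init,
                // so every private key must be readable with that same password.
                store.getKey(alias, password);
            } catch (UnrecoverableKeyException e) {
                problems.add("key '" + alias + "' is not readable with the store password");
            }
            Certificate cert = store.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                try {
                    ((X509Certificate) cert).checkValidity();
                } catch (CertificateException e) {
                    problems.add("certificate for '" + alias + "' is outside its validity period");
                }
            }
        }
        if (keyEntries == 0) {
            problems.add("no private-key entry found; the server has nothing to present");
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an empty keystore, serialised in memory.
        char[] password = "changeit".toCharArray(); // placeholder password
        String type = KeyStore.getDefaultType();
        KeyStore empty = KeyStore.getInstance(type);
        empty.load(null, null);
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        empty.store(bytes, password);

        // JSSE accepts the empty store: neither init call throws.
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(empty, password);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(), null, null);
        System.out.println("SSLContext created without error");

        // The explicit check reports what would otherwise surface only as a failed handshake.
        List<String> problems =
                check(new ByteArrayInputStream(bytes.toByteArray()), type, password);
        for (String problem : problems) {
            System.out.println("PROBLEM: " + problem);
        }
    }
}
```

Setting the `javax.net.debug` system property, which the listing has commented out, makes JSSE print the handshake trace when a check like this comes back clean.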
From: Andrew B. <and...@sd...> - 2010-07-27 08:01:19
|
Thanks Niall - works like a charm on Safari 5 now...

AndyB

On 26 Jul 2010, at 20:48, Niall Gallagher wrote:

> Hi,
>
> I have released 4.1.21 which fixes this issue by not requesting client authentication. If client authentication is needed it can be done just before the handshake begins by setting it on the SSLEngine associated with the org.simpleframework.transport.Socket.
>
> Regards,
> Niall

Andy Barlow - Chief Technology Officer - MBCS CENG EURING CITP

e: and...@sd...
t: +44 (0)7830 302 268
|
From: Niall G. <gal...@ya...> - 2010-07-26 19:48:15
|
Hi,

I have released 4.1.21 which fixes this issue by not requesting client authentication. If client authentication is needed it can be done just before the handshake begins by setting it on the SSLEngine associated with the org.simpleframework.transport.Socket.

Regards,
Niall

--- On Thu, 7/8/10, Andrew Barlow <and...@sd...> wrote:

From: Andrew Barlow <and...@sd...>
Subject: [Simpleweb-Support] SSL client certificate request: Safari 5 problem?
To: sim...@li...
Date: Thursday, July 8, 2010, 1:14 AM

Niall and Fabio kindly sent me links to example code for delivering web content over SSL, see http://sourceforge.net/mailarchive/forum.php?thread_name=AANLkTilp2LqrCGMJ5Io6hxFOJMLZqIYGNutDmYslm-gP%40mail.gmail.com&forum_name=simpleweb-support.

As I need to use an existing signed certificate inside a Java keystore I've adopted/adapted Fabio's example which reads from the keystore file.

I have set the SSLContext to "TLS".

I've tested against a keystore containing a bona-fide signed certificate issued by Thawte and all is well across a range of browsers: Internet Explorer on Windows and Firefox, Opera, Chrome on Windows and Mac.

However on Safari 5 (but NOT 4) on the Mac I encounter a message asking for a client certificate, see screenshot:

Upon selecting a certificate (doesn't matter which), Safari then gives a message:

"Safari can’t open the page “xxxx” because Safari can’t establish a secure connection to the server “xxxx”."

On Windows behaviour is slightly different, Safari 5 simply displays the message without prompting for client certificate.

As this works fine with other browsers, including earlier versions of Safari, could this be a Safari 5 issue that needs to be addressed by Apple?

Andy Barlow - Chief Technology Officer - MBCS CENG EURING CITP
|
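The JSSE switches that the message above refers to, as an added example that is not code from Simple: a server-side `SSLEngine` can request a client certificate (`setWantClientAuth`) or require one (`setNeedClientAuth`), and each call overrides the other. The `ClientAuthModes` class and its helper names are assumptions; how Simple exposes the engine is not shown here.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Added example: the client-certificate policies of a server-side SSLEngine. */
public class ClientAuthModes {

    /** NONE: never ask. WANT: ask, continue without one. NEED: ask, abort without one. */
    public enum ClientAuth { NONE, WANT, NEED }

    /** Sets the policy on a server-mode engine. Call before the handshake begins. */
    public static void apply(SSLEngine engine, ClientAuth policy) {
        engine.setUseClientMode(false);
        switch (policy) {
            case NEED:
                engine.setNeedClientAuth(true);
                break;
            case WANT:
                engine.setWantClientAuth(true);
                break;
            default:
                engine.setWantClientAuth(false); // clears a previous want or need
        }
    }

    /** Reads back the policy the engine will actually use. */
    public static ClientAuth read(SSLEngine engine) {
        if (engine.getNeedClientAuth()) {
            return ClientAuth.NEED;
        }
        if (engine.getWantClientAuth()) {
            return ClientAuth.WANT;
        }
        return ClientAuth.NONE;
    }

    /** Guard for endpoints that rely on client certificates for authentication. */
    public static void requireMutualTls(SSLEngine engine) {
        if (read(engine) != ClientAuth.NEED) {
            throw new IllegalStateException(
                    "client certificates are not enforced: policy is " + read(engine));
        }
    }

    public static void main(String[] args) throws Exception {
        // A context with default key and trust material is enough to inspect the flags.
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, null, null);

        for (ClientAuth policy : ClientAuth.values()) {
            SSLEngine engine = context.createSSLEngine();
            apply(engine, policy);
            System.out.println(policy + " -> want=" + engine.getWantClientAuth()
                    + " need=" + engine.getNeedClientAuth());
        }

        // Override behaviour: a later 'want' silently replaces an earlier 'need'.
        SSLEngine engine = context.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(true);
        engine.setWantClientAuth(true);
        System.out.println("need then want -> " + read(engine));
        try {
            requireMutualTls(engine);
        } catch (IllegalStateException e) {
            System.out.println("guard tripped: " + e.getMessage());
        }
    }
}
```

With the WANT policy the handshake completes even when the browser sends no certificate, so an application that needs the client's identity still has to inspect the peer certificates on the session afterwards.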
From: <nia...@rb...> - 2010-07-13 10:37:03
|
Hi,

I am removing this from the Handshake as it is not required, in future implementations wanting client authentication will have to intercept the SSLEngine in the transport layer to set the value. This allows for customization without forcing the client to ask for the certificate. This should be released this week some time.

Niall

-----Original Message-----
From: Bruno Harbulot [mailto:Bru...@ma...]
Sent: 09 July 2010 10:05
To: Andrew Barlow
Cc: GALLAGHER, Niall, GBM
Subject: Re: [Simpleweb-Support] SSL client certificate request: Safari 5 problem?

Hi,

setWantClientAuth(true) is hard-coded in org.simpleframework.transport.Handshake (run() method):
http://www.simpleframework.org/doc/source/org.simpleframework.transport.Handshake.html

There would need to be a way to pass a parameter there, I'm not sure how.

Best wishes,

Bruno.

On 09/07/2010 09:52, Andrew Barlow wrote:
> Thanks Bruno
>
> I don't need to authenticate the client certificate.
>
> Do you know of any way to switch this off in Simple?
>
> AndyB
>
> On 8 Jul 2010, at 23:57, Bruno Harbulot wrote:
>
>> Hi,
>>
>> SimpleWeb always requests (but doesn't require) a client certificate during the SSL handshake.
>>
>> Safari's client-certificate mechanism was broken (it wouldn't prompt when it should have) so that's probably why the message didn't appear in version 4. I guess this has been fixed in Safari 5 (but I haven't tried).
>>
>> For the certificate to be accepted, it would need to be verifiable by the server, so its emitter (or something higher up in the chain) should be in the server's trust store.
>>
>> If you're not really using client-certificate authentication and seeing this only as a side-effect of SimpleWeb requesting a client certificate by default (I think it's hard-coded in fact), I'd suggest clicking on Cancel rather than choosing a certificate. This shouldn't send a client-cert and thus the server wouldn't have to verify it.
>>
>> Best wishes,
>>
>> Bruno.
>>
>> On 08/07/2010 10:14, Andrew Barlow wrote:
>>> Niall and Fabio kindly sent me links to example code for delivering web content over SSL, see
>>> http://sourceforge.net/mailarchive/forum.php?thread_name=AANLkTilp2LqrCGMJ5Io6hxFOJMLZqIYGNutDmYslm-gP%40mail.gmail.com&forum_name=simpleweb-support
>>>
>>> As I need to use an existing signed certificate inside a Java keystore I've adopted/adapted Fabio's example which reads from the keystore file.
>>>
>>> I have set the SSLContext to "TLS".
>>>
>>> I've tested against a keystore containing a bona-fide signed certificate issued by Thawte and all is well across a range of browsers: Internet Explorer on Windows and Firefox, Opera, Chrome on Windows and Mac.
>>>
>>> However on Safari 5 (but NOT 4) on the Mac I encounter a message asking for a client certificate, see screenshot:
>>>
>>> Upon selecting a certificate (doesn't matter which), Safari then gives a message:
>>>
>>> "Safari can't open the page "xxxx" because Safari can't establish a secure connection to the server "xxxx".
>>>
>>> On Windows behaviour is slightly different, Safari 5 simply displays the message without prompting for client certificate.
>>>
>>> As this works fine with other browsers, including earlier version of Safari could this be a Safari 5 issue that needs to be addressed by Apple?
>>>
>>> Andy Barlow - Chief Technology Officer - MBCS CENG EURING CITP
>>> e: and...@sd...
>>> t: +44 (0)7830 302 268
>
> Andy Barlow - Chief Technology Officer - MBCS CENG EURING CITP
> e: and...@sd...
> t: +44 (0)7830 302 268
|
From: <nia...@rb...> - 2010-07-09 09:06:55
|
Hi,

Currently this is hardcoded in the handshake as setWantClientAuth, it should really be configurable. I will add better configuration options in the next release. You can override this in a hacky kind of way. To do this you would need to wrap the SSLEngine for the org.simpleframework.transport.Socket in your own SSLEngine like so.

    import javax.net.ssl.SSLEngine;

    public class MySSLEngineWrapper extends SSLEngine {

       private final SSLEngine realEngine;

       public MySSLEngineWrapper(SSLEngine realEngine) {
          this.realEngine = realEngine;
       }

       // .. add proxy methods that delegate to the realEngine here

       public void setWantClientAuth(boolean value) {
          realEngine.setWantClientAuth(false); // here we set false always because we do not want auth
       }
    }

This should work, but it's a bit ugly.

Niall

Niall Gallagher
RBS Global Banking & Markets
Office: +44 2070851454

________________________________
From: Andrew Barlow [mailto:and...@sd...]
Sent: 09 July 2010 08:53
To: Bruno Harbulot
Cc: GALLAGHER, Niall, GBM
Subject: Re: [Simpleweb-Support] SSL client certificate request: Safari 5 problem?

Thanks Bruno

I don't need to authenticate the client certificate.

Do you know of any way to switch this off in Simple?

AndyB

On 8 Jul 2010, at 23:57, Bruno Harbulot wrote:

Hi,

SimpleWeb always requests (but doesn't require) a client certificate during the SSL handshake.

Safari's client-certificate mechanism was broken (it wouldn't prompt when it should have) so that's probably why the message didn't appear in version 4. I guess this has been fixed in Safari 5 (but I haven't tried).

For the certificate to be accepted, it would need to be verifiable by the server, so its emitter (or something higher up in the chain) should be in the server's trust store.

If you're not really using client-certificate authentication and seeing this only as a side-effect of SimpleWeb requesting a client certificate by default (I think it's hard-coded in fact), I'd suggest clicking on Cancel rather than choosing a certificate. This shouldn't send a client-cert and thus the server wouldn't have to verify it.

Best wishes,

Bruno.

On 08/07/2010 10:14, Andrew Barlow wrote:

Niall and Fabio kindly sent me links to example code for delivering web content over SSL, see
http://sourceforge.net/mailarchive/forum.php?thread_name=AANLkTilp2LqrCGMJ5Io6hxFOJMLZqIYGNutDmYslm-gP%40mail.gmail.com&forum_name=simpleweb-support

As I need to use an existing signed certificate inside a Java keystore I've adopted/adapted Fabio's example which reads from the keystore file.

I have set the SSLContext to "TLS".

I've tested against a keystore containing a bona-fide signed certificate issued by Thawte and all is well across a range of browsers: Internet Explorer on Windows and Firefox, Opera, Chrome on Windows and Mac.

However on Safari 5 (but NOT 4) on the Mac I encounter a message asking for a client certificate, see screenshot:

Upon selecting a certificate (doesn't matter which), Safari then gives a message:

"Safari can't open the page "xxxx" because Safari can't establish a secure connection to the server "xxxx".

On Windows behaviour is slightly different, Safari 5 simply displays the message without prompting for client certificate.

As this works fine with other browsers, including earlier version of Safari could this be a Safari 5 issue that needs to be addressed by Apple?

Andy Barlow - Chief Technology Officer - MBCS CENG EURING CITP
e: and...@sd...
t: +44 (0)7830 302 268
|
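Added example (not part of the thread and not Simple's own code): the delegating wrapper sketched in the 9 July message above, written out in full so that it compiles against the JDK alone. The class name NoClientAuthEngine is an assumption, and how the wrapped engine is installed on Simple's transport is left out because the thread does not show it.

```java
import java.nio.ByteBuffer;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;

/** Delegates to a real SSLEngine but never lets "want client auth" be switched on. */
public class NoClientAuthEngine extends SSLEngine {

    private final SSLEngine real;

    public NoClientAuthEngine(SSLEngine real) {
        super(real.getPeerHost(), real.getPeerPort());
        this.real = real;
    }

    // The one override that changes behaviour: a request to *ask* for a client
    // certificate is dropped. In JSSE setWantClientAuth and setNeedClientAuth
    // override each other, so "want" is only cleared when "need" is not set;
    // otherwise an explicit requirement for client certificates would be lost.
    @Override public void setWantClientAuth(boolean want) {
        if (!real.getNeedClientAuth()) {
            real.setWantClientAuth(false);
        }
    }

    // Everything else is plain delegation.
    @Override public boolean getWantClientAuth() { return real.getWantClientAuth(); }
    @Override public void setNeedClientAuth(boolean need) { real.setNeedClientAuth(need); }
    @Override public boolean getNeedClientAuth() { return real.getNeedClientAuth(); }
    @Override public SSLEngineResult wrap(ByteBuffer[] srcs, int offset, int length,
            ByteBuffer dst) throws SSLException {
        return real.wrap(srcs, offset, length, dst);
    }
    @Override public SSLEngineResult unwrap(ByteBuffer src, ByteBuffer[] dsts, int offset,
            int length) throws SSLException {
        return real.unwrap(src, dsts, offset, length);
    }
    @Override public Runnable getDelegatedTask() { return real.getDelegatedTask(); }
    @Override public void closeInbound() throws SSLException { real.closeInbound(); }
    @Override public boolean isInboundDone() { return real.isInboundDone(); }
    @Override public void closeOutbound() { real.closeOutbound(); }
    @Override public boolean isOutboundDone() { return real.isOutboundDone(); }
    @Override public String[] getSupportedCipherSuites() { return real.getSupportedCipherSuites(); }
    @Override public String[] getEnabledCipherSuites() { return real.getEnabledCipherSuites(); }
    @Override public void setEnabledCipherSuites(String[] s) { real.setEnabledCipherSuites(s); }
    @Override public String[] getSupportedProtocols() { return real.getSupportedProtocols(); }
    @Override public String[] getEnabledProtocols() { return real.getEnabledProtocols(); }
    @Override public void setEnabledProtocols(String[] p) { real.setEnabledProtocols(p); }
    @Override public SSLSession getSession() { return real.getSession(); }
    @Override public void beginHandshake() throws SSLException { real.beginHandshake(); }
    @Override public SSLEngineResult.HandshakeStatus getHandshakeStatus() {
        return real.getHandshakeStatus();
    }
    @Override public void setUseClientMode(boolean mode) { real.setUseClientMode(mode); }
    @Override public boolean getUseClientMode() { return real.getUseClientMode(); }
    @Override public void setEnableSessionCreation(boolean f) { real.setEnableSessionCreation(f); }
    @Override public boolean getEnableSessionCreation() { return real.getEnableSessionCreation(); }

    /** Summarises the client-auth state of an engine for the demonstration below. */
    static String state(SSLEngine e) {
        return "want=" + e.getWantClientAuth() + " need=" + e.getNeedClientAuth();
    }

    public static void main(String[] args) throws Exception {
        // Case 1: the handshake code asks for a certificate; the wrapper drops the request.
        SSLEngine a = new NoClientAuthEngine(SSLContext.getDefault().createSSLEngine());
        a.setUseClientMode(false);
        a.setWantClientAuth(true);
        System.out.println("after setWantClientAuth(true): " + state(a));

        // Case 2: a certificate was explicitly required first; that setting survives.
        SSLEngine b = new NoClientAuthEngine(SSLContext.getDefault().createSSLEngine());
        b.setUseClientMode(false);
        b.setNeedClientAuth(true);
        b.setWantClientAuth(true);
        System.out.println("need set first, then want:     " + state(b));
    }
}
```

With neither flag set the server sends no certificate request during the handshake, which is what removes the browser prompt discussed in the thread.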
From: Bruno H. <Bru...@ma...> - 2010-07-08 22:58:00
|
Hi,

SimpleWeb always requests (but doesn't require) a client certificate during the SSL handshake.

Safari's client-certificate mechanism was broken (it wouldn't prompt when it should have) so that's probably why the message didn't appear in version 4. I guess this has been fixed in Safari 5 (but I haven't tried).

For the certificate to be accepted, it would need to be verifiable by the server, so its emitter (or something higher up in the chain) should be in the server's trust store.

If you're not really using client-certificate authentication and seeing this only as a side-effect of SimpleWeb requesting a client certificate by default (I think it's hard-coded in fact), I'd suggest clicking on Cancel rather than choosing a certificate. This shouldn't send a client-cert and thus the server wouldn't have to verify it.

Best wishes,

Bruno.

On 08/07/2010 10:14, Andrew Barlow wrote:
> Niall and Fabio kindly sent me links to example code for delivering web content over SSL, see
> http://sourceforge.net/mailarchive/forum.php?thread_name=AANLkTilp2LqrCGMJ5Io6hxFOJMLZqIYGNutDmYslm-gP%40mail.gmail.com&forum_name=simpleweb-support
>
> As I need to use an existing signed certificate inside a Java keystore I've adopted/adapted Fabio's example which reads from the keystore file.
>
> I have set the SSLContext to "TLS".
>
> I've tested against a keystore containing a bona-fide signed certificate issued by Thawte and all is well across a range of browsers: Internet Explorer on Windows and Firefox, Opera, Chrome on Windows and Mac.
>
> However on Safari 5 (but NOT 4) on the Mac I encounter a message asking for a client certificate, see screenshot:
>
> Upon selecting a certificate (doesn't matter which), Safari then gives a message:
>
> "Safari can’t open the page “xxxx” because Safari can’t establish a secure connection to the server “xxxx”.
>
> On Windows behaviour is slightly different, Safari 5 simply displays the message without prompting for client certificate.
>
> As this works fine with other browsers, including earlier version of Safari could this be a Safari 5 issue that needs to be addressed by Apple?
>
> Andy Barlow - Chief Technology Officer - MBCS CENG EURING CITP
> e: and...@sd...
> t: +44 (0)7830 302 268
|
From: <nia...@rb...> - 2010-07-08 09:48:26
|
I would say create the server to use only a small amount of threads then hand off the task to a separate thread like so.

    public void handle(final Request req, final Response resp) {
       // hand the long-running stream to a separate pool so the server's own thread is released
       threadPool.execute(new Runnable() {
          public void run() {
             try {
                streamVideo(req, resp);
                resp.close();
             } catch(Exception e) {
                log.report(e);
             }
          }
       });
    }

Here you ensure that regardless of the number of threads being used by the server, you can handle any number of live video streams by providing a thread pool to service the streams.

Niall Gallagher
RBS Global Banking & Markets
Office: +44 2070851454

-----Original Message-----
From: Farhad [mailto:xa...@gm...]
Sent: 08 July 2010 10:42
To: Simple support and user issues
Subject: Re: [Simpleweb-Support] Outputing MJPEG

Thanks might, that worked like a charm. The client is a standard web browser. I wonder though, is it ok to use the same thread created by Simple to do the output, since it will get busy for a long time.

Thanks

On 7 Jul 2010, at 18:00, <nia...@rb...> wrote:

> What is the client? Is it a HTTP client? If you do not specify a content length the Simple will send it as chunked encoded which a HTTP/1.1 client should be able to support.
>
> If you want no processing then you can set to connection close semantics like so.
>
>     resp.set("Connection", "close")
>
> This will mean there is no modification of the response, and the connection is closed only if you invoke the OutputStream.close().
>
> Niall Gallagher
> RBS Global Banking & Markets
> Office: +44 2070851454
>
> -----Original Message-----
> From: Farhad [mailto:xa...@gm...]
> Sent: 07 July 2010 12:07
> To: sim...@li...
> Subject: [Simpleweb-Support] Outputing MJPEG
>
> Hi,
>
> We would like to use Simple to receive a HTTP request with a Container and extract the OutputStream, which we then use to output a live multipart MJPG video stream.
>
> When this is done using a plain java ServerSocket the browser has no problem with displaying the video. However this is not the case when using Simple.
>
> Obviously Simple parses the output and modifies it according to HTTP standards. Is there a way to get the actual socket outputstream in a Container (and possibly pass it over to another thread) and then prevent Simple from closing it or processing it?
>
> Thanks
|
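Added example (not from the thread, and not Simple's API): the hand-off described in the 8 July message above, with the pool bounded so that long-lived streams cannot hold an unlimited number of threads, together with the multipart framing an MJPEG stream needs. It writes to a plain java.io.OutputStream; the class name, boundary token, pool size and the marker-only sample frame are assumptions constructed for the example.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.SynchronousQueue;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;

public class MjpegStreamPool {

    static final String BOUNDARY = "frame";   // constructed boundary token
    static final int MAX_STREAMS = 4;         // assumed cap on concurrent streams

    // Direct hand-off queue: a task either gets a thread immediately or is
    // rejected, so a saturated pool never leaves a viewer waiting in a queue.
    static final ThreadPoolExecutor POOL = new ThreadPoolExecutor(
            0, MAX_STREAMS, 30, TimeUnit.SECONDS,
            new SynchronousQueue<Runnable>(),
            new ThreadPoolExecutor.AbortPolicy());

    /** Content-Type value the response must carry before the first frame. */
    static String contentType() {
        return "multipart/x-mixed-replace; boundary=" + BOUNDARY;
    }

    /** Writes one JPEG image as a single multipart part and flushes it. */
    static void writeFrame(OutputStream out, byte[] jpeg) throws IOException {
        String head = "--" + BOUNDARY + "\r\n"
                + "Content-Type: image/jpeg\r\n"
                + "Content-Length: " + jpeg.length + "\r\n\r\n";
        out.write(head.getBytes(StandardCharsets.US_ASCII));
        out.write(jpeg);
        out.write("\r\n".getBytes(StandardCharsets.US_ASCII));
        out.flush();
    }

    /**
     * Called from the container's handle() method with the response's output
     * stream. Returns false when every stream slot is taken, so the caller can
     * answer with an error status instead of tying up a server thread.
     */
    static boolean submitStream(final OutputStream out, final Iterable<byte[]> frames) {
        try {
            POOL.execute(new Runnable() {
                public void run() {
                    try {
                        for (byte[] frame : frames) {
                            writeFrame(out, frame);
                        }
                    } catch (IOException e) {
                        // the viewer disconnected; stop streaming and free the slot
                    } finally {
                        try { out.close(); } catch (IOException ignored) { }
                    }
                }
            });
            return true;
        } catch (RejectedExecutionException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample frame: JPEG start and end markers only, no image data.
        byte[] frame = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF, (byte) 0xD9};
        ByteArrayOutputStream sink = new ByteArrayOutputStream();

        boolean accepted = submitStream(sink, Arrays.asList(frame, frame));
        POOL.shutdown();
        POOL.awaitTermination(5, TimeUnit.SECONDS);

        System.out.println("Content-Type: " + contentType());
        System.out.println("accepted=" + accepted + ", bytes written=" + sink.size());
        System.out.println(new String(sink.toByteArray(), StandardCharsets.ISO_8859_1));
    }
}
```

In a container the Content-Type above would be set on the response along with the Connection: close header quoted in the thread, before the stream is handed to submitStream.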
From: Farhad <xa...@gm...> - 2010-07-08 09:42:43
|
Thanks might, that worked like a charm. The client is a standard web browser. I wonder though, is it ok to use the same thread created by Simple to do the output, since it will get busy for a long time.

Thanks

On 7 Jul 2010, at 18:00, <nia...@rb...> wrote:

> What is the client? Is it a HTTP client? If you do not specify a content length the Simple will send it as chunked encoded which a HTTP/1.1 client should be able to support.
>
> If you want no processing then you can set to connection close semantics like so.
>
>     resp.set("Connection", "close")
>
> This will mean there is no modification of the response, and the connection is closed only if you invoke the OutputStream.close().
>
> Niall Gallagher
> RBS Global Banking & Markets
> Office: +44 2070851454
>
> -----Original Message-----
> From: Farhad [mailto:xa...@gm...]
> Sent: 07 July 2010 12:07
> To: sim...@li...
> Subject: [Simpleweb-Support] Outputing MJPEG
>
> Hi,
>
> We would like to use Simple to receive a HTTP request with a Container and extract the OutputStream, which we then use to output a live multipart MJPG video stream.
>
> When this is done using a plain java ServerSocket the browser has no problem with displaying the video. However this is not the case when using Simple.
>
> Obviously Simple parses the output and modifies it according to HTTP standards. Is there a way to get the actual socket outputstream in a Container (and possibly pass it over to another thread) and then prevent Simple from closing it or processing it?
>
> Thanks
|
From: Andrew B. <and...@sd...> - 2010-07-08 08:14:48
|
Niall and Fabio kindly sent me links to example code for delivering web content over SSL, see
http://sourceforge.net/mailarchive/forum.php?thread_name=AANLkTilp2LqrCGMJ5Io6hxFOJMLZqIYGNutDmYslm-gP%40mail.gmail.com&forum_name=simpleweb-support.

As I need to use an existing signed certificate inside a Java keystore I've adopted/adapted Fabio's example which reads from the keystore file.

I have set the SSLContext to "TLS".

I've tested against a keystore containing a bona-fide signed certificate issued by Thawte and all is well across a range of browsers: Internet Explorer on Windows and Firefox, Opera, Chrome on Windows and Mac.

However on Safari 5 (but NOT 4) on the Mac I encounter a message asking for a client certificate, see screenshot:

Upon selecting a certificate (doesn't matter which), Safari then gives a message:

"Safari can’t open the page “xxxx” because Safari can’t establish a secure connection to the server “xxxx”.

On Windows behaviour is slightly different, Safari 5 simply displays the message without prompting for client certificate.

As this works fine with other browsers, including earlier version of Safari could this be a Safari 5 issue that needs to be addressed by Apple?

Andy Barlow - Chief Technology Officer - MBCS CENG EURING CITP
e: and...@sd...
t: +44 (0)7830 302 268
|
From: <nia...@rb...> - 2010-07-07 16:00:11
|
What is the client? Is it a HTTP client? If you do not specify a content length the Simple will send it as chunked encoded which a HTTP/1.1 client should be able to support.

If you want no processing then you can set to connection close semantics like so.

    resp.set("Connection", "close")

This will mean there is no modification of the response, and the connection is closed only if you invoke the OutputStream.close().

Niall Gallagher
RBS Global Banking & Markets
Office: +44 2070851454

-----Original Message-----
From: Farhad [mailto:xa...@gm...]
Sent: 07 July 2010 12:07
To: sim...@li...
Subject: [Simpleweb-Support] Outputing MJPEG

Hi,

We would like to use Simple to receive a HTTP request with a Container and extract the OutputStream, which we then use to output a live multipart MJPG video stream.

When this is done using a plain java ServerSocket the browser has no problem with displaying the video. However this is not the case when using Simple.

Obviously Simple parses the output and modifies it according to HTTP standards. Is there a way to get the actual socket outputstream in a Container (and possibly pass it over to another thread) and then prevent Simple from closing it or processing it?

Thanks
|