Thread: [Simpleweb-Support] SSL problem
From: Martin N. <mar...@gm...> - 2005-10-18 10:16:42
While using simpleweb with SSL on a Java 5 platform I consistently get the following client error from time to time:

javax.net.ssl.SSLException: Received fatal alert: unexpected_message

and I get a broken pipe exception at the server side.

Do you have any special recommendations on how to use SimpleWeb in an SSL environment? Should I use some kind of OpenSSL wrapper instead of JSSE?

/Martin
From: Niall G. <gal...@ya...> - 2005-10-19 19:50:27
Hi Martin,

I have used SSL quite frequently in Java 4, and never encountered this problem. Although I can say that the broken pipe you see on the server side indicates that it is the client that is closing the socket. If the client is closing the connection then there is misconfiguration of the SSL socket. SSL is independent from HTTP, so I can't really say what's happening.

However, I can imagine that if you are using a self-signed certificate and are prompted to accept from your browser this can take about 5 to 10 seconds, and in the meantime there could be a premature close of the socket before the SSL handshake protocol has finished. If there is a premature closure (which is probably not the case as you see "broken pipe" messages) I would recommend that you increase the timeout that Simple is using. To do this make sure the simple.http.poller=simple.http.GranularPoller. You can set this with a -D parameter like so:

java -Dsimple.http.poller=simple.http.GranularPoller

I hope this solves your problem, or at least helps?

Niall

--- Martin Norrsken <mar...@gm...> wrote:
> While using simpleweb with SSL on a Java 5 platform I consistently get
> the following client error from time to time:
>
> javax.net.ssl.SSLException: Received fatal alert: unexpected_message
>
> and I get a broken pipe exception at the server side.
>
> Do you have any special recommendations on how to use SimpleWeb in an
> SSL environment? Should I use some kind of OpenSSL wrapper instead of
> JSSE?
>
> /Martin
>
> _______________________________________________
> Simpleweb-Support mailing list
> Sim...@li...
> https://lists.sourceforge.net/lists/listinfo/simpleweb-support
From: Martin N. <mar...@gm...> - 2005-10-20 06:20:48
On 10/19/05, Niall Gallagher <gal...@ya...> wrote:
> Hi Martin,
>
> I have used SSL quite frequently in Java 4, and never encountered this
> problem. Although I can say that the broken pipe you see on the server
> side indicates that it is the client that is closing the socket.

The client is probably closing the connection because it gets an SSL "unexpected_message" from the server. Also I only get this error intermittently, but NOT when I'm using javax.net.debug=all (probably as this slows down the process considerably).

> If the client is closing the connection then there is misconfiguration
> of the SSL socket. SSL is independent from HTTP, so I can't really say
> what's happening.

This is what I'm at too. Here's parts of my socket and simpleweb initialization code:
--------------------
// Imports for the JDK classes used below. The simple.http.* classes
// (LoaderEngine, ProtocolHandler, ProtocolHandlerFactory, Connection,
// ConnectionFactory) and the application's own Configuration,
// DoubleOutputStream and WebPageService were not shown in the post.
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.PrintStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

// Fields referenced by init(); their declarations were not part of the post.
private static LoaderEngine engine;
private static SSLServerSocket s;

public static void init() {
    try {
        Configuration conf = Configuration.getInstance();
        // The server's own keystore doubles as the JVM-wide trust store; this
        // only matters if this process also opens outbound TLS connections.
        System.setProperty("javax.net.ssl.trustStore", conf.getKeystore());
        System.setProperty("javax.net.ssl.trustStorePassword", conf.getKeystorePassword());

        // Register the service classes with Simple's loader engine and map
        // URL paths onto them.
        engine = new LoaderEngine();
        engine.load("logout", "norrsken.jcas.web.LogoutService");
        engine.load("login", "norrsken.jcas.web.LoginService");
        engine.load("success", "norrsken.jcas.web.SuccessService");
        engine.load("validate", "norrsken.jcas.web.ValidateService");
        engine.load("admin", "norrsken.jcas.web.AdminService");
        engine.link("/admin", "admin");
        engine.link("/login", "login");
        engine.link("/loginForm", "login");
        engine.link("/logout", "logout");
        engine.link("/success", "success");
        engine.link("/validate", "validate");
        WebPageService.register(engine);

        // Mirror stderr into the trace file.
        try {
            System.setErr(new PrintStream(new DoubleOutputStream(System.err,
                    new FileOutputStream(conf.getTraceFile()))));
        } catch (Exception e) {
            e.printStackTrace();
            System.exit(1);
        }

        ProtocolHandler handler = ProtocolHandlerFactory.getInstance(engine);
        Connection connection = ConnectionFactory.getConnection(handler);

        // Simple accepts on whatever ServerSocket it is handed; here that is a
        // JSSE SSLServerSocket, so the TLS handshake runs inside the JVM.
        s = createSocket(conf.getKeystore(), conf.getKeystorePassword(), conf.getPort());
        connection.connect(s);
    } catch (Exception e) {
        e.printStackTrace();
    }
}

// Build an SSLServerSocket from a JKS keystore whose key entry uses the same
// password as the store. Server authentication only: no client certificate
// is requested.
public static SSLServerSocket createSocket(String ksName, String ksPass, int port)
        throws Exception {
    char[] tksPass = ksPass.toCharArray();
    char[] tctPass = ksPass.toCharArray();
    KeyStore ks = KeyStore.getInstance("JKS");
    FileInputStream in = new FileInputStream(ksName);
    try {
        ks.load(in, tksPass);
    } finally {
        in.close();
    }
    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
    kmf.init(ks, tctPass);

    // null trust managers and null SecureRandom select the JSSE defaults.
    SSLContext sc = SSLContext.getInstance("TLS");
    sc.init(kmf.getKeyManagers(), null, null);
    SSLServerSocketFactory ssf = sc.getServerSocketFactory();

    SSLServerSocket ssls = (SSLServerSocket) ssf.createServerSocket(port);
    // Left commented out in the original post, so the JVM's default protocol
    // list applies. (SSLv3 is long obsolete and should not be re-enabled.)
    //ssls.setEnabledProtocols(new String[]{"SSLv3","TLSv1"});
    return ssls;
}
------------------
Also, I use this code to wrap my handlers:
------------------
// Common wrapper around every service: stamps the standard headers, delegates
// to process(), then closes the response body. The commented-out lines are
// variations tried while chasing the unexpected_message alert.
public abstract class ExtendedService extends BasicService {
    public ExtendedService(Context ctx) {
        super(ctx);
    }

    public void handle(final Request req, final Response resp) {
        try {
            if (!resp.isCommitted()) resp.reset(); // Tried adding this
            resp.setDate("Date", System.currentTimeMillis());
            resp.set("Server", "MyServer/1.x");
            //resp.set("Connection","close"); // Tried this too if it was a HTTP/1.1 prob
            process(req, resp);
            //resp.getOutputStream().flush(); // Tried all combinations of flush close and commit
            resp.getOutputStream().close();
            resp.commit();
        } catch (InternetAddressFilter.AccessDeniedException ade) {
            // Rejected by the address filter: logged, then answered with 404.
            Log.log("EXCEPTION: " + ade.toString());
            ade.printStackTrace();
            ade.printStackTrace(Log.out);
            handle(req, resp, 404);
        } catch (Exception e) {
            Log.log("EXCEPTION: " + e.toString());
            e.printStackTrace();
            e.printStackTrace(Log.out);
            handle(req, resp, 500);
        }
    }
}
------------------

> However, I can imagine that if you are using a self-signed certificate
> and are prompted to accept from your browser this can take about 5 to
> 10 seconds, and in the meantime there could be a premature close of the
> socket before the SSL handshake protocol has finished.

No, this is not the case, as I've added the cert to my root certs. And it mostly happens when loading the images in the document I'm first loading; i.e. when the requests come close to each other or perhaps in the same HTTP/1.1 connection (but I've tried Connection: close too).

> If there is a premature closure (which is probably not the case as you
> see "broken pipe" messages) I would recommend that you increase the
> timeout that Simple is using. To do this make sure the
> simple.http.poller=simple.http.GranularPoller. You can set this with a
> -D parameter like so:
>
> java -Dsimple.http.poller=simple.http.GranularPoller
>
> I hope this solves your problem, or at least helps?

Nope.

> Niall
From: Niall G. <gal...@ya...> - 2005-10-20 09:27:28
Hi Martin,

If you are sure that the client is closing the connection, which causes the broken pipe at the server side, then it's an SSL/TLS problem. The SSL handshake is getting mangled or something is corrupt within the SSL stream.

HTTP cannot be the problem. HTTPS means HTTP tunneled through SSL/TLS. The secure socket layer knows nothing about HTTP, so it really does not matter what configuration you are using in your HTTP messages.

If you do think it is something with Simple, which I think is quite unlikely, then I suggest you use something like the following to debug the response. Here 443 is the traditional HTTPS port; if you are listening on some other port then change accordingly.

openssl s_client -connect my.hostname:443 -state -debug

Niall
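Niall's s_client suggestion reproduces one handshake by hand, but Martin reports the alert only when several requests arrive close together (the images of the first page). The script below is an added example, not part of the thread or of Simple: it fires a batch of parallel `openssl s_client -state` handshakes at a server and classifies what each connection saw, so an intermittent `unexpected_message` shows up as a count rather than a lucky or unlucky single run. It assumes `openssl` is on PATH; `my.hostname` and `443` are the thread's placeholders, and the three sample transcripts at the bottom are constructed (modelled on s_client's `-state` output, not captured from Martin's server) so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original thread. Reproduces the thread's symptom
# outside the browser: fire several near-simultaneous TLS handshakes at the
# server (as a page full of images does) and classify what each connection saw.
# Assumptions: openssl(1) is on PATH; host/port are your server (the thread's
# "my.hostname:443" placeholder is used in the usage lines below).

# Classify the combined stdout/stderr of one `openssl s_client -state` run.
# With -state, s_client reports alerts through its info callback as
# "SSL3 alert read:fatal:<description>" (stderr), and a completed handshake as
# "SSL handshake has read N bytes and written M bytes" (stdout).
# Prints exactly one of: alert:<description> | ok | closed | unknown
classify_s_client_output() {
    out=$1
    alert=$(printf '%s\n' "$out" | sed -n 's/.*alert read:fatal:\([a-z_]*\).*/\1/p' | head -n 1)
    if [ -n "$alert" ]; then
        printf 'alert:%s\n' "$alert"
    elif printf '%s\n' "$out" | grep -q 'SSL handshake has read'; then
        printf 'ok\n'
    elif printf '%s\n' "$out" | grep -q -i -e 'unexpected eof' -e 'errno=' -e 'connection refused'; then
        # peer (or kernel) closed without sending an alert: the client-side
        # twin of the server's "broken pipe"
        printf 'closed\n'
    else
        printf 'unknown\n'
    fi
}

# Open $3 (default 20) connections to $1:$2 in parallel, each sending one
# HTTP/1.0 request the way a browser would, and tally the outcomes.
# Add -debug to the openssl line for a byte-level dump of the record layer.
probe() {
    host=$1; port=$2; n=${3:-20}
    dir=$(mktemp -d)
    i=0
    while [ "$i" -lt "$n" ]; do
        ( printf 'HEAD / HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n' "$host" \
            | openssl s_client -connect "$host:$port" -state -ign_eof 2>&1 ) >"$dir/$i.log" &
        i=$((i + 1))
    done
    wait
    for f in "$dir"/*.log; do
        classify_s_client_output "$(cat "$f")"
    done | sort | uniq -c
    rm -rf "$dir"
}

# Constructed sample transcripts (not captured from the thread's server),
# modelled on s_client -state output, so the classifier can be run offline.
SAMPLE_FATAL_ALERT='SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL3 alert read:fatal:unexpected_message
SSL_connect:error in error'
SAMPLE_OK='SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS read finished
SSL handshake has read 1292 bytes and written 427 bytes'
SAMPLE_CLOSED='SSL_connect:SSLv3/TLS write client hello
write:errno=104'

# Usage:
#   sh tls_probe.sh demo                        # classify the constructed samples
#   sh tls_probe.sh probe my.hostname 443 20    # 20 parallel handshakes, tallied
case "${1:-}" in
    demo)  for smp in "$SAMPLE_FATAL_ALERT" "$SAMPLE_OK" "$SAMPLE_CLOSED"; do
               classify_s_client_output "$smp"
           done ;;
    probe) probe "$2" "$3" "${4:-20}" ;;
esac
```

The `probe` tally is the number to compare before and after a change (JVM version, poller setting, stunnel in front): a healthy server gives `20 ok`; the thread's failure mode gives a mix of `ok` and `alert:unexpected_message`. The request uses HTTP/1.0 with `Connection: close` so the server ends each connection and s_client exits on its own; against a server that keeps the connection open, interrupt it by hand.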
From: Martin N. <mar...@gm...> - 2005-10-20 14:11:55
Apparently it's the Java 5 SSL implementation that is at fault (??). I switched to using stunnel and running simpleweb on a normal server socket. It is very annoying though, so I probably need to find a Java wrapper for OpenSSL server sockets, but I can't seem to find one (as all were discontinued when Java released JSSE).

Have you tried to run simpleweb on a Java 5 SSL socket? Or just Java 1.4? I might change to Java 1.4, but then I have to rewrite much of the source code.

Thanks for the help.

/Martin
From: Martin N. <mar...@gm...> - 2005-10-20 17:20:32
I now run with stunnel (www.stunnel.org); my Java app autogenerates the conf file at startup and also exports the private key and public cert from the Java keystore for stunnel's usage.

Apart from the fact that it's now *working*, it's also about 20 times faster!!!

If anyone is interested in the strange coding I used to start stunnel with my Java app, feel free to email me.

/Martin
From: Niall G. <gal...@ya...> - 2005-10-20 19:58:21
Hi Martin,

I have never used stunnel, however I would like to have a peek at what you have done. If that's OK...

Niall
From: Martin N. <mar...@gm...> - 2005-10-21 10:40:10
This is the code.. very ugly and uncommented and horrible, but it hides the ugliness pretty well. You need to put the files from www.stunnel.org (including the SSL DLLs) in the same folder as your app.

import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.HashMap;
import javax.net.ServerSocketFactory;
// Internal JDK API (not part of the public Java SE API). Its encode() wraps
// output at 76 columns, which is what PEM expects.
import sun.misc.BASE64Encoder;

// The original post implements this interface but does not show it; the single
// method is inferred from setKeystoreInfo() below.
interface KeystoreInfo {
    void setKeystoreInfo(String keystore, String keystorePassword);
}

// A ServerSocketFactory that hands Simple a plain loopback ServerSocket and
// starts an stunnel process that terminates TLS on the public port and
// forwards the plaintext to that loopback socket.
public class StunnelServerSocketFactory extends ServerSocketFactory implements KeystoreInfo {

    protected String keystore;
    protected String keystorePassword;
    // One stunnel process per public port.
    private static HashMap<Integer, Process> tunnels = new HashMap<Integer, Process>();

    static {
        // Code to shut down STUNNELS when exiting by Ctrl-C or System.exit(...)
        Runtime.getRuntime().addShutdownHook(new Thread(new Runnable() {
            public void run() {
                for (Process pr : tunnels.values()) {
                    pr.destroy();
                }
            }
        }));
    }

    protected ServerSocket setup(int port, int backlog) throws IOException {
        Process pr = tunnels.get(new Integer(port));
        if (pr != null) {
            pr.destroy();
        }
        // The key alias in the keystore is the machine's canonical host name.
        String host = InetAddress.getLocalHost().getCanonicalHostName();
        // Plaintext side bound to 127.0.0.1 on an ephemeral port, so only stunnel
        // on this host can reach the unencrypted server.
        ServerSocket ss = ServerSocketFactory.getDefault().createServerSocket(
                0, backlog, InetAddress.getByName("127.0.0.1"));
        try {
            createStunnelKeysAndConfig(keystore, keystorePassword, host, port, ss.getLocalPort());
        } catch (IOException e) {
            ss.close();
            throw e;
        } catch (Exception e) {
            ss.close();
            IOException ioe = new IOException(e.getMessage());
            ioe.setStackTrace(e.getStackTrace());
            throw ioe;
        }
        // stunnel.exe and stunnel.conf are both expected in the working directory.
        ProcessBuilder pbt = new ProcessBuilder("stunnel.exe");
        pr = pbt.start();
        tunnels.put(new Integer(port), pr);
        return ss;
    }

    @Override
    public ServerSocket createServerSocket() throws IOException {
        // Standard exception in place of the sun.reflect NotImplementedException
        // used in the original post.
        throw new UnsupportedOperationException();
    }

    @Override
    public ServerSocket createServerSocket(int port, int backlog, InetAddress addr) throws IOException {
        throw new UnsupportedOperationException();
    }

    @Override
    public ServerSocket createServerSocket(int port, int backlog) throws IOException {
        return setup(port, backlog);
    }

    @Override
    public ServerSocket createServerSocket(int port) throws IOException {
        return setup(port, 0);
    }

    public void setKeystoreInfo(String keystore, String keystorePassword) {
        this.keystore = keystore;
        this.keystorePassword = keystorePassword;
    }

    public StunnelServerSocketFactory() {
        super();
    }

    // Export the key and certificate stored under alias `host` as PEM files and
    // write the stunnel configuration that uses them.
    public static void createStunnelKeysAndConfig(String ksName, String ksPass, String host,
            int port, int localport) throws KeyStoreException, NoSuchAlgorithmException,
            CertificateException, FileNotFoundException, IOException, UnrecoverableKeyException {
        char[] tksPass = ksPass.toCharArray();
        char[] tctPass = ksPass.toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(new File(ksName));
        try {
            ks.load(in, tksPass);
        } finally {
            in.close();
        }

        BASE64Encoder myB64 = new BASE64Encoder();

        Certificate cert = ks.getCertificate(host);
        PrivateKey privKey = (PrivateKey) ks.getKey(host, tctPass);

        File fPriv = new File("tunpriv.pem");
        File fPub = new File("tuncert.pem");
        File fStunnel = new File("stunnel.conf");

        // PrivateKey.getEncoded() is PKCS#8 DER, hence the "PRIVATE KEY" label.
        // The key is written unencrypted with the JVM's default file permissions;
        // restrict access to tunpriv.pem to the account running stunnel.
        Writer w = new OutputStreamWriter(new FileOutputStream(fPriv), "ascii");
        String b64 = myB64.encode(privKey.getEncoded());
        w.write("-----BEGIN PRIVATE KEY-----\n");
        w.write(b64);
        w.write("\n");
        w.write("-----END PRIVATE KEY-----\n");
        w.close();

        w = new OutputStreamWriter(new FileOutputStream(fPub), "ascii");
        b64 = myB64.encode(cert.getEncoded());
        w.write("-----BEGIN CERTIFICATE-----\n");
        w.write(b64);
        w.write("\n");
        w.write("-----END CERTIFICATE-----\n");
        w.close();

        // stunnel.conf: accept TLS on the public port, forward plaintext to the
        // loopback server. TIMEOUTclose = 0 stops stunnel waiting for the peer's
        // close_notify before closing the connection.
        w = new OutputStreamWriter(new FileOutputStream(fStunnel), "ascii");
        w.write("cert = tuncert.pem\n");
        w.write("key = tunpriv.pem\n");
        w.write("socket = l:TCP_NODELAY=1\n");
        w.write("socket = r:TCP_NODELAY=1\n");
        w.write("[https]\n");
        w.write("accept = " + port + "\n");
        w.write("connect = 127.0.0.1:" + localport + "\n");
        w.write("TIMEOUTclose = 0\n");
        w.close();
    }
}
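Martin's class does the key export with sun.misc internals and leaves tunpriv.pem with default file permissions and the stunnel protocol list at its defaults. The script below is an added example, not from the thread, Simple or stunnel: it performs the same export and config generation with stock keytool and openssl, creates the key file owner-readable only, keeps the keystore password out of the process list, checks that the exported key and certificate belong together, and switches SSLv2/SSLv3 off explicitly in the generated stunnel.conf. It assumes a JDK 6 or later `keytool` (for `-importkeystore`) and `openssl` on PATH; `keystore.jks`, the alias `my.hostname`, the environment variable `JKS_PASS` and the ports 443/8443 are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread. Exports the server key and
# certificate from a JKS keystore for stunnel with stock tooling, and writes a
# stunnel.conf equivalent to the one the posted Java code generates, with two
# hardening changes: the key file is created owner-readable only and the broken
# SSL protocol versions are refused explicitly.
# Assumptions: keytool from JDK 6+ (-importkeystore) and openssl(1) on PATH.

# Export alias $3 from JKS $1 into $4/tunpriv.pem and $4/tuncert.pem.
# $2 names an environment variable holding the keystore password (the key
# entry is assumed to use the same password, as in the posted code), so the
# password never appears on a command line where ps would show it.
export_jks_for_stunnel() {
    (   # subshell: the umask change must not leak into the caller
        ks=$1; passvar=$2; alias=$3; outdir=$4
        umask 077                     # everything created below is 0600/0700
        mkdir -p "$outdir"
        p12="$outdir/export.p12"
        keytool -importkeystore -noprompt \
            -srckeystore "$ks" -srcstoretype JKS -srcstorepass:env "$passvar" \
            -srcalias "$alias" \
            -destkeystore "$p12" -deststoretype PKCS12 -deststorepass:env "$passvar"
        # -nodes: stunnel runs unattended, so the key is stored unencrypted and
        # protected by file permissions alone (as the posted code also did).
        openssl pkcs12 -in "$p12" -passin "env:$passvar" -nocerts -nodes -out "$outdir/tunpriv.pem"
        openssl pkcs12 -in "$p12" -passin "env:$passvar" -nokeys -clcerts -out "$outdir/tuncert.pem"
        rm -f "$p12"                  # the intermediate PKCS#12 also holds the key
    )
}

# Confirm that certificate $1 and key $2 belong together by comparing their
# public halves; works for RSA, DSA and EC keys alike.
verify_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null || true)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print a stunnel.conf for cert $1 / key $2, accepting TLS on $3 and forwarding
# plaintext to the server on 127.0.0.1:$4 (which must listen on loopback only,
# exactly as the posted setup() does).
stunnel_conf() {
    cat <<EOF
cert = $1
key = $2
; the posted config left protocol selection to stunnel's defaults; refuse the
; broken SSL versions explicitly (names are OpenSSL SSL_OP_* without the prefix)
options = NO_SSLv2
options = NO_SSLv3
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[https]
accept = $3
connect = 127.0.0.1:$4
TIMEOUTclose = 0
EOF
}

# Usage (placeholders: keystore.jks, alias my.hostname, public 443 -> local 8443):
#   JKS_PASS=secret sh stunnel_export.sh run
if [ "${1:-}" = run ]; then
    export_jks_for_stunnel keystore.jks JKS_PASS my.hostname ./tls
    verify_pair ./tls/tuncert.pem ./tls/tunpriv.pem || { echo "key/cert mismatch" >&2; exit 1; }
    stunnel_conf ./tls/tuncert.pem ./tls/tunpriv.pem 443 8443 > stunnel.conf
fi
```

After `run`, `ls -l tls/` should show `-rw-------` on both PEM files, and `stunnel stunnel.conf` should come up with the same accept/connect pair the Java class writes. The `verify_pair` check catches the case where the alias in the keystore is not the one stunnel is meant to serve, which otherwise surfaces only as a handshake failure on the first client connection.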