Poor performance in establishing an SSL connection
Hi,
i have a Servlet (loaded on Tomcat 4.1) that establishes a SSL Connection to a remote server. The issue is, is that the connection phase takes over 4 seconds to complete!
heres the function where the problem shows
public SSLSocket getSocket()
throws NoSuchAlgorithmException, KeyStoreException, FileNotFoundException,
IOException, KeyManagementException, CertificateException,
UnrecoverableKeyException
* Set up a key manager for client authentication if asked by the server.
SSLSocketFactory factory = null;
SSLContext ctx;
KeyManagerFactory kmf;
KeyStore ks;
// Set the SSL Context to TLS (required for Client certs).
ctx = SSLContext.getInstance("TLS");
kmf = KeyManagerFactory.getInstance("SunX509");
ks = KeyStore.getInstance(ksType);
// Load in the KeyStore.
ks.load(new FileInputStream(ksLoc), ksPassphrase);
kmf.init(ks, ksPassphrase);
// Generate some random data.
SecureRandom sr = new SecureRandom();
sr.nextInt();
// Initialise the SSL with the random data.
ctx.init(kmf.getKeyManagers(), null, sr);
factory = ctx.getSocketFactory();
* Open the Socket to the SSL server. from this point we can treat
* it like and nomal Socket
SSLSocket socket = (SSLSocket)factory.createSocket(servHost, servPort);
// Force the handshake
socket.startHandshake();
// Return the now open SSLSocket to the caller.
return socket;
the problematic line is:
SSLSocket socket = (SSLSocket)factory.createSocket(servHost, servPort);
it takes about 4.5 - 5.0 seconds to return. The remote server is based on the same LAN as this Servlet and so network lag should not be an issue (im accessing via 10.xx ip too)
Can anyone help me in determining why this takes so long?
Thanks !
Darren.
First, try by removing the line which says:
socket.startHandshake();because the handshake will be initiated by the socket upon creation.
If you are using JDK v1.4.1 I've seen some SSL performance issues when stablishing the connection, so I returned to my old JDK 1.3.1.
Also be sure to create the factory in the servlet init() method because it has no sense to recreate the factory in every request as long as it uses the same KeyManager.
HTH
Similar Messages
-
Unable to establish any ssl connection
Since my last update im not able to load any ssl webpage from my system.
If i try with curl or wget, i get various SSL errors like
"OpenSSL: error:0407006A:rsa routines: RSA_padding_check_PKCS1_type_1:block type is not 01"
"OpenSSL: error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed"
"OpenSSL: error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature"
"Read error at byte xxx (error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac)."
Im using a d-link DWA-131 (r8712u module). The problem does not appear when using the wired interface. Windows 7 has no problem with the wireless dongle too.
Could anyone point me in the right direction for finding a solution to this?This seems to be an issue with the r8712u driver (https://bugzilla.kernel.org/show_bug.cgi?id=45071) which was not happening before. Ill keep the thread updated.
Last edited by honzor (2012-09-10 16:22:52) -
Establish SSL connection to Oracle Instance w/JDBC Thin Client
Hello all,
I am writing a monitoring utility that will allow me to establish connections to both Oracle instances and LDAP repositories and query them to determine that they are up and running. My utility consists of a number of objects that handle connections to the LDAP and Oracle instances. I need to be able to do SSL and non-SSL connections to said instances.
My issue is this: I am able to do SSL and non-SSL to LDAP, and non-SSL to an Oracle instance. I am having problems, though, establishing an SSL connection to an Oracle instance (I am using the thin client). Whenever I try, a SQLException is thrown that states: "Encountered a problem with the secret store. Check the wallet location for the presense of an <b>open</b> wallet (cwallet.sso) and ensure that the wallet contains the correct credentials..."
Ok, a little background for those who may need it. Oracle uses a wallet to hold certs that allow SSL connections. I have a wallet on my box, and, from the command line, I am able to sqlplus into and tnsping the appropriate Oracle instances, so I know it is setup properly. The inability to connect only occurs in my code. My code looks like this:
DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver());
Security.addProvider(new oracle.security.pki.OraclePKIProvider());
/*Setup connection properties*/
String connectionString = "testbox01:1000:ssl_instances_name";
String userName = "userName";
String pwd = "password";
Properties props = new Properties();
props.put("oracle.net.ssl_version", 3.0");
props.put("oracle.net.wallet_location", "SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=c:\\wallet)))");
props.put("oracle.net.ssl_cipher_suites", "ssl cipher suites");
props.put("oracle.net.ssl_server_dn_match", "FALSE");
props.put("oracle.net.ssl_client_authentication", "true");
/*Do connection and return connection object
OracleDataSource ods = new OracleDataSource();
ods.setUser(userName);
ods.setPassword(pwd);
ods.setUrl("jdbc:oracle:thin:@" + connectionString);
ods.setConnectionProperties(props);
Connection conn = ods.getConnection(); <---This is where code errors out with SQLException described above.
return conn;
And that's pretty much it. Anyone have any ideas?Ok, that looked horrible. Let's try this again:<br>
<br>
I am writing a monitoring utility that will allow me to establish connections to both Oracle instances and LDAP repositories and query them to determine that they are up and running. My utility consists of a number of objects that handle connections to the LDAP and Oracle instances. I need to be able to do SSL and non-SSL connections to said instances.<br>
<br>
My issue is this: I am able to do SSL and non-SSL to LDAP, and non-SSL to an Oracle instance. I am having problems, though, establishing an SSL connection to an Oracle instance. Whenever I try, a SQLException is thrown that states: "Encountered a problem with the secret store. Check the wallet location for the presense of an <b>open</b> wallet (cwallet.sso) and ensure that the wallet contains the correct credentials..."<br>
<br>
Ok, a little background for those who may need it. Oracle uses a wallet to hold certs that allow SSL connections. I have a wallet on my box, and, from the command line, I am able to sqlplus into and tnsping the appropriate Oracle instances, so I know it is setup properly. The inability to connect only occurs in my code. My code looks like this:<br>
<br>
*****<br>
<br>
DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver());<br>
Security.addProvider(new oracle.security.pki.OraclePKIProvider());<br>
<br>
/*Setup connection properties*/<br>
<br>
String connectionString = "testbox01:1000:ssl_instances_name";<br>
String userName = "userName";<br>
String pwd = "password";<br>
<br>
Properties props = new Properties();<br>
props.put("oracle.net.ssl_version", 3.0");<br>
props.put("oracle.net.wallet_location", "SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=c:\\wallet)))");<br>
props.put("oracle.net.ssl_cipher_suites", "ssl cipher suites");<br>
props.put("oracle.net.ssl_server_dn_match", "FALSE");<br>
props.put("oracle.net.ssl_client_authentication", "true");<br>
<br>
/*Do connection and return connection object*/<br>
OracleDataSource ods = new OracleDataSource();<br>
ods.setUser(userName);<br>
ods.setPassword(pwd);<br>
ods.setUrl("jdbc:oracle:thin:@" + connectionString);<br>
ods.setConnectionProperties(props);<br>
<br>
Connection conn = ods.getConnection(); <---This is where code errors out with SQLException described above.<br>
<br>
return conn;<br>
<br>
*****<br>
<br>
And that's pretty much it. Anyone have any ideas?<br> -
SSL connection, KeyManager and TrustManager
Hello everyone,
I am trying to established an SSL connection to a OC4J Server. The server is correctly configured, as the communications using Internet Explorer goes well.
I am using JDK 1.3.1_06 with JSSE 1.0.3 and OC4J 9.0.3.
But now I have a stand-alone java program that sends SOAP messages to the ssl port in the server using JAXM. When I send the message, I received the following exception:
javax.net.ssl.SSLException: untrusted server cert chain
The following I tried was to connect using a socket to test the handshacking. I received the same exception.
I am using a KeyStore dinamically generated with the PKCS12 certificate of the cliente that is requesting the service, and a TrustStore dinamically generated with the CA certificate for both the client and the server. I am also tries to use the default cacerts file with this certificate imported in.
The KeyManager is initialized in this way:
----- KeyManager start -----
java.security.KeyStore ks = java.security.KeyStore.getInstance
("pkcs12", "SunJSSE");
ks.load(new FileInputStream(file),pass.toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance ("SunX509", "SunJSSE");
kmf.init(ks, pass.toCharArray());
KeyManager[] km = (KeyManager[])kmf.getKeyManagers();
----- KeyManager end -----
The TrustManager is initialized in this way:
----- TrustManager start -----
FileInputStream fis = new FileInputStream(file);
java.io.DataInputStream dis = new java.io.DataInputStream(fis);
byte[] bytes = new byte[dis.available()];
dis.readFully(bytes);
java.io.ByteArrayInputStream bais =
new java.io.ByteArrayInputStream(bytes);
java.security.cert.CertificateFactory cf = java.security.cert.CertificateFactory.getInstance("X.509");
java.security.cert.X509Certificate caCert =
(java.security.cert.X509Certificate)
cf.generateCertificate(bais);
java.security.KeyStore ksCA =
java.security.KeyStore.getInstance("pkcs12", "SunJSSE");
ksCA.load(null, null);
ksCA.setCertificateEntry("trustedCA", caCert);
TrustManagerFactory tmf =
TrustManagerFactory.getInstance("SunX509", "SunJSSE");
tmf.init(ksCA);
TrustManager[] tm = (TrustManager[])tmf.getTrustManagers();
----- TrustManager end -----
And finally, this is the way I create the ssl connection:
----- main start -----
// loads the jsse provider
System.setProperty("java.protocol.handler.pkgs",
"com.sun.net.ssl.internal.www.protocol");
java.security.Security.addProvider(
new com.sun.net.ssl.internal.ssl.Provider());
// keymanager
com.sun.net.ssl.KeyManager[] km = getKeyManager(args[0], args[1]);
// trustmanager
com.sun.net.ssl.TrustManager[] tm = getTrustManager(args[2]);
// ssl context configuration
com.sun.net.ssl.SSLContext ctx =
com.sun.net.ssl.SSLContext.getInstance("SSL");
ctx.init(km, tm, null);
com.sun.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(
ctx.getSocketFactory());
// url
URL url = new URL(
"https", my_ip
my_port, a_page,
new com.sun.net.ssl.internal.www.protocol.https.Handler());
// connection
com.sun.net.ssl.HttpsURLConnection conn =
(com.sun.net.ssl.HttpsURLConnection)url.openConnection();
conn.connect();
----- main end -----
This is the full exception trace:
javax.net.ssl.SSLException: untrusted server cert chain
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(DashoA6275)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
at java.io.OutputStream.write(OutputStream.java:56)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.doConnect(DashoA6275)
at com.sun.net.ssl.internal.www.protocol.https.NetworkClient.openServer(DashoA6275)
at com.sun.net.ssl.internal.www.protocol.https.HttpClient.l(DashoA6275)
at com.sun.net.ssl.internal.www.protocol.https.HttpClient.<init>(DashoA6275)
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.<init>(DashoA6275)
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a(DashoA6275)
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a(DashoA6275)
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect(DashoA6275)
at pruebas.SSLClient.main(SSLClient.java)
Has anyone some idea of what is happening. Thanks in advance,
Jorge Hidalgohi
how your client i.e stanadlone application (SOAP client) is getting the server certificates if client doesn't get the server certificate and vice versa then u will get this exception.
check on both side.
pras -
Cannot establish SSL connection after fresh install
Hello,
I performed a fresh install a couple of days ago. Everything is fine, no hardware errors, pacman and curl work like a charm, HTTP servers respond as they should, but SSL servers do not respond the right way.
I tried with elinks, chromium and firefox and they get stuck on SSL negotiations for very long times.
Installed the whole thing again. Same issue.
Just tested with:
openssl s_client -connect facebook.com:443
openssl s_client -connect google.com:443
Seems to work fine, I can GET with no problems.
Also tested with:
wget --debug -O - https://facebook.com
It gets stuck to "Initializing SSL handshake" and after a couple of minutes the connection is closed with error message "Unable to establish SSL connection."
The system date/time are correct, the system is up to date, used the latest install image available at http://archlinux.org, installed following the install guide from the wiki.
All tests performed as root.
Last edited by icecoder (2013-05-30 10:07:14)WonderWoofy wrote:Initscripts maybe... ethernet... since I am not familiar with either of your systems, I cannot answer this.
As I understand, the latest arch uses systemd by default, so there's no need installing initscripts and in https://wiki.archlinux.org/index.php/In … e_internet nothing said I have to configure network as I'm using DHCP.
Last edited by tenzan (2012-10-22 00:02:42) -
I have XP x64 SP2 and have tried to download Adobe Reader. I get an error; "Can't establish SSL connection (16248.331.1095.307)" and
then after a couple of these, it closes the download manager.
We are using IE6.0.3790.359 128 cipher
As to the alternate browsers, our corporation will not allow them to be loaded. So we cannot use other browser.
The installation steps are: click get reader, allow activeX, unclick Google bar and click download- simple stuff.
Please refer to the screen shot
Thanks
JPSinghAssuming that you want the English version of Adobe Reader 9.2, you can download it without download manager from http://ardownload.adobe.com/pub/adobe/reader/win/9.x/9.2/enu/AdbeRdr920_en_US.exe
If you're looking for a different version, find it at ftp://ftp.adobe.com/pub/adobe/reader/ -
Unable to establish SSL connection using Java PKCS11
I am currently trying to establish SSL connectivity using eToken via PKCS11.
The PKCS11 provider is setup and I can read the 3 stored certificates as a key Store Object.
But I am getting the following exception while trying to establish SSL connectivity.
I am using JDK 6.0(java version "1.6.0_31-rev).
at java.lang.Thread.run(Unknown Source)
Caused by: java.security.InvalidKeyException: Unsupported key type: SunPKCS11-aladdin-0 RSA private key, 2048 bits (id 147980297, token object, sensitive, unextractable)
at sun.security.mscapi.RSACipher.engineGetKeySize(RSA Cipher.java:384)
at javax.crypto.Cipher.b(DashoA13*..)
at javax.crypto.Cipher.a(DashoA13*..)
Code:
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
KeyStore keyStore = getClientKeyStore(); //read Smart Card Token to get the Certificate
kmf.init(keyStore, "mycardPin".toCharArray()); //#### hard coded the i/p parms
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
KeyStore trustStore = KeyStore.getInstance("JKS");
trustStore.load(new FileInputStream("C:\\Users\\usr1\\Desktop\\Certifi cates\\mycertca.jks"), "mycardPin".toCharArray());
tmf.init(trustStore);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
factory = sslContext.getSocketFactory();
sslClient = (SSLSocket) factory.createSocket(host, port);
sslClient.startHandshake(); //<--- code is breaking here with the above exception
I am struggling like anything for the last 4 days to get rid of this issue. Please let me know is there any work-around to fix this issue.
I really appreciate your help.Hi,
have You found the solution. I have similar problem but now it is not repeatable. I'm not sure what was the reason (this InvalidKeyException apeared only once). I'm using JDK7 (java version 1.7.0_09-b05).
Caused by: java.security.InvalidKeyException: Unsupported key type: SunPKCS11-GemSafe RSA private key, 1024 bits (id 2, token object, sensitive, unextractable)
at sun.security.mscapi.RSACipher.engineGetKeySize(RSACipher.java:404)
at javax.crypto.Cipher.passCryptoPermCheck(Cipher.java:1052)
at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1010)
at javax.crypto.Cipher.init(Cipher.java:1209)
at java.security.Signature$CipherAdapter.engineInitSign(Unknown Source)
at java.security.Signature$Delegate.init(Unknown Source)
at java.security.Signature$Delegate.chooseProvider(Unknown Source)
at java.security.Signature$Delegate.engineInitSign(Unknown Source)
at java.security.Signature.initSign(Unknown Source)
at sun.security.ssl.RSASignature.engineInitSign(Unknown Source)
at java.security.Signature$Delegate.engineInitSign(Unknown Source)
at java.security.Signature.initSign(Unknown Source)
at sun.security.ssl.HandshakeMessage$CertificateVerify.<init>(Unknown Source)
... 53 more -
ACE20 SSL-connection rate performance
Hello,
One of our customers are challenging our ACE20 modules ssl-connection rate performance. During a loadtest performed against our webportals, they concluded, that the ACE-module showed signs of severe performance degredations, when the number of new ssl-connections hit 40.
While I disagree with that conclusion, I find it somewhat difficult to disprove it. Nothing on the ACE-module suggest any ssl-resource depletion, the highest recorded ssl-connection rate is 677 tps and the license permits 10k. The context is currently sized to 4k. I've gone through numerous troubleshooting steps, trying to locate anything that would suggest a problem with the module, but so far nothing has turned up.
I've been given somewhat conflicting information about what the ssl-connection rate resouce actually represent. Some say is represent the total number of new ssl-connections pr/sec, other say it represents ssl-transaction capacity as a whole, which among other things would include ssl-handshakes. Regardsless, 40 in my opinion seems way to low and this is very inconsistent with the generel load on our modules, which often climbs into the hundreds.
So I'm looking for suggestions on how to conduct a simple ssl/tps test against the ACE-modules. The test is expected to be very basic, as I'm not looking to test the webportal end-to-end, but simply doing an ssl-tps performace test.
Any help will do
Thanks
/UlrichHi,
The connection will be denied once the SSL connection rate is exceeded.
That can be identified by using the command :
show resource usage all
You will see something like this :
Resource Current Peak Min Max Denied
ssl-connections rate 995 1000 0 1000 28975
You will notice that the deny counter will start increasing once the rate is exceeded.
hope that helps.
regards,
Ajay Kumar -
Shared nothing live migration over SMB. Poor performance
Hi,
I´m experiencing really poor performance when migrating VMs between newly installed server 2012 R2 Hyper-V hosts.
Hardware:
Dell M620 blades
256Gb RAM
2*8C Intel E5-2680 CPUs
Samsung 840 Pro 512Gb SSD running in Raid1
6* Intel X520 10G NICs connected to Force10 MXL enclosure switches
The NICs are using the latest drivers from Intel (18.7) and firmware version 14.5.9
The OS installation is pretty clean. Its Windows Server 2012 R2 + Dell OMSA + Dell HIT 4.6
I have removed the NIC teams and vmSwitch/vNICs to simplify the problem solving process. Now there is one nic configured with one IP. RSS is enabled, no VMQ.
The graphs are from 4 tests.
Test 1 and 2 are nttcp-tests to establish that the network is working as expected.
Test 3 is a shared nothing live migration of a live VM over SMB
Test 4 is a storage migration of the same VM when shut down. The VMs is transferred using BITS over http.
It´s obvious that the network and NICs can push a lot of data. Test 2 had a throughput of 1130MB/s (9Gb/s) using 4 threads. The disks can handle a lot more than 74MB/s, proven by test 4.
While the graph above doesn´t show the cpu load, I have verified that no cpu core was even close to running at 100% during test 3 and 4.
Any ideas?
Test
Config
Vmswitch
RSS
VMQ
Live Migration Config
Throughput (MB/s)
NTtcp
NTttcp.exe -r -m 1,*,172.17.20.45 -t 30
No
Yes
No
N/A
500
NTtcp
NTttcp.exe -r -m 4,*,172.17.20.45 -t 30
No
Yes
No
N/A
1130
Shared nothing live migration
Online VM, 8GB disk, 2GB RAM. Migrated from host 1 -> host2
No
Yes
No
Kerberos, Use SMB, any available net
74
Storage migration
Offline VM, 8Gb disk. Migrated from host 1 -> host2
No
Yes
No
Unencrypted BITS transfer
350Hi Per Kjellkvist,
Please try to change the "advanced features"settings of "live migrations" in "Hyper-v settings" , select "Compression" in "performance options" area .
Then test 3 and 4 .
Best Regards
Elton Ji
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
Sporadic SSL connection trouble
I happened to run across https://discussions.apple.com/message/5546820, which describes a problem very similar to one I've had troubles with since Mac OS X 10.5 Server and still happens with 10.6.7; I did not experience this with Tiger.
I have a web service written in PHP (v5.3.4) that makes another web service call to a third party web service. The call TO my web service and the call my web service MAKES are both SSL encrypted; neither are going through a proxy. Occasionally, my web service will get a SoapFault raised with the error "Could not connect to host" when instantiating a SoapClient object to connect to the third party web service. We use this web service an average of nearly 1,000 times a day, and of those, only a handful each day gets this exception. I have gone so far as to add code that will make a second attempt to instantiate the SoapClient class when the first fails. Sometimes the second attempt works, but sometimes even it fails.
At one point I moved this process back to 10.4.11 Server (w/PHP v5.2.4), and experienced no errors. I've also ran the same code on a Windows machine with PHP 5.3 installed and it did not experience the problem either. So I don't believe it has anything to do with upgrading PHP from 5.2 to 5.3. I have performed tests from other Macs connecting to one of Amazon's web services over HTTPS, and they too experienced random failures beginning with Leopard. So I don't think it has anything to do with the specific machine on which the process is running. I also tried consuming the Amazon web service over HTTP, and didn't experience the problem.
We have another process (on a different server running 10.5.8) that uses CURL to establish a SSL encrypted connection to a partner's system, and it's randomly failing on curl_exec() with "SSL read: error:00000000:lib(0):func(0):reason(0), errno 54". According to http://curl.haxx.se/libcurl/c/libcurl-errors.html, error 54 means "Failed setting the selected SSL crypto engine as default!".
CURL details:
10.5.8 machine:
curl 7.16.4 (i386-apple-darwin9.0) libcurl/7.16.4 OpenSSL/0.9.7l zlib/1.2.3
Protocols: tftp ftp telnet dict ldap http file https ftps
Features: GSS-Negotiate IPv6 Largefile NTLM SSL libz
10.6.7 machine:
curl 7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
Protocols: tftp ftp telnet dict ldap http file https ftps
Features: GSS-Negotiate IPv6 Largefile NTLM SSL libz
Neither error can be reproduced at will, but they do happen daily (no particular time of day; it's completely random). It just really sounds like something is wrong with some low level code in the OS dealing with SSL that began with Leopard. Anyone else having similar trouble?i got the connection to work, and the problem was that the regional settings of the client was set to "Turkish". after changing it to EN, it worked.
(questions 2), 3) and 4) are "answered" herewith).
is there a workaround for the language problem ? (the reg. settings have to be Turkish)
(when set to "Turkish", the JRE parses the cacerts file erroneous (because of the Turkish 'i' character). running the program with "-javax.net.debug=all" parameter prints the trace)
now, i've another question :
when creating a user how do we specify which group the user belongs to ?
a solution for this is to find the group and add the user to the group. is there an attribute of the user which can be set directly at creation time ?
last question :
why does it take so long to get a context with ssl connection ? does anybody know how to make it faster ?
thanks -
Errror during SSL connection with LDAP using JNDI APIs
Hello,
I have established a client and server certificates cert.arm for LDAP server and client. On client i have created a client.kdb file and on server server.kdb file both containing cert.arm. whwn i give a request
C:\Program Files\IBM\LDAP\bin>ldapsearch -b "o=ibm,c=us" -h 9.182.174.71 -p 636 -D cn=roo
-w root1 -Z -K "C:\Program Files\ibm\ldap\etc\client.kdb" -P client -s sub cn=s* cn sn
it gave me proper results
but using a JNDI API where i specify
Hashtable env = new Hashtable(11);
env.put(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.ldap.LdapCtxFactory");
// Specify LDAPS URL
env.put(Context.PROVIDER_URL, "ldap://"+"9.182.174.71:636");
// Authenticate as S. User and password "mysecret"
env.put(Context.SECURITY_PROTOCOL, "ssl");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "cn=root1");
env.put(Context.SECURITY_CREDENTIALS, "root1");
DirContext ctx = new InitialDirContext(env);
SearchControls constraintssc=new SearchControls();
constraintssc.setSearchScope(SearchControls.SUBTREE_SCOPE);
// performing the search
NamingEnumeration results=ctx.search("o=ibm,c=us","cn=s*",constraintssc);
////etc.........
Its gives me an exception saying that
javax.naming.CommunicationException: simple bind failed: 9.182.174.71:636. Root
exception is javax.net.ssl.SSLHandshakeException: Couldn't find trusted certificate
Could any body help me out on this
Thank YouYou are attempting to authenticate via an SSL connection to port 636.
The message 'couldn't find trusted certificate' means that your client doesn't trust the certificate it has received from the LDAP server.
In order to establish that trust, you must export a certificate file from the LDAP server, then use Java's keytool.exe to create a keystore file using that certificate. Then your client code must reference that keystore file that you've created.
So essentially, you have to provide your program the LDAP server's credentials. "If the server's certificate looks like this, then you can trust it."
After your program trusts the certificate it receives from the server at runtime, your connection will authenticate. -
Extremely poor performance to various websites during peak hours - peering issue?
Since approximately 26 Jan 2015, we have been experiencing extremely poor performance to several specific websites during peak hours, 9pm-11pm. Page loads take many minutes (or never complete), etc. Many other sites are perfectly fine, and if I connect to the same sites at the same time through my work VPN, they perform extremly well (under 1sec). There is no correlation between OS or browser and the poor performance (tested on Windows, OSX, Linux) and speedtest typically reports over 80/80.
I've not caught any packet loss using periodic pings. Traceroutes indicate a bunch of different routes being used (I assume this is expected for CDNs), but here's one example of an obviously bad single traceroute:
$ traceroute images.dailykos.com
traceroute to fallback.global-ssl.fastly.net (23.235.46.185), 64 hops max
1 10.1.1.1 0.464ms 0.364ms 0.298ms
2 173.48.161.1 5.223ms 4.793ms 4.904ms
3 130.81.191.250 7.387ms 7.466ms 7.366ms
4 130.81.151.76 4.909ms 4.905ms 4.932ms
5 152.63.20.117 12.441ms 12.433ms 12.434ms
6 152.63.4.141 12.373ms 12.468ms 12.370ms
7 152.179.220.126 14.989ms 14.937ms 14.872ms
8 68.86.84.249 12.505ms 12.259ms 14.988ms
9 68.86.85.25 22.409ms 22.433ms 22.519ms
10 68.86.85.1 19.817ms 19.894ms 19.919ms
11 68.86.83.74 17.389ms 19.870ms 22.460ms
12 4.53.116.18 24.815ms 25.080ms 24.851ms
13 * 208.122.44.198 2849.473ms 29.832ms
14 173.231.134.18 22.430ms * 2026.736ms
The sites in question use the Fastly CDN - my theory is that the VZ-Fastly connection is under provisioned or is broken, but I'm out of my depth at this point."This is a nationwide peering/routing issue that was intentionally created by Verizon to create congestion and (1) extract priority fees from the likes of Netflix and (2) get customers to subscribe to higher speed tiers. This has been acknowledged by the FCC. Verizon is building new interconnections to remedy the problem, but it will persist for at least another 6 months."
-
How to establish an Https connection from a html client
Hi! I�m totally new to Java so my question is rather"stupid". I have an html page that sends a post to a servlet
<form name="form" action="servlet/ServletLogOn" method="post">
I want to establish an https connection between the client and the servlet. How is it?
Thanks in advance.Ignore the previous poster's reply - he was obviously mislead by my original post re: JSSE.
How you install an SSL certificate on your webserver is completely dependent on the webserver you are using. Ususally there is some functionality for doing this from the administrative interface - usually involves pasting some text from the CA's (certificate authority, e.g. Verisign) site into a text box and designating a port number for SSL traffic (use 443, it's internet standard). I've actually only done this for Netscape Enterprise Server - you may want to find a forum for users of your webserver to ask for specifics. -
I really can't figure out this problem. Search the internet tried all kinds of things, nothing help so far.
I have a Macbook Pro (Lion originally installed) running on Mavericks (all latest updates). SSD installed and the DVD tray is replaced by the original HDD.
The laptop wasn't running very smooth anymore so decided to give it a fresh Mavericks install (even though I know it's not really necessary for mac, it helped, everything is much faster except a weird internet problem came up).
After freshly installing Mavericks I couldn't get into my google account anymore, just wouldn't load. Tried Safari (use this normally) and Firefox and Chrome, this last was gave a SSL connection error, both Safari and FF said the website couldn't be loaded because the server didn't respond. For Gmail I use Mailplane which is just stuck on a white page. I tried repairing the keychain, repaired disk and disk permissions, cleaned browsers, turned off firewall and antivirus (Shopos) started in safe mode, checked time settings which were all good. Nothing of this helped. I even ended up creating a usb bootdisk for Mavericks, formatted the disk and reinstalled from the start just Mavericks and nothing else, started Safari, still the same problem. As even this didn't help I figured it's not worth reinstalling all software so put back my backup.
Now I ended up somehow only being able to use Gmail normally in Firefox, Chrome still gives SSL error and Safari can load the inbox, but I can't open any messages. I get the error there is a problem with the connection. If I try in Basic HTML mode it surprisingly does work.
You would say, just use Firefox, finished...but the thing is that sometimes random websites won't load in Firefox, when I load the same site in Safari it works perfectly.
O yes, I also tried the connect to my iPhone and use the Cellular data network, then it's no problem using Gmail in Safari normally. You would say it's a router problem, but I have another Macbook Pro (just one model later running Mountain Lion) this one works perfectly with every browser. Also my iPhone does everyting logged into the WiFi network.
You can understand I really have no clue what's going on here, I don't see any logic. I can only think of a hardware problem in my Macbook, but don't see how that could cause these problems.
I hope someone is ably to help me ?Please read this whole message before doing anything.
This procedure is a test, not a solution. Don’t be disappointed when you find that nothing has changed after you complete it.
Step 1
The purpose of this step is to determine whether the problem is localized to your user account.
Enable guest logins* and log in as Guest. Don't use the Safari-only “Guest User” login created by “Find My Mac.”
While logged in as Guest, you won’t have access to any of your documents or settings. Applications will behave as if you were running them for the first time. Don’t be alarmed by this behavior; it’s normal. If you need any passwords or other personal data in order to complete the test, memorize, print, or write them down before you begin.
Test while logged in as Guest. Same problem?
After testing, log out of the guest account and, in your own account, disable it if you wish. Any files you created in the guest account will be deleted automatically when you log out of it.
*Note: If you’ve activated “Find My Mac” or FileVault, then you can’t enable the Guest account. The “Guest User” login created by “Find My Mac” is not the same. Create a new account in which to test, and delete it, including its home folder, after testing.
Step 2
The purpose of this step is to determine whether the problem is caused by third-party system modifications that load automatically at startup or login, by a peripheral device, by a font conflict, or by corruption of the file system or of certain system caches.
Please take this step regardless of the results of Step 1.
Disconnect all wired peripherals except those needed for the test, and remove all aftermarket expansion cards, if applicable. Start up in safe mode and log in to the account with the problem. You must hold down the shift key twice: once when you turn on the computer, and again when you log in.
Note: If FileVault is enabled, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for further instructions.
Safe mode is much slower to start up and run than normal, with limited graphics performance, and some things won’t work at all, including sound output and Wi-Fi on certain models. The next normal startup may also be somewhat slow.
The login screen appears even if you usually log in automatically. You must know your login password in order to log in. If you’ve forgotten the password, you will need to reset it before you begin.
Test while in safe mode. Same problem?
After testing, restart as usual (not in safe mode) and verify that you still have the problem. Post the results of Steps 1 and 2. -
Safari hangs and poor performance in MBPR (Mid 2012)
Safari hangs and poor performance in MBPR (Mid 2012)? OS X 10.10.2 is up to date
Please answer as many of the following questions as you can. You may already have answered some of them. In that case, there's no need to repeat the answers.
Back up all data before making any changes.
Have you restarted your router and your broadband device (if they're separate) since you first noticed the problem? If not, do that now and see whether there's any change.
If your browser is Safari, then from the Safari menu bar, select
Safari ▹ Preferences... ▹ Privacy ▹ Remove All Website Data
and confirm. If the Downloads button (with the icon of a downward-pointing arrow) is showing in the toolbar, click it and then click Clear in the box that appears. The download history will be removed. Any change?
If you're running OS X 10.9 or later, select the Advanced tab in the Preferences window and uncheck the box marked
Stop plug-ins to save power
Any change?
Quit and relaunch the browser. Any change?
Enable guest logins* and log in as Guest. Don't use the Safari-only “Guest User” login created by “Find My Mac.”
While logged in as Guest, you won’t have access to any of your documents or settings. Applications will behave as if you were running them for the first time. Don’t be alarmed by this behavior; it’s normal. If you need any passwords or other personal data in order to complete the test, memorize, print, or write them down before you begin.
Test while logged in as Guest. Same problem?
After testing, log out of the guest account and, in your own account, disable it if you wish. Any files you created in the guest account will be deleted automatically when you log out of it.
*Note: If you’ve activated “Find My Mac” or FileVault, then you can’t enable the Guest account. The “Guest User” login created by “Find My Mac” is not the same. Create a new account in which to test, and delete it, including its home folder, after testing.
Are any other web browsers installed, and are they the same? What about other Internet applications, such as iTunes and the App Store?
If other browsers and Internet applications are also affected, follow these instructions and test. Any change?
If Parental Controls is active for any user, please turn it off and test. Any change?
If only Safari is affected, launch the Activity Monitor application and enter "web" (without the quotes) in the search box. If a process named "Safari Web Content" is shown in red or is using more than about 5% of a CPU, select it and force it to quit by clicking the X or Quit Process button in the toolbar of the window. There may be more than one such process. Any improvement?
Follow the instructions in this support article. Any change?
Open the iCloud preference pane and uncheck the box marked Photos, if it's checked. Any change?
Are there any other devices on the same network that can browse the Web, and are they affected?
If you can test Safari on another network, is it the same there?
If you connect to your router with Wi-Fi and you can also connect with Ethernet, do that and turn off Wi-Fi. Any difference?
Maybe you are looking for
-
I have run into an interesting problem. I have made several imovies and shared them through IDVD into one big movie. When they play back, one of the imovies will not stop. I have gone back to the original imovie movie and when played, it just keeps g
-
Dear All, I am facing problem while doing Cheque Printing. or (document having definite length). Cheque printing is done on Epson printer. For Particular Cheque printing I created Page Format Under "Dev. type" SAPWIN "Rel.4.x/SAPlpd 4.09+ ONLY!
-
Windows 7 Proessional 64 bit, Microsoft Word 2010 - How do I print a number 6 envelope?
I can print a #10 envelope okay but when I try to print a #6 envelope there are no selections in the printder menu for a #6 envelope. Thanks **bleep**
-
Hai all, I like to use HS+ excel Odbc driver to load data from excel file to owb. I do all the steps correctly. I created a mapping. While deploying the mapping I got the following error. "error occurred when looking up remote object <unspecified>.Em
-
Where define a report does not go directly to printer ?
Hi I have a program wich generates a report list in screen. When this program is executed in job (batch) for one user, the report is automaticaly sended to printer. Where is this configured ? If the user has a configuration so his reports are automat