SSL Session resume

WLS 6.1 (Solaris 8)
Apache 1.3
We are using an EJB to create an HTTPSConnection (SSL connection) to a
third party to retrieve data displayed in a JSP. We are using the
Weblogic SSL implementation.
I turned on the "-DSSL.debug" info and it looks like a new SSL session
is being created for each request to our third party (it goes through
the whole handshake every time).
Is there any way to have the SSL session resumed using the Weblogic
SSL implementation? During development, I was able to get the JSSE
implementation to resume session by keeping the same URL object
around...so I figured Weblogic would work the same way.
If anyone knows how the Weblogic SSL session manager works, I'd love
to hear about it. I read that SSL sessions were supposed to be fixed
back in 5.1SP10, but that sounded like it was for Weblogic clients so
maybe Weblogic "as the client" is different?
Thanks,
Chris

Hi, Chris --
The fixes to SSL session caching appear in WLS 6.1 SP11 and WLS 6.1 SP3.
A WebLogic SSL client would normally retain its current session ID;
however, this SSL session state information is associated only with the
"current thread" - which might explain in part why new SSL sessions
are being negotiated on subsequent calls to the EJB.
-- Jim
P.S. You may want to consider opening a case with WebLogic Support to
explore this question further.
Jim Brown
Developer Relations Engineer
BEA Support
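The JSSE behaviour Chris saw in development (a session reused when the same client object makes the second connection) can be checked directly, and the same code answers the questions further down the page about how a program can tell whether a session was resumed and how many sessions a session cache currently holds. This is an added example, not code from the thread or from WebLogic; it assumes a TLS 1.2 server reachable at the host and port given on the command line, ID-based resumption, and the JDK's default trust store.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class SessionResumeCheck {

    /** Handshake once through the given factory and return the negotiated session. */
    static SSLSession handshake(SSLSocketFactory factory, String host, int port) throws IOException {
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            // Assumption: ID-based resumption (TLS 1.2 and earlier). TLS 1.3 resumes via PSK
            // tickets and gives each connection a fresh ID, so comparing IDs would not work there.
            socket.setEnabledProtocols(new String[] { "TLSv1.2" });
            socket.startHandshake();            // complete the handshake so getSession() is final
            return socket.getSession();
        }
    }

    /**
     * Connect twice through the SAME factory, i.e. the same SSLContext and therefore the
     * same client session cache, and report whether the second handshake resumed the first
     * session. JSSE keys its client cache on host:port, so a different port, or a fresh
     * SSLContext per call, means a full handshake every time.
     */
    static boolean secondConnectionResumes(SSLSocketFactory factory, String host, int port)
            throws IOException {
        byte[] first = handshake(factory, host, port).getId();
        byte[] second = handshake(factory, host, port).getId();
        return first.length > 0 && Arrays.equals(first, second);
    }

    /** Number of sessions currently held in a client- or server-side session cache. */
    static int cachedSessionCount(SSLSessionContext cache) {
        int n = 0;
        for (Enumeration<byte[]> ids = cache.getIds(); ids.hasMoreElements(); ids.nextElement()) {
            n++;
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "tls-server.example"; // placeholder host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);   // default key managers and the JDK trust store

        // Bound the client cache explicitly: 10 sessions, 300 seconds. An unbounded cache
        // with a long timeout is what leads to the memory pressure described later on the page.
        SSLSessionContext clientCache = ctx.getClientSessionContext();
        clientCache.setSessionCacheSize(10);
        clientCache.setSessionTimeout(300);

        SSLSocketFactory factory = ctx.getSocketFactory();
        boolean resumed = secondConnectionResumes(factory, host, port);
        System.out.println("second handshake resumed the session: " + resumed);
        System.out.println("sessions in client cache: " + cachedSessionCount(clientCache));
    }
}
```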

Similar Messages

  • SSL Session Resume in WLS6.0sp2

    When I access a WLS6.0sp2 Server via https, SSL sessions are not
    resumed. Every request triggers a new handshake. The SSL relevant parts
    of the config file (config.xml) look like below. Any hints on how to
    motivate WLS to resume SSL sessions are very welcome.
    Thanks, Toby
    <SSL ClientCertificateEnforced="false" Enabled="true"
    ListenPort="7002" LoginTimeoutMillis="20000" Name="myserver"
    ServerCertificateChainFileName="config/mydomain/ca.pem"
    ServerCertificateFileName="config/mydomain/democert.pem"
    ServerKeyFileName="config/mydomain/demokey.pem"
    TrustedCAFileName="config/mydomain/tarsectestca.pem"/>

    Well, for HTTPS I want to do SSL with client authentication based on a
    smartcard. Thus, crypto processing happens on the slow card hardware. If every
    HTTPS request requires a new SSL handshake with client authentication, I rely
    very hard on the patience of my customer ;-) It is a no go. All SSL
    implementations I have come in touch with support SSL session resume. I understand
    that there is no way to configure WLS to resume sessions. Can somebody elaborate
    more on the plan to add this feature?
    Thanks Toby
    Michael Girdley wrote:
    I do not believe that this is a supported feature. We plan to offer it in
    the future.
    Michael Girdley
    BEA Systems
    Learning WebLogic? http://learnweblogic.com
    Buy the only book covering J2EE & WebLogic 6:
    http://www.amazon.com/exec/obidos/ASIN/0130911119/learnweblogic/103-9227026-4636613

  • SSL Session resumed or not?!

    Hi
    Is there a way to "know" whether an SSL Session is resumed (SSL resumption) or built up through the whole handshake process?
    I switched on the SSL debug mode. There I can see whether a whole handshake is done or not. But I need this information in my Java program.
    Any ideas...?
    thx in advance,
    tom

    You can get the current SSL Session id via SSLSocket.getSession().getID(), so you can compare with the previous one for equality.
    Why do you need to know?

  • HTTPS persistence SSL session, ACN 4.2.1

    Customer is experiencing a problem resulting in the ACN software resolving host.domain.com twice. Web application: https://host.domain.com/webapp/index.jsp. The customer uses an ACN to proxy the https request. host.domain gets resolved to 1 of 4 available application servers (webservers). At the application login page (index.jsp) the user is successfully authenticated by the application's Login servlet on webserver 1. The user is then redirected to the selected application, local to webserver 1. It appears that when the ACN receives the response from webserver 1 with the fully qualified URL, the redirection causes the ACN to resolve host.domain against DNS and as a result, the user's browser is redirected to a different webserver. The user's previous session is no longer valid, breaking the client/webserver trusted relationship.
    If the above user uses 1 of the 4 available IP addresses in the DNS entry, the user successfully maintains the SSL session. The customer is migrating to a Cisco Content Engine 560 running version 4.2.1 ACN software.
    I understand there are ACN features that could affect HTTP session persistence/SSL trust. The services/features include boomerang, Reverse Proxy, and content balancing. I request information on the service or feature of the ACN that could cause the problem I describe above.
    I understand there are different methods of implementing session persistence, like sticky session and SSL sticky, but believe the ACN does provide this feature.

    The customer is experiencing network issues when attempting to access our application. The problem the customer is experiencing has been seen with previous customers that had similar network devices.
    The customer uses a Cisco Content Engine CE-560 with Application and Content Networking Software (ACNS) version 4.2.1. The problem seems to be a result of the ACNS resolving hostname.domain.com twice. The webserver's DNS (hostname.domain.com) entry resolves to one of four available webservers (DNS round robin).
    nslookup hostname.domain.com
    webserver1 webserver2 webserver3 webserver4
    nslookup hostname.domain.com
    webserver2 webserver3 webserver4 webserver1
    and so on.
    All client/webserver communication is through SSL. When the customer uses the FQDN URL (https://hostname.domain.com/webapp/index.jsp) to access the application login page, the server portion of the URL is resolved to webserver1. At this time, the customer has an established HTTPS session with webserver1. Once a login servlet running on webserver1 receives the customer-supplied login credentials, the servlet sends a server response 302 redirecting the customer to the selected application.
    This redirection response seems to cause the ACNS to resolve hostname.domain.com and as a result, the customer's browser is redirected to a different webserver, webserver2. The user's previous session is no longer valid, causing the application to generate a false inactivity timeout.
    If the customer sends an HTTPS request using any one of the four IP addresses from DNS, the session is maintained and the customer does not receive the false inactivity timeout, because the session is not "broken".
    The customer is migrating off of a Netscape (iPlanet) Web Proxy solution and does not experience the problem accessing the application, using the FQDN URL.
    DNS caching is enabled on the customer CE.

  • Http.keepAlive does not turn off SSL session cache?

    Hi there,
    I have a web service client that uses JSSE for making web service calls via https. In an effort to debug problems, I set http.keepAlive to false. I can see from the SSL debug output that KeepAlive timer messages no longer show up, but I still see text such as "Cached client session" and "try to reuse cached session", etc.
    Should not turning off keepAlive disable the use of persistent sessions?
    Thanks.
    Yan

    They are unrelated features.
    HTTP Keep Alive allows the browser to maintain a Socket to the server and issue multiple HTTP requests over that same socket.
    SSL Session caching is when an SSL Session is assigned an ID, and additional SSL connects may be established with the same ID. These additional sockets then do not need to perform the full SSL handshake, since much of the data has already been negotiated previously.

  • Disable non-SSL session tracking?

    Hi, all,
    I wonder if one can disable all session tracking in JSP's whenever SSL is not being used? I would like to turn off all cookie-setting and URL-rewriting and use SSL-session tracking only (if I use session-tracking at all on a given page). I also want to specify this behavior programmatically (inside my JSP's) and not in my server's config files.
    I'm basically concerned that if my user leaves one of my HTTPS pages, they will still retain a non-secure cookie with their session information. This seems to be indeed the default behavior: when I run my tests and transition from an HTTPS page to an HTTP one, the browser does store a cookie. I know I can invalidate the session as the next step, but I'd rather have the cookie not being set altogether to begin with. Imagine the situation where the user leaves my HTTPS page for a totally different (HTTP) website: in this setting I won't get a chance to invalidate the session and delete the cookie.
    Any ideas, therefore, on how to programmatically disable non-SSL session-tracking?
    Thanks,
    Dmitri.

    I don't think you can do this programmatically.
    However I also don't think it is a problem.
    Cookies are related to zone names aren't they?
    http://mysite and https://mysite are two different
    zones as far as cookies are concerned. One should
    not be able to see the other.
    It issues a new cookie for the http site you are just
    navigating to. That cookie has nothing to do with
    the secure site you just came from, and shouldn't be
    able to tell them any info about the secure site.
    I think you are worrying about something that isn't
    really there.
    What is your concern? That they pick up a JSESSIONID
    from the cookie and can then pretend to be a
    different user?

    Yes. A cookie is transmitted and stored unencrypted, I imagine (in any case, it should be more easily crackable than SSL). I wish Sun came up with an extension to the Session API where you would be able to explicitly specify which session-tracking protocols you want used and which ones you don't. At the moment their API abstracts and manages too much detail for you.
    I mean, if my site is supposed to be secure while I'm using SSL, then you'd expect that no information about those secure sessions should leak outside the SSL protocol, wouldn't you say?

  • SSL Session cache persistence

    Hello,
    I've been scratching my head for a while on a problem concerning SSL session caching. Upon examining memory usage of the session cache I noticed that the number of cached sessions is reset at some point while new sessions are created. For example sometimes at around 300-1500 sessions the number drops to under 10. I have set the session cache size to unlimited (via SSLSessionContext.setSessionCacheSize()) and session timeout to 24 hours (via setSessionTimeout()).
    I noticed that this probably has something to do with garbage collection. I made a server application that receives SSL connections and every few seconds prints the number of sessions in the cache and the amount of consumed memory (in megs). I also enabled garbage collection information printing and ran the Java VM with a maximum heap size of 512M. I ran a client application against it that continuously initializes new sessions. Here's what I got:
    Sessions: 484     Memory: 1.7913589477539062
    [GC [DefNew: 503K->4K(576K), 0.0007350 secs] 2234K->1734K(3796K), 0.0008700 secs]
    [GC [DefNew: 513K->63K(576K), 0.0009260 secs] 2243K->1793K(3796K), 0.0010680 secs]
    Sessions: 490     Memory: 1.7832870483398438
    [GC [DefNew: 569K->37K(576K), 0.0021150 secs] 2299K->1773K(3796K), 0.0022560 secs]
    Sessions: 495     Memory: 2.1244659423828125
    [GC [DefNew: 543K->37K(576K), 0.0019000 secs] 2279K->1775K(3796K), 0.0034750 secs]
    [GC [DefNew: 549K->57K(576K), 0.0009080 secs] 2287K->1796K(3796K), 0.0010290 secs]
    [Full GC [Tenured: 1739K->1635K(3220K), 0.0865340 secs] 1962K->1635K(3796K), [Perm : 3267K->3267K(8192K)], 0.0885000 secs]
    Sessions: 6     Memory: 1.7752304077148438
    [GC [DefNew: 512K->58K(576K), 0.0016310 secs] 2147K->1694K(3796K), 0.0017680 secs]
    [GC [DefNew: 568K->37K(576K), 0.0009750 secs] 2204K->1678K(3796K), 0.0011110 secs]
    Sessions: 12     Memory: 1.7010269165039062
    [GC [DefNew: 549K->56K(576K), 0.0014310 secs] 2190K->1699K(3796K), 0.0015600 secs]

    Notice how the number of sessions drops from 495 to 6? And in between there's a garbage collection print "[Full GC...". Why is this? Shouldn't the session cache keep the sessions until there are either too many of them or they get too old? Here only a few minutes have elapsed and memory consumption is under control (1 to 3 megs).

    > In my implementation I avoid session renegotiation as
    > much as possible to achieve high throughput. My goal
    > is to preserve sessions for the entire session
    > timeout time. This raises a few questions:
    Understood, but you also have to protect the server against resource exhaustion. It's in the client's interest to cache lots of sessions for a long time; the server's interest is to conserve resources so it can keep itself running.
    You actually don't want to cache all the sessions, just the 'hot' ones, so you're better off having the SessionContext remove sessions on an LRU basis by having a finite limit, rather than just letting them be GC'd. The fact that so many sessions were collected in your runs indicates pretty severe memory usage.
    > (1) Is there any way to tweak this behavior? For
    > example can I make the sessions live longer by using
    > some GC flags for the VM?
    Allocate more heap space, or cache fewer sessions.
    > (2) How about keeping regular references to all the
    > sessions in my application?
    That would save them from GC of course. But then you'll quickly discover that you really do need a finite limit.
    > (3) Is the behavior of the session cache or the inner
    > workings of the SSL API in general documented
    > somewhere?
    Only in the source code of JSSE, and that's only a property of Sun's JRE implementation. Session caching is not even a required feature, and J2ME implementations for example generally don't do it at all.

  • CSS11503/ACE 4710 - SSL session id cache

    I have a couple of questions.
    1. I'd like to know what happens when the SSL session id cache (def 10k) gets filled on a CSS11503. Do new connections get dropped or do they still work but are they less efficient?
    2. What is the cache size on an ACE4710?

    The problem was caused by an incorrect nat pool. Correct Mask was 255.255.255.0.

  • Proxyless clustering and SSL session state

    The current 6.0 docs are a bit quiet on SSL and clustering, so can I check
    whether it is the case that when proxy-less clustering is used with SSL, a
    failover results in a new certificate exchange and crypto session
    establishment? In other words, the clustering isn't attempting to replicate
    the SSL session state or similar super-subtle strategy.
    Thanks!
    Alex Thomas
    Lehman Brothers
    London

    Alex,
    A failover will result in a new SSL connection being started. As you say
    this will mean that certificate exchange and session key exchange will occur
    again. All of the replicated state is kept at a higher level in the server
    so that we can use different SSL implementations including hardware
    accelerators.
    Regards,
    Adam

  • Monitoring SSL sessions/sec on CSS

    Hello,
    I have been trying to find the right parameter via CLI or SNMP to monitor the number of SSL sessions/sec. We are using CSS 11503 with an SSL module supporting in theory 800 to 1000 SSL sessions/sec and I'd like to know what the current load is. I am already graphing the flows/sec but this is too generic.
    Any help is appreciated.
    Thanks,
    Fabrice

    Fabrice,
    there might not be an exact counter for connections per second, but what most people do [with CSS or other devices] is capture the total number of connections every X seconds, take the difference and divide by X to get the average connections per second.
    You could use one or combination of the following counters
    CSS11503-2(debug)# sho ssl statistics | grep conn
    0 Handshake started for incoming SSL connections
    0 Handshake completed for incoming SSL connections
    0 Handshake started for outgoing SSL connections
    0 Handshake completed for outgoing SSL connections
    0 TCP connections failed
    0 TCP connections established
    0 TCP connections originated
    0 TCP connections terminated
    Gilles.

  • SSL Session and Connection

    What is the difference between SSL Session and Connection? I understand that a session is the negotiation of parameters and connections are built upon the sessions. But please help me understand how it works in practice, as in when using an AnyConnect client or browser: how does it function?

    How about something like:
    // It appears there may be issues with TLS...
    // so to prevent it from being used, we'll be
    // specific...SSLv3
    // (kmFactory is a KeyManagerFactory initialised elsewhere with the client keystore)
    SSLContext context = SSLContext.getInstance("SSLv3");
    context.init(kmFactory.getKeyManagers(), null, null);
    SSLSocketFactory ssf = context.getSocketFactory();
    // com.sun.net.ssl.HttpsURLConnection is the legacy class; javax.net.ssl.HttpsURLConnection is the standard one
    com.sun.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(ssf);
    That do ya?
    -michael

  • Does WLS 5.1 support SSL session reuse?

    Does WLS 5.1 support SSL session reuse?
    I noticed in an earlier post that WLS 4.5 doesn't. It this also true for 5.1?


  • SSL session resumption

    Hi
    I tried to find out how to reuse an SSL session in Java, but I don't find it anywhere!
    Can anyone show me how to reuse it in an example? Thanks!

    hi EJP.
    Thanks for your good answer.
    I try to use the session context as follows:
    import javax.net.ssl.*;
    // kmf: a KeyManagerFactory already initialised with the server keystore
    SSLContext context = SSLContext.getInstance("TLSv1");
    KeyManager[] keyManagers = kmf.getKeyManagers();
    SSLSessionContext scontext = context.getServerSessionContext();
    scontext.setSessionTimeout(10);     // seconds: a session expires 10 s after its creation time
    scontext.setSessionCacheSize(100);  // at most 100 cached sessions
    context.init(keyManagers, null, null);
    but I don't see it influencing the SSL socket connections to my server! The SSLSession is not stored in the SSLSessionContext!
    Maybe I don't use it rightly. Can you tell me the right way to use it! thanks!
    Edited by: 841025 on Mar 2, 2011 9:51 PM

  • SSL session reuse

    Greetings,
    I am trying to modify an ftp secure client program written in Java to reuse SSL session when it establishes SSLSocket for ftp passive data connections with a server. It appears that some of the FTP secure servers based on OpenSSL can impose a restriction to allow clients to establish data connection only if the SSL session is reused from the ftp control connection. After running some experiments with JSSE I am noticing that SSL Sessions can be reused only if connecting to the same host at the same port. As soon as I try connecting to a different port, SSL Client does not bother to reuse SSL sessions. Is this a limitation/restriction of JSSE or there is a way to get around this?
    Thank you,
    Paul

    It is dangerous (easy to get attacks) if you can reuse the session for a different port. There is no workaround for SunJSSE.

  • ACE 3.0(0) SW / LB with SSL Session-ID

    Hello!
    I want to use the "SSL Session-ID" sticky method in load-balancing, but can't find any info about it in the 3.0(0)A1(2) sw configuration guides. Where can I find info about it? Or is this method supported only in the old A2(1.0) release?
    Thanks.

    SSL Session ID Sticky to ensure Client Persistence
    1. Demonstrate the ability to provide stickiness using SSL
    Session ID. To do this you will need to use the Generic Protocol Parsing
    framework on ACE. With the right regular expression you will be successful!!
    2. Before you begin to configure the SSL Sticky group, be sure that
    you have allocated resources to the sticky group. Note this is done in the
    Admin context.
    resource-class cart
    limit-resource all minimum 0.00 maximum unlimited
    limit-resource sticky minimum 1.00 maximum equal-to-min
    context Lab-Cart-11
    allocate-interface vlan 211
    allocate-interface vlan 411
    member cart
    3. Create an SSL-v3 sticky group and associate the serverfarm. Good
    idea to configure a sticky timeout value. This specifies the period of time
    that the ACE keeps the sticky information in the sticky table. Note the ACE
    resets the timer each time ACE opens connections matching that entry. Also
    configure the Layer 4 sticky parameters for a 32-byte session ID.
    sticky layer4-payload ssl-v3
    timeout 600
    serverfarm HTTPS-FARM
    response sticky
    layer4-payload offset 43 length 32 begin-pattern "\x20"
    When a new session is established between client and server, the server
    generates a session id. The session id is an arbitrary sequence of bytes.
    The length of the session id is 16 bytes for SSLv2 sessions and between 1
    and 32 bytes for SSLv3/TLSv1. The session id is not security critical but
    must be unique for the server. Additionally, the session id is transmitted
    in the clear when reusing the session so it must not contain sensitive
    information.
    4. Create a class-map to match the layer 4 payload.
    class-map type generic match-any SSL-v3-32
    2 match layer4-payload regex "\x16\x03\x00..\x01.*"
    3 match layer4-payload regex "\x16\x03\x01..\x01.*"
    5. Create a new generic load balance policy map and associate the
    sticky-serverfarm under the class.
    policy-map type loadbalance generic first-match SSL-v3-Sticky
    class SSL-v3-32
    sticky-serverfarm ssl-v3
    6. Change to the client-vips policy map to represent the new
    SSL-v3-Sticky policy you just created
    policy-map multi-match client-vips
    class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy SSL-v3-Sticky
    loadbalance vip icmp-reply active
    7. Verify the VIP is accessible by trying to hit the VIP.
    8. View the connection using the show conn command.
    Pod1-ACE/Lab-Cart-11# show conn
    total current connections : 1
    conn-id    np dir proto vlan source                destination           state
    ----------+--+---+-----+----+---------------------+---------------------+------+
    10         1  in  TCP   211  209.165.201.11:1115   172.16.11.190:443     ESTAB
    9. Interesting, I can see that the first connection has been set up. Why
    is ACE not load balancing the connection to the server?
    10. Great I need to configure a L7 parameter map with a max parse-length
    parameter-map type generic SSL-v3
    set max-parse-length 70
    11. Associate the parameter map to the client-vips policy map
    policy-map multi-match client-vips
    class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy SSL-v3-Sticky
    loadbalance vip icmp-reply active
    appl-parameter generic advanced-options SSL-v3
    12. Verify the VIP is now accessible by trying to hit the VIP.
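To see what the ACE class-map regexes and the "offset 43 length 32 begin-pattern \x20" sticky rule are actually inspecting, here is an added example (not from the thread or from Cisco) that builds a constructed TLSv1 ClientHello record, applies the same two checks in code, and pulls out the session ID the load balancer keys its sticky table on. The offsets are derived from the TLS record and handshake layout; the sample bytes are constructed, not captured.

```java
import java.nio.ByteBuffer;
import java.util.Arrays;

public class ClientHelloSessionId {

    static final int RECORD_HEADER = 5;     // content type(1) version(2) length(2)
    static final int HANDSHAKE_HEADER = 4;  // handshake type(1) length(3)
    static final int CLIENT_VERSION = 2;
    static final int RANDOM = 32;
    /** 5 + 4 + 2 + 32 = 43: the session-ID length byte that the ACE rule looks at. */
    static final int SESSION_ID_LEN_OFFSET = RECORD_HEADER + HANDSHAKE_HEADER + CLIENT_VERSION + RANDOM;

    /** Code equivalent of the two class-map regexes: a handshake record (0x16) with record
     *  version SSLv3 (03 00) or TLSv1 (03 01), two length bytes, then a ClientHello (0x01). */
    static boolean isClientHelloRecord(byte[] rec) {
        return rec.length > RECORD_HEADER
            && rec[0] == 0x16
            && rec[1] == 0x03 && (rec[2] == 0x00 || rec[2] == 0x01)
            && rec[RECORD_HEADER] == 0x01;
    }

    /**
     * Returns the session ID the client is offering, or null. Mirrors
     * "layer4-payload offset 43 length 32 begin-pattern \x20": only a full 32-byte ID
     * (length byte 0x20) is taken as a sticky key. A zero-length ID means the client has
     * nothing to resume, so the connection is simply load balanced and gets a new ID.
     */
    static byte[] sessionId(byte[] rec) {
        if (!isClientHelloRecord(rec) || rec.length <= SESSION_ID_LEN_OFFSET) return null;
        int len = rec[SESSION_ID_LEN_OFFSET] & 0xff;
        if (len != 32 || rec.length < SESSION_ID_LEN_OFFSET + 1 + len) return null;
        return Arrays.copyOfRange(rec, SESSION_ID_LEN_OFFSET + 1, SESSION_ID_LEN_OFFSET + 1 + len);
    }

    /** Constructed sample: a minimal TLSv1 ClientHello carrying the given session ID,
     *  one cipher suite and the null compression method. */
    static byte[] buildClientHello(byte[] sid) {
        // body = version(2) + random(32) + sid len(1) + sid + suites len(2) + one suite(2)
        //        + compression len(1) + null method(1)
        int bodyLen = CLIENT_VERSION + RANDOM + 1 + sid.length + 2 + 2 + 1 + 1;
        ByteBuffer b = ByteBuffer.allocate(RECORD_HEADER + HANDSHAKE_HEADER + bodyLen);
        b.put((byte) 0x16).put((byte) 0x03).put((byte) 0x01);          // handshake, TLSv1
        b.putShort((short) (HANDSHAKE_HEADER + bodyLen));              // record length
        b.put((byte) 0x01);                                            // ClientHello
        b.put((byte) (bodyLen >> 16)).put((byte) (bodyLen >> 8)).put((byte) bodyLen);
        b.put((byte) 0x03).put((byte) 0x01);                           // client_version
        b.put(new byte[RANDOM]);                                       // random (zeroed sample)
        b.put((byte) sid.length).put(sid);                             // session_id
        b.putShort((short) 2).putShort((short) 0x002f);                // cipher_suites
        b.put((byte) 1).put((byte) 0);                                 // compression_methods
        return b.array();
    }

    public static void main(String[] args) {
        byte[] sid = new byte[32];
        for (int i = 0; i < sid.length; i++) sid[i] = (byte) i;        // constructed sample ID
        byte[] hello = buildClientHello(sid);

        System.out.println("matches the ClientHello regexes: " + isClientHelloRecord(hello));
        System.out.println("byte 43 is 0x20: " + (hello[SESSION_ID_LEN_OFFSET] == 0x20));
        System.out.println("session ID recovered: " + Arrays.equals(sid, sessionId(hello)));
        // The ID occupies bytes 44..75, so a parser must be allowed to read at least that far.
        System.out.println("session ID ends at byte " + (SESSION_ID_LEN_OFFSET + 32));
        System.out.println("empty-ID hello gives no key: " + (sessionId(buildClientHello(new byte[0])) == null));
    }
}
```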
