axis-java-dev mailing list archives

From "Davanum Srinivas" <dava...@gmail.com>
Subject Re: Axis 1.x JSSESocketFactory missing Socket timeout for connect() and initial SSL handshake
Date Fri, 10 Nov 2006 20:36:24 GMT
Please try the CommonsHTTPSender. See wiki for more info.

-- dims

On 11/10/06, Charbonneau, Pierre-Hugues <pierre-hugues.charbonneau@cgi.com> wrote:
> Hi,
>
> I did review the data collected following an outage on a platform I'm working on and made the following findings for HTTPS / SSL requests. We are using Axis 1.2 but the issue exists in Axis 1.4 as well.
>
> - The timeout set up with the Axis stub is only effective during a transaction but not during the actual physical connection, e.g. the Socket.connect() operation.
>
> - The secure implementation of Axis (SSL) has limitations regarding timeout and Socket creation. As mentioned, the timeout is effective during HTTPS requests only but not for the Socket creation & initial SSL handshake. Find below the key technical facts & findings after code review of the open source Apache Axis API 1.x.
>
> 1) Axis is of course using a different Socket factory for secure and non-secure Sockets. We are using HTTPS / SSL so the JSSE Factory is used instead of the default one. The timeout problem we are discussing right now is isolated to the JSSE / SSL Socket factory only.
> 2) The Axis JSSE Factory implementation does not implement any timeout during the Socket creation / connection as well as the initial SSL handshake.
> 4) The problem we are discussing right now is isolated to HTTPS / SSL only. Axis for HTTP does not have such a lack of timeout for the Socket.connect().
>
>
> Here is the flow:
> org.apache.axis.transport.http.HTTPSender
>
>
> 1) First HTTPSender is called for the HTTPS request.
> 2) The getSocket() method is called to create a new SSL socket.
> 3) We now obtain the Factory >> SocketFactory factory = SocketFactoryFactory.getFactory(protocol, options); // Which is JSSESocketFactory in our case
> 4) Now we obtain a new Socket >> Socket sock = factory.create(host, port, otherHeaders, useFullURL);
> 5) Then finally we set up the SO timeout within HTTPSender >> if(timeout > 0) sock.setSoTimeout(timeout);
>
> The problem is with steps 4 and 5. As you can see, we set up the timeout on the Socket after the Socket creation. That means such timeout is not passed or even referenced within JSSESocketFactory. So this timeout will only help read() / write() operations after the initial SSL Socket creation.
>
>
> Now, find below the JSSE Factory code missing the timeout:
>
> org.apache.axis.components.net.JSSESocketFactory.create()
> .............
> sslFactory.createSocket(host, port);
> .................
>
> As you can see, the JSSE SSL Socket Factory is not using the "disconnected" approach of JDK 1.4 for creating sockets. That means no timeout value is passed when attempting an initial TCP / IP connection between Server A and Server B.
>
> Timeout should be added like the DefaultFactory used for non-secure HTTP requests.
>
> org.apache.axis.components.net.DefaultSocketFactory.create()
> .........
> sock = create(host, port, timeout);
> ...........
> Which is passing such timeout to the JDK 1.4 connect() method:
>
> Object address = inetConstructor.newInstance(new Object[] {
>  host, new Integer(port)
>  });
>  sock = (Socket)socketConstructor.newInstance(new Object[0]);
>  connect.invoke(sock, new Object[] {
>  address, new Integer(timeout)
>  });
>
>
> Please let us know if there is any existing patch for this issue.
>
> Thanks.
> Pierre-Hugues
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: axis-dev-help@ws.apache.org
>
>


-- 
Davanum Srinivas : http://www.wso2.net (Oxygen for Web Service Developers)
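
The "disconnected" approach discussed in the quoted report, applied to an SSL socket, as an added example that is not part of this thread and is not Axis code: the TCP connect is bounded first, then SSL is layered over the connected socket with SO_TIMEOUT set before the handshake. The class name `TimedSslConnect`, the method `open()` and its timeout parameters are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public final class TimedSslConnect {

    // open(), connectTimeoutMs and readTimeoutMs are hypothetical names for this example.
    public static SSLSocket open(String host, int port,
                                 int connectTimeoutMs, int readTimeoutMs) throws IOException {
        // In java.net a timeout of 0 means "wait forever", so reject it explicitly.
        if (connectTimeoutMs <= 0 || readTimeoutMs <= 0) {
            throw new IllegalArgumentException("timeouts must be positive");
        }
        // Create the socket unconnected, then connect with a bounded wait (JDK 1.4+).
        Socket plain = new Socket();
        try {
            plain.connect(new InetSocketAddress(host, port), connectTimeoutMs);
            SSLSocketFactory sslFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            // Layer SSL over the connected socket; autoClose=true closes 'plain' with it.
            SSLSocket ssl = (SSLSocket) sslFactory.createSocket(plain, host, port, true);
            // Set SO_TIMEOUT before the handshake so a stalled peer cannot block it.
            ssl.setSoTimeout(readTimeoutMs);
            // A raw SSLSocket does not check the certificate's host name by default.
            SSLParameters params = ssl.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            ssl.setSSLParameters(params);
            ssl.startHandshake(); // SocketTimeoutException if the peer stops responding
            return ssl;
        } catch (IOException | RuntimeException e) {
            plain.close(); // release the descriptor on timeout or handshake failure
            throw e;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values; point this at an HTTPS endpoint you operate.
        try (SSLSocket s = open("example.org", 443, 5000, 10000)) {
            System.out.println("Negotiated " + s.getSession().getProtocol());
        }
    }
}
```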
