harmony-dev mailing list archives

From Gerald Jerome <gerald.jer...@verizonbusiness.com>
Subject [classlib][xnet] Problem using SSLSocketImpl behind load balancer
Date Tue, 10 Apr 2007 19:21:20 GMT
Hello, we are using the Apache Harmony SSLSocket classes to solve a problem
we were having with SSL renegotiation.  However, recently our production
admin noticed that our SSL client was not automatically failing over to a
secondary machine that exists behind a load balancer or redistributor in
cases where a server goes down (either unexpectedly or for maintenance).  We
are using the Sun JVM and not the Apache Harmony version.  He mentions the
following: 

Our investigation found that once Java-based clients (both standalone
applications, and servlets) have performed the first network access (i.e.
urlconnection, parsing of xml document with external references, etc) they
cache DNS settings, so any subsequent client request will use its old DNS
information even if the real DNS settings have changed.

To reset everything, you have to restart the client application since the
default JVM setting is to cache forever.

The InetAddress class has a cache to store successful as well as
unsuccessful host name resolutions. The positive caching is there to guard
against DNS spoofing attacks. 

He goes on to discuss how the caching can be disabled.  I know your
SSLSocket implementation uses SSLEngine and does low-level socket-based
communication, so I did not think his analysis might fit our situation.
Furthermore, I am not convinced that we are having this problem but our
development and test environments do not have a distributor/load balancer in
front of the actual host machines.  I know in production we are configured
to connect to the distributor, not one of the actual hosts.  I am wondering
if you were aware of any caching of DNS information that may be going on
inside the SSLSocket class and dependent code that we are using?  I
could not find any references to the InetAddress class mentioned above in
any of the Harmony source I have.  The x-net.jar file that we are using has
a last modified date of October 28, 2006 8:27:58 PM. The last modified date
of luni.jar is the same.  These are the only two Apache Harmony libraries we
are using.  Any information you have pertaining to this problem is greatly
appreciated.

Regards,

Gerald Jerome
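As an added illustration (not part of Gerald's message or of the Harmony code), the JVM-side knobs the admin refers to are the `java.security` properties `networkaddress.cache.ttl` and `networkaddress.cache.negative.ttl`, which must be set before the first `InetAddress` lookup because the cache policy is read only once; the "cache forever" default he describes is the JDK's policy when a security manager is installed, while without one the positive cache expires after a short implementation-specific period. The helper below applies a bounded positive TTL rather than disabling caching outright, and then checks whether the address a client is pinned to has dropped out of the name's current resolution, which is how one would confirm a stale-cache failover problem like the one reported. The property names are real JDK properties; the `StaleResolutionCheck` class, the `Resolver` interface and the sample addresses are constructed for this example.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.Security;
import java.util.Arrays;

/** Added example: bound the JVM's InetAddress cache and detect a stale resolution. */
public final class StaleResolutionCheck {

    /** Resolver abstraction so the check can run without live DNS (constructed data below). */
    public interface Resolver {
        InetAddress[] resolve(String host) throws UnknownHostException;
    }

    /**
     * Must be called before the first InetAddress lookup anywhere in the JVM: the cache
     * policy is read once when the InetAddress machinery initialises, so a later call
     * has no effect. A bounded positive TTL keeps some protection against a spoofed
     * answer being pinned forever, yet lets a load balancer's DNS change take effect.
     */
    public static void boundDnsCache(int positiveSeconds, int negativeSeconds) {
        if (positiveSeconds < 0 || negativeSeconds < 0) {
            throw new IllegalArgumentException("use a bounded TTL, not 'forever' (-1)");
        }
        Security.setProperty("networkaddress.cache.ttl", Integer.toString(positiveSeconds));
        Security.setProperty("networkaddress.cache.negative.ttl", Integer.toString(negativeSeconds));
    }

    /**
     * True when the address a connection is using is no longer among the addresses the
     * name currently resolves to, i.e. the client is pinned to a host the balancer's DNS
     * no longer advertises. InetAddress.equals compares the IP bytes, not the host name,
     * so pass Socket.getInetAddress() for a live connection.
     */
    public static boolean isStale(InetAddress inUse, String host, Resolver dns)
            throws UnknownHostException {
        return inUse != null && !Arrays.asList(dns.resolve(host)).contains(inUse);
    }

    public static void main(String[] args) throws Exception {
        boundDnsCache(60, 10);
        // Constructed sample: the balancer's name moved from 10.0.0.1 to 10.0.0.2 (example
        // IPs); getByAddress performs no lookup, so this runs offline.
        InetAddress pinned = InetAddress.getByAddress("lb.example", new byte[] {10, 0, 0, 1});
        InetAddress current = InetAddress.getByAddress("lb.example", new byte[] {10, 0, 0, 2});
        Resolver fakeDns = h -> new InetAddress[] { current };
        System.out.println("stale: " + isStale(pinned, "lb.example", fakeDns));
    }
}
```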
