hc-dev mailing list archives

From "Kalnichevski, Oleg" <oleg.kalnichev...@bearingpoint.com>
Subject RE: SSL - poor performance
Date Mon, 16 Feb 2004 13:58:57 GMT
> What do you think of this solution? Could it bring up other problems?

I see no problems with this approach. Alternatively you may consider making a singleton out
of the SSLContext instance.

Cheers,

Oleg


-----Original Message-----
From: Tentrup Stephan (P/BA (INFBA))
[mailto:Stephan.Tentrup@tenovis.com]
Sent: Monday, February 16, 2004 13:08
To: Commons HttpClient Project
Subject: RE: SSL - poor performance


Hi!

OK, thanks for your help, I found a solution!
With the system property javax.net.debug=ssl I saw that the SSL sessions were not cached.
This is because the createSocket method in EasySSLProtocolSocketFactory always creates a new
SSLContext so that the SSL sessions cannot be reused and the handshake must be performed with
every request. In order to solve this I moved the call of getInstance() and init() (both of
SSLContext) to the constructor of EasySSLProtocolSocketFactory.
What do you think of this solution? Could it bring up other problems?

Stephan



-----Original Message-----
From: Kalnichevski, Oleg [mailto:oleg.kalnichevski@bearingpoint.com] 
Sent: Thursday, February 12, 2004 3:36 PM
To: Commons HttpClient Project
Subject: RE: SSL - poor performance


Stephan,
Most likely the problem has nothing to do with HttpClient as such. Please refer to the 'known
problems' / 'troubleshooting' section of the HttpClient SSL guide to find out whether the
problem is related to some peculiarities of your JSSE / JDK / target server configuration.

http://jakarta.apache.org/commons/httpclient/sslguide.html

HTH,

Oleg

-----Original Message-----
From: Tentrup Stephan (P/BA (INFBA)) [mailto:Stephan.Tentrup@tenovis.com]
Sent: Thursday, February 12, 2004 15:18
To: commons-httpclient-dev@jakarta.apache.org
Subject: SSL - poor performance


Hi,

I am using HttpClient (2.0RC3) to make HTTP requests over SSL. At first I specified the keystore
with the trusted certificates by the system properties javax.net.ssl.trustStore=/path/to/keystorefile
and javax.net.ssl.trustStorePassword=password
The performance was good in this case but I wanted to manage the keystore(s) in the java code.
So I used the EasySSLProtocolSocketFactory and EasyX509TrustManager classes from the contrib
directory and adjusted them to my needs. The functionality is alright but the time cost is
very much higher than with the system property method. I added debug messages at various positions
to see where the time is lost and I found that between the end of the checkServerTrusted method
in EasyX509TrustManager and the end of the method executeMethod in HttpClient the highest
amount of time gets lost. I don't know what is happening between these two points. Any hints?

Stephan


// EasyX509TrustManager.java
/*
 * ====================================================================
 *
 * The Apache Software License, Version 1.1
 *
 * Copyright (c) 2002-2003 The Apache Software Foundation.  All rights
 * reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. The end-user documentation included with the redistribution, if
 *    any, must include the following acknowlegement:
 *       "This product includes software developed by the
 *        Apache Software Foundation (http://www.apache.org/)."
 *    Alternately, this acknowlegement may appear in the software itself,
 *    if and wherever such third-party acknowlegements normally appear.
 *
 * 4. The names "The Jakarta Project", "Commons", and "Apache Software
 *    Foundation" must not be used to endorse or promote products derived
 *    from this software without prior written permission. For written
 *    permission, please contact apache@apache.org.
 *
 * 5. Products derived from this software may not be called "Apache"
 *    nor may "Apache" appear in their names without prior written
 *    permission of the Apache Group.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * ====================================================================
 *
 * This software consists of voluntary contributions made by many
 * individuals on behalf of the Apache Software Foundation.  For more
 * information on the Apache Software Foundation, please see
 * <http://www.apache.org/>.
 *
 * [Additional notices, if required by prior licensing conditions]
 *
 */

package stephan.httpclient.tutorial;

import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/**
 * <p>
 * EasyX509TrustManager unlike default {@link X509TrustManager} accepts 
 * self-signed certificates. 
 * </p>
 * <p>
 * This trust manager SHOULD NOT be used for productive systems 
 * due to security reasons, unless it is a conscious decision and 
 * you are perfectly aware of security implications of accepting 
 * self-signed certificates
 * </p>
 * 
 * @author <a href="mailto:adrian.sutton@ephox.com">Adrian Sutton</a>
 * @author <a href="mailto:oleg@ural.ru">Oleg Kalnichevski</a>
 * 
 * DISCLAIMER: HttpClient developers DO NOT actively support this component.
 * The component is provided as a reference material, which may be inappropriate
 * to be used without additional customization.
 */

public class EasyX509TrustManager implements X509TrustManager
{	
	private KeyStore keystore;
	
    private X509TrustManager standardTrustManager = null;

    /** Log object for this class. */
    private static final Log LOG = LogFactory.getLog(EasyX509TrustManager.class);

    /**
     * Constructor for EasyX509TrustManager.
     */
    public EasyX509TrustManager(KeyStore keystore) throws NoSuchAlgorithmException, KeyStoreException
{
        super();
        TrustManagerFactory factory = TrustManagerFactory.getInstance("SunX509");
        LOG.debug("factory init start");
        factory.init(keystore);
        LOG.debug("factory init finished");
        this.keystore = keystore;
        TrustManager[] trustmanagers = factory.getTrustManagers();
        if (trustmanagers.length == 0) {
            throw new NoSuchAlgorithmException("SunX509 trust manager not supported");
        }
        this.standardTrustManager = (X509TrustManager)trustmanagers[0];
    }

    /**
     * @see com.sun.net.ssl.X509TrustManager#getAcceptedIssuers()
     */
    public X509Certificate[] getAcceptedIssuers() {
        return this.standardTrustManager.getAcceptedIssuers();
    }

	/* (non-Javadoc)
	 * @see javax.net.ssl.X509TrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String)
	 */
	public void checkClientTrusted(X509Certificate[] certificates, String authType) throws CertificateException
	{
			this.standardTrustManager.checkClientTrusted(certificates, authType);	
	}

	/* (non-Javadoc)
	 * @see javax.net.ssl.X509TrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String)
	 */
	public void checkServerTrusted(X509Certificate[] certificates, String authType) throws CertificateException
	{
		if ((certificates != null) && LOG.isDebugEnabled()) {
			LOG.debug("Server certificate chain:");
			for (int i = 0; i < certificates.length; i++) {
				LOG.debug("X509Certificate[" + i + "]=" + certificates[i]);
			}
		}
		
		// print out the content of the truststore
		try
		{
			Enumeration aliases = keystore.aliases();
			int number = 0;
			while(aliases.hasMoreElements())
			{
				number++;
				LOG.debug("number "+ (number));
				String alias = (String) aliases.nextElement();
				Certificate[] trustedCertificates = keystore.getCertificateChain(alias);
				Certificate trustedCertificate = keystore.getCertificate(alias);
				if(trustedCertificate != null)
				{
					LOG.debug("Trusted Certificate= "+trustedCertificate);
				}

			}
			LOG.debug("number of certificates in keystore: "+number);
			
		} catch (KeyStoreException e1)
		{
			LOG.debug(e1.getMessage());
			e1.printStackTrace();
		}
		
		this.standardTrustManager.checkServerTrusted(certificates, authType);
		LOG.debug("Certificate is valid.");
	}
}


// EasySSLProtocolSocketFactory.java
/*
 * ====================================================================
 *
 * The Apache Software License, Version 1.1
 *
 * Copyright (c) 2002-2003 The Apache Software Foundation.  All rights
 * reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. The end-user documentation included with the redistribution, if
 *    any, must include the following acknowlegement:
 *       "This product includes software developed by the
 *        Apache Software Foundation (http://www.apache.org/)."
 *    Alternately, this acknowlegement may appear in the software itself,
 *    if and wherever such third-party acknowlegements normally appear.
 *
 * 4. The names "The Jakarta Project", "Commons", and "Apache Software
 *    Foundation" must not be used to endorse or promote products derived
 *    from this software without prior written permission. For written
 *    permission, please contact apache@apache.org.
 *
 * 5. Products derived from this software may not be called "Apache"
 *    nor may "Apache" appear in their names without prior written
 *    permission of the Apache Group.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * ====================================================================
 *
 * This software consists of voluntary contributions made by many
 * individuals on behalf of the Apache Software Foundation.  For more
 * information on the Apache Software Foundation, please see
 * <http://www.apache.org/>.
 *
 * [Additional notices, if required by prior licensing conditions]
 *
 */

package stephan.httpclient.tutorial;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;

import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/**
 * <p>
 * EasySSLProtocolSocketFactory can be used to create SSL {@link Socket}s 
 * that accept self-signed certificates. 
 * </p>
 * <p>
 * This socket factory SHOULD NOT be used for productive systems 
 * due to security reasons, unless it is a conscious decision and 
 * you are perfectly aware of security implications of accepting 
 * self-signed certificates
 * </p>
 * 
 * @author <a href="mailto:oleg@ural.ru">Oleg Kalnichevski</a>
 * 
 * DISCLAIMER: HttpClient developers DO NOT actively support this component.
 * The component is provided as a reference material, which may be inappropriate
 * to be used without additional customization.
 */

public class EasySSLProtocolSocketFactory implements SecureProtocolSocketFactory {

    /** Log object for this class. */
    private static final Log LOG = LogFactory.getLog(EasySSLProtocolSocketFactory.class);
    
    private static TrustManager trustManagers[];

    /**
     * Constructor for EasySSLProtocolSocketFactory.
     * 
     * Code sample:
     *  
     *     <blockquote>
     *     Protocol easyhttps = new Protocol( 
     *         "https", new EasySSLProtocolSocketFactory(), 443);
     *
     *     HttpClient client = new HttpClient();
     *     client.getHostConfiguration().setHost("localhost", 443, easyhttps);
     *     </blockquote>
     */
    public EasySSLProtocolSocketFactory() {
        super();
        LOG.info("Constructor of EasySSLProtocolSocketFactory");
        
		try {
			// number of keystores to use
			int keyStoreNumber = 4;
        	
			// filename and password of keystores
			String[] keyStoreFileNames = new String[keyStoreNumber];
			String[] keyStorePasswd = new String[keyStoreNumber];
			keyStoreFileNames[0] = "C:/SSL/opensslbin/openssl/keystore";
			keyStorePasswd[0] = "...";
			keyStoreFileNames[1] = "C:/SSL/opensslbin/openssl/keystoreapphoneserver";
			keyStorePasswd[1] = "...";
			keyStoreFileNames[2] = "C:/SSL/opensslbin/openssl/thawtekeystore";
			keyStorePasswd[2] = "...";
			keyStoreFileNames[3] = "C:/SSL/opensslbin/openssl/verisign-website-keystore";
			keyStorePasswd[3] = "...";
			
			KeyStore tempKeyStore;
			File tempFile;
			FileInputStream tempFileIn;
        	
			// the data of all keystores will be stored in overallKeyStore
			KeyStore overallKeyStore = KeyStore.getInstance("JKS");
			overallKeyStore.load(null, null);
        	
			int aliasNumbers = 0;
			// go through the list of keystores
			for(int i = 0; i < keyStoreFileNames.length; i++)
			{
				// open keystore
				tempKeyStore = KeyStore.getInstance("JKS");
				tempFile = new File(keyStoreFileNames[i]);
				tempFileIn = new FileInputStream(tempFile);
				tempKeyStore.load(tempFileIn, keyStorePasswd[i].toCharArray());
				tempFileIn.close();
				// get entry
				Enumeration aliases = tempKeyStore.aliases();
				while(aliases.hasMoreElements())
				{
					aliasNumbers++;
					String alias = (String) aliases.nextElement();
					Certificate cert = tempKeyStore.getCertificate(alias);
					if(cert != null)
					{
						// write entry into overallKeyStore
						overallKeyStore.setCertificateEntry(new Integer(aliasNumbers).toString(), cert);
					}
				}
			}
			
			File fileOut = new File("C:/SSL/opensslbin/openssl/overallkeystore");
			FileOutputStream fileOutStream = new FileOutputStream(fileOut);
			overallKeyStore.store(fileOutStream, "...".toCharArray());
			fileOutStream.close();
        	
			trustManagers = new TrustManager[1];
			trustManagers[0] = new EasyX509TrustManager(overallKeyStore);
			LOG.info("Constructor ready");
		} catch (Exception e) {
			LOG.error(e.getMessage(), e);
			throw new RuntimeException(e.toString());
		}
    }

    private static SSLSocketFactory getEasySSLSocketFactory() {
        SSLContext context = null;
        try
        {
			LOG.debug("getEasySSLSocketFactory start");
			context = SSLContext.getInstance("SSL");
			context.init(null, trustManagers, null);
			LOG.debug("getEasySSLSocketFactory ready");
		} catch (Exception e) {
			LOG.error(e.getMessage(), e);
			throw new RuntimeException(e.toString());
		}
        return context.getSocketFactory();
    }


    /**
     * @see SecureProtocolSocketFactory#createSocket(java.lang.String,int,java.net.InetAddress,int)
     */
    public Socket createSocket(
        String host,
        int port,
        InetAddress clientHost,
        int clientPort)
        throws IOException, UnknownHostException {

        Socket socket = getEasySSLSocketFactory().createSocket(
            host,
            port,
            clientHost,
            clientPort
        );
        return socket;
    }

    /**
     * @see SecureProtocolSocketFactory#createSocket(java.lang.String,int)
     */
    public Socket createSocket(String host, int port)
        throws IOException, UnknownHostException {
        return getEasySSLSocketFactory().createSocket(
            host,
            port
        );
    }

    /**
     * @see SecureProtocolSocketFactory#createSocket(java.net.Socket,java.lang.String,int,boolean)
     */
    public Socket createSocket(
        Socket socket,
        String host,
        int port,
        boolean autoClose)
        throws IOException, UnknownHostException {
        return getEasySSLSocketFactory().createSocket(
            socket,
            host,
            port,
            autoClose
        );
    }
}

---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
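An added example (not part of this thread and not the HttpClient project's own contrib code) showing the fix Stephan describes applied in an HttpClient 2.0 SecureProtocolSocketFactory: the SSLContext is built once in the constructor and every createSocket call reuses its SSLSocketFactory, so JSSE's per-context session cache can resume sessions instead of doing a full handshake on every request. The class name CachingSSLProtocolSocketFactory, the constructor parameters and the resumedSession helper are assumptions; unlike the contrib EasyX509TrustManager, it keeps the JDK's default trust manager, so chain validation against the trust store is not relaxed.

```java
// Added example, not from the thread or the HttpClient contrib directory.
// Builds the SSLContext exactly once; a new context per socket would start
// with an empty session cache and force a full handshake for every request.
package stephan.httpclient.tutorial;  // hypothetical package, matching the thread

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

public class CachingSSLProtocolSocketFactory implements SecureProtocolSocketFactory {

    // One SSLSocketFactory per factory instance; its SSLContext owns the
    // SSLSessionContext that caches negotiated sessions for resumption.
    private final SSLSocketFactory socketFactory;

    // trustStorePath / trustStorePassword are assumed caller-supplied values.
    public CachingSSLProtocolSocketFactory(String trustStorePath, char[] trustStorePassword)
            throws IOException, GeneralSecurityException {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(trustStorePath);
        try {
            trustStore.load(in, trustStorePassword);
        } finally {
            in.close();
        }
        // Standard JDK trust manager: the server chain must validate against
        // the trust store. No self-signed-accepting trust manager is substituted.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);
        this.socketFactory = context.getSocketFactory();
    }

    public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort)
            throws IOException, UnknownHostException {
        return socketFactory.createSocket(host, port, clientHost, clientPort);
    }

    public Socket createSocket(String host, int port)
            throws IOException, UnknownHostException {
        return socketFactory.createSocket(host, port);
    }

    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException, UnknownHostException {
        return socketFactory.createSocket(socket, host, port, autoClose);
    }

    /**
     * Diagnostic helper (assumed name): true when this socket's session id equals
     * the id recorded from an earlier connection to the same host, i.e. the
     * handshake was resumed from the cache rather than negotiated from scratch.
     * This is the programmatic counterpart of watching -Djavax.net.debug=ssl
     * output, and assumes session-id based resumption (TLS 1.2 and earlier).
     */
    public static boolean resumedSession(SSLSocket socket, byte[] previousSessionId) {
        SSLSession session = socket.getSession();
        return previousSessionId != null && Arrays.equals(previousSessionId, session.getId());
    }
}
```

Wiring is the same as in the contrib Javadoc: new Protocol("https", new CachingSSLProtocolSocketFactory(path, password), 443) registered on the host configuration. This also explains why the javax.net.ssl.trustStore system-property route performed well: the JDK's default SSLContext is created once per JVM, so its session cache was shared by every request, exactly what building the context in the constructor (or, as Oleg suggests, holding it in a singleton) restores.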



