hc-dev mailing list archives

From Karl Wright <daddy...@gmail.com>
Subject Re: SSL socket timeouts with SolrJ usage of HttpClient
Date Thu, 09 Apr 2015 20:15:33 GMT
Hi Oleg,

Can you verify that the following code is not setting any parameter that
will have no effect because of the context in which I'm setting it?  It's
not easy to determine this without looking through much code.

>>>>>>
    // Initialize standard solr-j.
    // First, we need an HttpClient where basic auth is properly set up.
    connectionManager = new PoolingHttpClientConnectionManager();
    connectionManager.setMaxTotal(1);
    connectionManager.setDefaultSocketConfig(SocketConfig.custom()
      .setTcpNoDelay(true)
      .setSoTimeout(socketTimeout)
      .build());

    SSLConnectionSocketFactory myFactory;
    if (keystoreManager != null)
    {
      myFactory = new SSLConnectionSocketFactory(keystoreManager.getSecureSocketFactory(),
        SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    }
    else
    {
      // Use the "trust everything" one
      myFactory = new SSLConnectionSocketFactory(KeystoreManagerFactory.getTrustingSecureSocketFactory(),
        SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    }

    RequestConfig.Builder requestBuilder = RequestConfig.custom()
      .setCircularRedirectsAllowed(true)
      .setSocketTimeout(socketTimeout)
      .setStaleConnectionCheckEnabled(true)
      .setExpectContinueEnabled(true)
      .setConnectTimeout(connectionTimeout)
      .setConnectionRequestTimeout(socketTimeout);

    HttpClientBuilder clientBuilder = HttpClients.custom()
      .setConnectionManager(connectionManager)
      .setMaxConnTotal(1)
      .disableAutomaticRetries()
      .setDefaultRequestConfig(requestBuilder.build())
      .setRedirectStrategy(new DefaultRedirectStrategy())
      .setSSLSocketFactory(myFactory)
      .setRequestExecutor(new HttpRequestExecutor(socketTimeout));


    if (userID != null && userID.length() > 0 && password != null)
    {
      CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
      Credentials credentials = new UsernamePasswordCredentials(userID, password);
      if (realm != null)
        credentialsProvider.setCredentials(new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, realm), credentials);
      else
        credentialsProvider.setCredentials(AuthScope.ANY, credentials);

      clientBuilder.setDefaultCredentialsProvider(credentialsProvider);
    }

    HttpClient localClient = clientBuilder.build();
<<<<<<

I'm also getting warnings now for setStaleConnectionCheckEnabled(true).  It
looks like this is now a connection parameter too?  Will all of my
setStaleConnectionCheckEnabled(true) calls now be invalid?

Karl


On Thu, Apr 9, 2015 at 3:03 PM, Oleg Kalnichevski <olegk@apache.org> wrote:

> On Thu, 2015-04-09 at 10:41 -0400, Karl Wright wrote:
> > Hi Oleg,
> >
> > I've been looking at the tickets for potential issues with SSL socket
> > timeout values not being honored in some versions of HttpClient, and I must
> > say I'm not clear where things stand.
> >
> > I have a ManifoldCF user who is seeing socket read timeouts when using
> > SSL.  The stack in that case involves the Solr client library (SolrJ).  I
> > am passing in an HttpClient instance that's already built:
> >
> > >>>>>>
> >     RequestConfig.Builder requestBuilder = RequestConfig.custom()
> >       .setCircularRedirectsAllowed(true)
> >       .setSocketTimeout(socketTimeout)
> >       .setStaleConnectionCheckEnabled(true)
> >       .setExpectContinueEnabled(true)
> >       .setConnectTimeout(connectionTimeout)
> >       .setConnectionRequestTimeout(socketTimeout);
> >
> >       HttpClientBuilder clientBuilder = HttpClients.custom()
> >         .setConnectionManager(connectionManager)
>
> Karl,
> If one explicitly assigns an already initialized connection manager
> instance basically all connection manager parameters have no effect.
> Please try setting default SocketConfig on connection manager directly.
>
> Oleg
>
>
> >         .setMaxConnTotal(1)
> >         .disableAutomaticRetries()
> >         .setDefaultRequestConfig(requestBuilder.build())
> >         .setRedirectStrategy(new DefaultRedirectStrategy())
> >         .setSSLSocketFactory(myFactory)
> >         .setRequestExecutor(new HttpRequestExecutor(socketTimeout))
> >         .setDefaultSocketConfig(SocketConfig.custom()
> >           .setTcpNoDelay(true)
> >           .setSoTimeout(socketTimeout)
> >           .build()
> >         );
> >
> >
> >     if (userID != null && userID.length() > 0 && password != null)
> >     {
> >       CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
> >       Credentials credentials = new UsernamePasswordCredentials(userID, password);
> >       if (realm != null)
> >         credentialsProvider.setCredentials(new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, realm), credentials);
> >       else
> >         credentialsProvider.setCredentials(AuthScope.ANY, credentials);
> >
> >       clientBuilder.setDefaultCredentialsProvider(credentialsProvider);
> >     }
> >
> >     HttpClient localClient = clientBuilder.build();
> > <<<<<<
> >
> > It is remotely possible that SolrJ is modifying a parameter in the client,
> > which I am aware would invalidate the builder-based configuration.  So my
> > question is simple: IF the HttpClient instance is *not* being configured in
> > SolrJ, would you expect the socket timeout to be honored for SSL requests,
> > on the current codebase?
>
> yes.
>
> > Was there ever a time when that was not true?  If
>
> No.
>
> > there's a buried default SSL socket timeout value that would be used if
> > configuration was overridden by setting a parameter, what is that value?
> >
>
> SSL handshake as well as CONNECT message exchange use socket timeout set
> by the connection manager. Request level settings apply only once a
> connection has been fully established and routed.
>
> Hope this helps.
>
> Oleg

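Added example, not part of the original message and not HttpClient project code: one way to apply Oleg's advice, assuming HttpClient 4.4 or later. Settings that belong to the connection manager (default SocketConfig, pool size and the "https" socket factory) are set on the manager itself, because the corresponding HttpClientBuilder setters are ignored once setConnectionManager() is called. The class name ManagerScopedConfig, the method build, the strict hostname verifier and the 2000 ms validation interval are assumptions chosen for illustration.

```java
import org.apache.http.client.config.RequestConfig;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.config.SocketConfig;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.ssl.SSLContexts;

public final class ManagerScopedConfig {
  // Hypothetical helper; both timeouts are in milliseconds.
  public static CloseableHttpClient build(int socketTimeout, int connectionTimeout) {
    // The TLS factory goes into the registry handed to the manager.
    // Assumption: system trust store with strict hostname verification.
    SSLConnectionSocketFactory tls = new SSLConnectionSocketFactory(
        SSLContexts.createSystemDefault(), new DefaultHostnameVerifier());
    Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
        .register("http", PlainConnectionSocketFactory.getSocketFactory())
        .register("https", tls)
        .build();

    PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(registry);
    cm.setMaxTotal(1);
    cm.setDefaultMaxPerRoute(1);
    // This SO_TIMEOUT is the one in force during the SSL handshake and CONNECT exchange.
    cm.setDefaultSocketConfig(SocketConfig.custom()
        .setTcpNoDelay(true)
        .setSoTimeout(socketTimeout)
        .build());
    // Manager-level replacement (4.4) for the deprecated per-request stale check.
    cm.setValidateAfterInactivity(2000);

    // Request-level settings apply once the connection is established and routed.
    RequestConfig requestConfig = RequestConfig.custom()
        .setSocketTimeout(socketTimeout)
        .setConnectTimeout(connectionTimeout)
        .setConnectionRequestTimeout(socketTimeout)
        .build();
    return HttpClients.custom()
        .setConnectionManager(cm)
        .setDefaultRequestConfig(requestConfig)
        .disableAutomaticRetries()
        .build();
  }
}
```

A custom socket factory such as the thread's myFactory would be registered under "https" in the same registry. Passing it to setSSLSocketFactory() alongside an explicit connection manager leaves the manager's own TLS factory in effect, so the trust and hostname-verification policy actually in use is whatever the manager was constructed with.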