hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject RE: SSL connection
Date Mon, 02 Dec 2013 17:44:41 GMT
"Joan Balagueró" <joan.balaguero@grupoventus.com> wrote:
>Oleg,
>
>What I would mean was:
>
>1. I send 8 https requests, then I have 8 connections in the pool.
>
>2. I have a keep-alive of 20 seconds. Then, I wait 1 min.
>
>3. After 1 min, all connections should be removed from the pool (due to
>my IdleConnectionHandler, that works fine)
>
>4. Then, I shutdown tomcat.
>
>5. Then, I expect no messages because there are no connections in pool.
>But I see exactly 8 messages like this:
>> > main, called close()
>> > main, called closeInternal(true)
>> > main, SEND TLSv1 ALERT:  warning, description = close_notify
>> > main, WRITE: TLSv1 Alert, length = 18
>> > main, called closeSocket(selfInitiated)
>
>6. If I repeat the process sending 5 requests, then I see 5 messages.
>One per connection.
>
>
>That's why I thought this was something related to Http pool, as if the
>connections were not expired. But if you say that you don't print these
>messages, then I am a bit lost (because tomcat guys also say that they
>don't print these messages, and me neither).
>
>Anyway, thanks,
>
>Joan.
>
>
>-----Original Message-----
>From: Oleg Kalnichevski [mailto:olegk@apache.org]
>Sent: Monday, December 2, 2013 16:12
>To: HttpClient User Discussion
>Subject: Re: SSL connection
>
>On Mon, 2013-12-02 at 11:16 +0100, Joan Balagueró wrote:
>> Oleg,
>> 
>> I close the connection pool by using "this.objHttp.getConnectionManager().shutdown();"
>> 
>> About the expired connections, I have an "idleConnectionsHandler" that every 5 seconds removes expired connections and those that take idle longer than 5 seconds:
>> 
>>    private ClientConnectionManager cm;
>>    (...)
>>    this.cm.closeExpiredConnections();
>>    this.cm.closeIdleConnections(5, TimeUnit.SECONDS);
>>    (...)
>> 
>> That's why I thought that the pool should be empty after 1 minute.
>> 
>> Regards,
>> 
>> Joan.
>> 
>
>Nothing in the connection pool can survive a call to #shutdown(). Can
>it be that you have some other processes connected to the same Tomcat
>instance?
>
>Oleg  
>
>> 
>> -----Original Message-----
>> From: Oleg Kalnichevski [mailto:olegk@apache.org]
>> Sent: Monday, December 2, 2013 10:36
>> To: HttpClient User Discussion
>> Subject: Re: SSL connection
>> 
>> On Sat, 2013-11-30 at 23:52 +0100, Joan Balagueró wrote:
>> > Hello Oleg,
>> > 
>> > Thanks for your help. Everything works fine now.
>> > 
>> > Just one more question: when I shutdown Tomcat, I see this message in catalina.out (ssl debug enabled):
>> > 
>> > main, called close()
>> > main, called closeInternal(true)
>> > main, SEND TLSv1 ALERT:  warning, description = close_notify
>> > main, WRITE: TLSv1 Alert, length = 18
>> > main, called closeSocket(selfInitiated)
>> > 
>> > 
>> > If I send 8 https requests, this message appears 8 times when shutting down tomcat. It seems that HttpClient is closing the http connection pool (in fact, our app closes it). But I have a keep-alive of 20 seconds, and I'm waiting more than 1 minute (from the last request sent) before shutting down tomcat (so I understand that all connections should be expired and removed from the pool).
>> > 
>> > I suppose I'm missing something. Could you clarify this point for me, please?
>> > 
>> > Thanks,
>> > 
>> > Joan.
>> > 
>> 
>> Joan
>> 
>> I do not know SSL protocol that intimately, but it looks like this message basically means that the server had to initiate connection shutdown and notify the client. I do not think there is anything wrong with that.
>> 
>> Please note that expired connections in the client connection pool do not get evicted automatically if the pool is inactive. One needs to explicitly call #closeExpired to make it happen.
>> 
>> How exactly do you close the connection pool on the client side?
>> 
>> Oleg
>> 
>> > 
>> > -----Original Message-----
>> > From: Oleg Kalnichevski [mailto:oleg@ok2consulting.com]
>> > Sent: Thursday, November 28, 2013 22:12
>> > To: HttpClient User Discussion
>> > Subject: Re: SSL connection
>> > 
>> > On Thu, 2013-11-28 at 20:11 +0100, Joan Balagueró wrote:
>> > > Hello Oleg,
>> > > 
>> > > Thanks. I've been seeing some HttpClient samples. Some of them set the trustStore/keyStore directly to the SSLSocketFactory.
>> > 
>> > SSLSocketFactory constructors internally create an SSLContext instance and initialize it with the trust / key material passed as parameters.
>> > 
>> > >  And others create an SSLContext with them and then set this SSLContext to the SSLSocketFactory. Any advantage from one respect to the other?
>> > > 
>> > 
>> > No, not really. Simply a matter of convenience.
>> > 
>> > > Furthermore, when using SSLContext we need to create an instance using the secure socket protocol. Is there any way to accept all secure protocols?
>> > > 
>> > 
>> > I am not sure what you mean by that. Exactly wha
>> > 
>> > > Thanks,
>> > > 
>> > > Joan.
>> > > 
>> > > -----Original Message-----
>> > > From: Oleg Kalnichevski [mailto:olegk@apache.org]
>> > > Sent: Thursday, November 28, 2013 10:24
>> > > To: HttpClient User Discussion
>> > > Subject: Re: SSL connection
>> > > 
>> > > On Wed, 2013-11-27 at 19:24 +0100, Joan Balagueró wrote:
>> > > > Hello,
>> > > > 
>> > > >  
>> > > > 
>> > > > I have an application (servlet running on tomcat) that must send a https request to a server that requires client authentication.
>> > > > 
>> > > >  
>> > > > 
>> > > > Tomcat has correctly installed the truststore and keystore. But I understand that when our app sends the https request, I have to attach the client authentication required by the server.
>> > > > 
>> > > >  
>> > > > 
>> > > > Can anyone address to any doc where I can see how to do this?
>> > > > 
>> > > >  
>> > > > 
>> > > > Thanks,
>> > > > 
>> > > >  
>> > > > 
>> > > > J. 
>> > > > 
>> > > 
>> > > There is enough good material on SSL fundamentals on the web. Just google it out.
>> > > 
>> > > As far as HC APIs are concerned SSLContextBuilder should help you set up the correct SSL context for your application. Most likely you will need to load the private key and add it to the context using this method [1].
>> > > 
>> > > Oleg
>> > > 
>> > > [1] http://hc.apache.org/httpcomponents-client-4.3.x/httpclient/apidocs/org/apache/http/conn/ssl/SSLContextBuilder.html#loadKeyMaterial%28java.security.KeyStore,%20char[],%20org.apache.http.conn.ssl.PrivateKeyStrategy%29
>> > > 
>> > > >  
>> > > > 
>> > > > 
>> > > > 
>> > > > 
>> > > > 
>> > > 
>> > > 
>> > > 
>> > > ---------------------------------------------------------------------
>> > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
>> > > For additional commands, e-mail: httpclient-users-help@hc.apache.org

After step 3 get pool stats to verify.

Oleg
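
Added example, not part of the original message or of the HttpClient project's code: one way to read pool statistics after the eviction step, so that sockets closed at shutdown can be attributed to the pool or ruled out. It assumes the HttpClient 4.3.x `PoolingHttpClientConnectionManager`; the class name `PoolStatsCheck`, the helper `evictAndReport` and the optional URL argument are hypothetical.

```java
import java.util.concurrent.TimeUnit;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.pool.PoolStats;
import org.apache.http.util.EntityUtils;

public class PoolStatsCheck {

    // Runs the same two eviction calls as the idle-connection handler quoted
    // in the thread, then returns the pool totals for logging or checking.
    static PoolStats evictAndReport(PoolingHttpClientConnectionManager cm,
                                    long idleSeconds) {
        cm.closeExpiredConnections();
        cm.closeIdleConnections(idleSeconds, TimeUnit.SECONDS);
        return cm.getTotalStats();
    }

    public static void main(String[] args) throws Exception {
        PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager();
        CloseableHttpClient client = HttpClients.custom().setConnectionManager(cm).build();
        try {
            // Assumption: an optional URL argument populates the pool first.
            // With no argument the program runs offline on an empty pool.
            // Sequential requests normally reuse one pooled connection.
            for (int i = 0; args.length > 0 && i < 8; i++) {
                CloseableHttpResponse rsp = client.execute(new HttpGet(args[0]));
                try {
                    EntityUtils.consume(rsp.getEntity()); // hands the connection back to the pool
                } finally {
                    rsp.close();
                }
            }
            System.out.println("before eviction: " + cm.getTotalStats());
            Thread.sleep(6000); // longer than the 5 second idle limit used below
            PoolStats after = evictAndReport(cm, 5);
            System.out.println("after eviction:  " + after);
            if (after.getAvailable() + after.getLeased() > 0) {
                // These sockets stay open until shutdown and are closed then.
                System.out.println("pool still holds connections");
            }
        } finally {
            client.close(); // also shuts down the connection manager
        }
    }
}
```

If `available` and `leased` are both 0 after eviction, the pool holds no open sockets at that point.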
