From: Joan Balagueró
To: 'HttpClient User Discussion'
Subject: RE: SSL connection
Date: Mon, 2 Dec 2013 19:43:31 +0100

Hello,

Yes, ssl debug is enabled. But what we are discussing now is why 'someone' is closing 8 http connections that should be already closed.

I'll do what Oleg proposes, inspect the pool before shutting down tomcat.

Thanks,

Joan.

-----Original Message-----
From: thc202@gmail.com [mailto:thc202@gmail.com]
Sent: Monday, 2 December 2013 19:40
To: HttpClient User Discussion
Subject: Re: SSL connection

Hi.

> That's why I thought this was something related to Http pool, as if the connections were not expired. But if you say that you don't print these messages, then I am a bit lost (because tomcat guys also say that they don't print these messages, and me neither).

Those messages look a lot like JSSE debugging messages [1]. Do you know if the System property "javax.net.debug" [2] is activated?

[1] http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/ReadDebug.html
[2] http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#Debug

Best regards.

On 2 December 2013 17:40, Joan Balagueró wrote:
> Oleg,
>
> What I would mean was:
>
> 1. I send 8 https requests, then I have 8 connections in the pool.
>
> 2. I have a keep-alive of 20 seconds. Then, I wait 1 min.
>
> 3. After 1 min, all connections should be removed from the pool (due to my IdleConnectionHandler, that works fine)
>
> 4. Then, I shutdown tomcat.
>
> 5. Then, I expect no messages because there are no connections in pool.
> But I see exactly 8 messages like this:
>> > main, called close()
>> > main, called closeInternal(true)
>> > main, SEND TLSv1 ALERT: warning, description = close_notify
>> > main, WRITE: TLSv1 Alert, length = 18
>> > main, called closeSocket(selfInitiated)
>
> 6. If I repeat the process sending 5 requests, then I see 5 messages. One per connection.
>
>
> That's why I thought this was something related to Http pool, as if the connections were not expired. But if you say that you don't print these messages, then I am a bit lost (because tomcat guys also say that they don't print these messages, and me neither).
>
> Anyway, thanks,
>
> Joan.
>
>
> -----Original Message-----
> From: Oleg Kalnichevski [mailto:olegk@apache.org]
> Sent: Monday, 2 December 2013 16:12
> To: HttpClient User Discussion
> Subject: Re: SSL connection
>
> On Mon, 2013-12-02 at 11:16 +0100, Joan Balagueró wrote:
>> Oleg,
>>
>> I close the connection pool by using "this.objHttp.getConnectionManager().shutdown();"
>>
>> About the expired connections, I have an "idleConnectionsHandler" that every 5 seconds removes expired connections and those that take idle longer than 5 seconds:
>>
>> private ClientConnectionManager cm;
>> (...)
>> this.cm.closeExpiredConnections();
>> this.cm.closeIdleConnections(5, TimeUnit.SECONDS);
>> (...)
>>
>> That's why I thought that the pool should be empty after 1 minute.
>>
>> Regards,
>>
>> Joan.
>>
>
> Nothing in the connection pool can survive a call to #shutdown(). Can it be that you have some other processes connected to the same Tomcat instance?
>
> Oleg
>
>>
>> -----Original Message-----
>> From: Oleg Kalnichevski [mailto:olegk@apache.org]
>> Sent: Monday, 2 December 2013 10:36
>> To: HttpClient User Discussion
>> Subject: Re: SSL connection
>>
>> On Sat, 2013-11-30 at 23:52 +0100, Joan Balagueró wrote:
>> > Hello Oleg,
>> >
>> > Thanks for your help. Everything works fine now.
>> >
>> > Just one more question: when I shutdown Tomcat, I see this message in catalina.out (ssl debug enabled):
>> >
>> > main, called close()
>> > main, called closeInternal(true)
>> > main, SEND TLSv1 ALERT: warning, description = close_notify
>> > main, WRITE: TLSv1 Alert, length = 18
>> > main, called closeSocket(selfInitiated)
>> >
>> >
>> > If I send 8 https requests, this message appears 8 times when shutting down tomcat. It seems that HttpClient is closing the http connection pool (in fact, our app closes it). But I have a keep-alive of 20 seconds, and I'm waiting more than 1 minute (from the last request sent) before shutting down tomcat (so I understand that all connections should be expired and removed from the pool).
>> >
>> > I suppose I'm missing something. Could you clarify me this point, please?
>> >
>> > Thanks,
>> >
>> > Joan.
>> >
>>
>> Joan
>>
>> I do not know SSL protocol that intimately, but it looks like this message basically means that the server had to initiate connection shutdown and notify the client. I do not think there is anything wrong with that.
>>
>> Please note that expired connections in the client connection pool do not get evicted automatically if the pool is inactive. One needs to explicitly call #closeExpired to make it happen.
>>
>> How exactly do you close the connection pool on the client side?
>>
>> Oleg
>>
>> >
>> > -----Original Message-----
>> > From: Oleg Kalnichevski [mailto:oleg@ok2consulting.com]
>> > Sent: Thursday, 28 November 2013 22:12
>> > To: HttpClient User Discussion
>> > Subject: Re: SSL connection
>> >
>> > On Thu, 2013-11-28 at 20:11 +0100, Joan Balagueró wrote:
>> > > Hello Oleg,
>> > >
>> > > Thanks. I've been seeing some HttpClient samples. Some of them set the trustStore/keyStore directly to the SSLSocketFactory.
>> >
>> > SSLSocketFactory constructors internally create an SSLContext instance and initialize it with the trust / key material passed as parameters.
>> >
>> > > And others create an SSLContext with them and then set this SSLContext to the SSLSocketFactory. Any advantage from one respect to the other?
>> > >
>> >
>> > No, not really. Simply a matter of convenience.
>> >
>> > > Furthermore, when using SSLContext we need to create an instance using the secure socket protocol. Is there any way to accept all secure protocols?
>> > >
>> >
>> > I am not sure what you mean by that. Exactly wha
>> >
>> > > Thanks,
>> > >
>> > > Joan.
>> > >
>> > > -----Original Message-----
>> > > From: Oleg Kalnichevski [mailto:olegk@apache.org]
>> > > Sent: Thursday, 28 November 2013 10:24
>> > > To: HttpClient User Discussion
>> > > Subject: Re: SSL connection
>> > >
>> > > On Wed, 2013-11-27 at 19:24 +0100, Joan Balagueró wrote:
>> > > > Hello,
>> > > >
>> > > > I have an application (servlet running on tomcat) that must send a https request to a server that requires client authentication.
>> > > >
>> > > > Tomcat has correctly installed the truststore and keystore. But I understand that when our app sends the https request, I have to attach the client authentication required by the server.
>> > > >
>> > > > Can anyone address to any doc where I can see how to do this?
>> > > >
>> > > > Thanks,
>> > > >
>> > > > J.
>> > > >
>> > >
>> > > There is enough good material on SSL fundamentals on the web. Just google it out.
>> > >
>> > > As far as HC APIs are concerned SSLContextBuilder should help you set up the correct SSL context for your application. Most likely you will need to load the private key and add it to the context using this method [1].
>> > >
>> > > Oleg
>> > >
>> > > [1] http://hc.apache.org/httpcomponents-client-4.3.x/httpclient/apidocs/org/apache/http/conn/ssl/SSLContextBuilder.html#loadKeyMaterial%28java.security.KeyStore,%20char[],%20org.apache.http.conn.ssl.PrivateKeyStrategy%29
>> > >
>> > > ---------------------------------------------------------------------
>> > > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
>> > > For additional commands, e-mail: httpclient-users-help@hc.apache.org
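The two points discussed in this thread, as an added example that is not code from any participant or from the HttpClient project: an SSLContext carrying client key material built with the 4.3 SSLContextBuilder, and the pool inspected after explicit eviction and before shutdown. The class name, the command-line arguments and the store files they point to are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLContexts;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.pool.PoolStats;

public class MutualTlsClient { // hypothetical class name
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: truststore path, client keystore path, store password.
        char[] pass = args[2].toCharArray();
        SSLContext ctx = SSLContexts.custom()
                .loadTrustMaterial(load(args[0], pass))     // CAs trusted to sign the server certificate
                .loadKeyMaterial(load(args[1], pass), pass) // client certificate and private key
                .build();
        Registry<ConnectionSocketFactory> registry =
                RegistryBuilder.<ConnectionSocketFactory>create()
                        // This constructor keeps the library's default hostname verifier.
                        .register("https", new SSLConnectionSocketFactory(ctx))
                        .build();
        PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(registry);
        try (CloseableHttpClient client = HttpClients.custom().setConnectionManager(cm).build()) {
            // ... execute HTTPS requests with client here ...
            cm.closeExpiredConnections();                 // an inactive pool evicts nothing by itself
            cm.closeIdleConnections(5, TimeUnit.SECONDS); // same idle limit as in the thread
            PoolStats stats = cm.getTotalStats();         // what is still open before shutdown
            System.out.printf("leased=%d available=%d%n", stats.getLeased(), stats.getAvailable());
        } // closing the client shuts down its connection manager
    }
}
```

Any connection still counted as available at this point is closed by the shutdown, and with javax.net.debug enabled each such close is logged as a close_notify alert.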