Posted to java-dev@axis.apache.org by "Charbonneau, Pierre-Hugues" <pi...@cgi.com> on 2006/11/10 20:38:51 UTC

Axis 1.x JSSESocketFactory missing Socket timeout for connect() and initial SSL handshake

Hi,

I did review the data collected following an outage on a platform I'm working on and made the following findings for HTTPS / SSL requests. We are using Axis 1.2 but the issue exists in Axis 1.4 as well.

- The timeout set up with the Axis stub is only effective during a transaction but not during the actual physical connection, e.g. the Socket.connect() operation.

- The secure implementation of Axis (SSL) has limitations regarding timeout and Socket creation. As mentioned, the timeout is effective during HTTPS requests only but not for the Socket creation & initial SSL handshake. Find below the key technical facts & findings after code review of the open source Apache Axis API 1.x.

1) Axis is of course using a different Socket factory for secure and non-secure Sockets. We are using HTTPS / SSL so the JSSE Factory is used instead of the default one. The timeout problem we are discussing right now is isolated to the JSSE / SSL Socket factory only.
2) The Axis JSSE Factory implementation does not implement any timeout during the Socket creation / connection as well as the initial SSL handshake.
4) The problem we are discussing right now is isolated to HTTPS / SSL only. Axis for HTTP does not have such a lack of timeout for the Socket.connect().


Here is the flow:
org.apache.axis.transport.http.HTTPSender


1) First HTTPSender is called for HTTPS request:
2) getSocket() method is called to create new SSL socket
3) We now obtain the Factory >> SocketFactory factory = SocketFactoryFactory.getFactory(protocol, options); // Which is JSSESocketFactory in our case
4) Now we obtain a new Socket >> Socket sock = factory.create(host, port, otherHeaders, useFullURL);
5) Then finally we set up the SO timeout within HTTPSender >> if(timeout > 0) sock.setSoTimeout(timeout);

The problem is with steps 4 and 5. As you can see, we set up the timeout on the Socket after the Socket creation. That means such timeout is not passed or even referenced within JSSESocketFactory. So this timeout will only help read() / write() operations after the initial SSL Socket creation.


Now, find below the JSSE Factory code missing the timeout:

org.apache.axis.components.net.JSSESocketFactory.create()
.............
sslFactory.createSocket(host, port);
.................

As you can see, the JSSE SSL Socket Factory is not using the "disconnected" approach of JDK 1.4 for creating a socket. That means no timeout value is passed when attempting an initial TCP / IP connection between Server A and Server B.

Timeout should be added like the DefaultFactory used for non-secure HTTP requests.

org.apache.axis.components.net.DefaultSocketFactory.create()
.........
sock = create(host, port, timeout);
...........
Which is passing such timeout to the JDK 1.4 connect() method:

Object address = inetConstructor.newInstance(new Object[] {
    host, new Integer(port)
});
sock = (Socket)socketConstructor.newInstance(new Object[0]);
connect.invoke(sock, new Object[] {
    address, new Integer(timeout)
});


Please let us know if there is any existing patch for this issue.

Thanks.
Pierre-Hugues

---------------------------------------------------------------------
To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-dev-help@ws.apache.org
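
The connect-then-layer approach the message above asks for, as an added example (not Axis code and not part of the original post): an unconnected socket is connected with a timeout, the read timeout is set before SSL is layered on top, and so the initial handshake is bounded as well. The class name TimedSslConnect, the helper open() and the 2000 ms value are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class TimedSslConnect {
    /** Hypothetical helper: bounds both the TCP connect and the SSL handshake by timeoutMs. */
    static SSLSocket open(SSLSocketFactory factory, String host, int port, int timeoutMs)
            throws IOException {
        Socket plain = new Socket();                 // unconnected ("disconnected") socket
        try {
            // Bounded TCP connect, instead of the blocking createSocket(host, port).
            plain.connect(new InetSocketAddress(host, port), timeoutMs);
            // Set the read timeout BEFORE the handshake so handshake reads are bounded too.
            plain.setSoTimeout(timeoutMs);
            // Layer SSL over the already connected socket; autoClose=true ties their lifetimes.
            SSLSocket ssl = (SSLSocket) factory.createSocket(plain, host, port, true);
            ssl.startHandshake();                    // fails with an IOException if the peer stalls
            return ssl;
        } catch (IOException e) {
            plain.close();                           // do not leak the descriptor on failure
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed test peer: accepts TCP connections but never answers the handshake.
        try (ServerSocket silent = new ServerSocket(0)) {
            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            long start = System.currentTimeMillis();
            try {
                open(factory, "127.0.0.1", silent.getLocalPort(), 2000).close();
                System.out.println("unexpected: handshake completed");
            } catch (IOException e) {
                long elapsed = System.currentTimeMillis() - start;
                System.out.println("gave up after " + elapsed + " ms: " + e);
            }
        }
    }
}
```

Without the setSoTimeout() call before startHandshake(), the same run blocks indefinitely on the silent peer, which is the hang described in the message.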


Re: Axis 1.x JSSESocketFactory missing Socket timeout for connect() and initial SSL handshake

Posted by Davanum Srinivas <da...@gmail.com>.
Please try the CommonsHTTPSender. See wiki for more info.

-- dims

-- 
Davanum Srinivas : http://www.wso2.net (Oxygen for Web Service Developers)