Laurent, I did some additional tests. With the java.net.Socket.getSendBufferSize method call commented out, HttpClient works with IBMJSSE 1.0 without a hitch. However, I think you should try to get IBM to look at the problem. To me this clearly looks like a bug in their implementation of JSSE.
Oleg -----Original Message----- From: Laurent Garcia [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 07, 2003 10:07 To: Commons HttpClient Project Subject: Re: IBMJSSE implementation issue Oleg, Thank you for your additional research, if I enable the log I have : DEBUG org.apache.commons.httpclient.HttpClient - Java version: 1.3.1 DEBUG org.apache.commons.httpclient.HttpClient - Java vendor: IBM Corporation DEBUG org.apache.commons.httpclient.HttpClient - Java class path: C:\Laurent\wsad\workspace\Laurent Test;C:\Laurent\wsad\lib\commons-httpclient-2.0-rc1.jar;C:\Laurent\wsad\work space\Toolbox;C:\Program Files\IBM\WebSphere Studio\eclipse\plugins\org.apache.xerces_4.0.7\xercesImpl.jar;C:\Program Files\IBM\WebSphere Studio\runtimes\aes_v4_jars\lib\xerces.jar;C:\Program Files\IBM\WebSphere Studio\runtimes\base_v5\java\jre\lib\ext\activation.jar;C:\Laurent\wsad\lib\ jakarta-regexp-1.2.jar;C:\Laurent\wsad\lib\jce1_2_2.jar;C:\Laurent\wsad\lib\ junit.jar;C:\Laurent\wsad\lib\local_policy.jar;C:\Laurent\wsad\lib\sunjce_pr ovider.jar;C:\Laurent\wsad\lib\US_export_policy.jar;C:\Laurent\wsad\lib\jdbc 2_0-stdext.jar;C:\Laurent\wsad\lib\struts.jar;C:\Laurent\wsad\lib\commons-co dec-1.1.jar;C:\Program Files\IBM\WebSphere Studio\runtimes\base_v5\java\jre\lib\ext\mail.jar;C:\Laurent\wsad\lib\log4j- 1.2.8.jar;C:\Laurent\wsad\lib\commons-logging.jar;C:\Laurent\wsad\lib\jcert. jar;C:\Laurent\wsad\lib\jnet.jar;C:\Laurent\wsad\lib\jsse.jar;C:\Laurent\wsa d\lib\commons-httpclient.jar DEBUG org.apache.commons.httpclient.HttpClient - Operating system name: Windows 2000 DEBUG org.apache.commons.httpclient.HttpClient - Operating system architecture: x86 DEBUG org.apache.commons.httpclient.HttpClient - Operating system version: 5.0 DEBUG org.apache.commons.httpclient.HttpClient - SUN 1.2: SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; JKS keystore) DEBUG org.apache.commons.httpclient.HttpClient - IBMJCE 1.2: IBMJCE Provider implements the following: HMAC-SHA1, MD2, MD5, MARS, SHA, MD2withRSA, MD5withRSA, SHA1withRSA, RSA, SHA1withDSA, RC2, RC4, Seal)implements the following: Signature algorithms : SHA1withDSA, SHA1withRSA, MD5withRSA, MD2withRSA Cipher algorithms : Blowfish, AES, DES, TripleDES, PBEWithMD2AndDES, PBEWithMD2AndTripleDES, PBEWithMD2AndRC2, PBEWithMD5AndDES, PBEWithMD5AndTripleDES, PBEWithMD5AndRC2, PBEWithSHA1AndDES PBEWithSHA1AndTripleDES, PBEWithSHA1AndRC2 PBEWithSHAAnd40BitRC2, PBEWithSHAAnd128BitRC2 PBEWithSHAAnd40BitRC4, PBEWithSHAAnd128BitRC4 PBEWithSHAAnd2KeyTripleDES, PBEWithSHAAnd3KeyTripleDES Mars, RC2, RC4, RSA, Seal Message authentication code (MAC) : HmacSHA1, HmacMD2, HmacMD5 Key agreement algorithm : DiffieHellman Key (pair) generator : Blowfish, DiffieHellman, DSA, AES, DES, TripleDES, HmacMD5, HmacSHA1, Mars, RC2, RC4, RSA, Seal Message digest : MD2, MD5, SHA-1 Algorithm parameter generator : DiffieHellman, DSA Algorithm parameter : Blowfish, DiffieHellman, AES, DES, TripleDES, DSA, Mars, PBEwithMD5AndDES, RC2 Key factory : DiffieHellman, DSA, RSA Secret key factory : Blowfish, AES, DES, TripleDES, Mars, RC2, RC4, Seal PKCS5Key, PBKDF1 and PBKDF2(PKCS5Derived Key). Certificate : X.509 Secure random : IBMSecureRandom Key store : JCEKS, PKCS12KS (PKCS12), JKS DEBUG org.apache.commons.httpclient.HttpClient - IBMJSSE 1.4: IBM JSSE provider DEBUG org.apache.commons.httpclient.HttpClient - IBMCertPath 1.0: IBMCertPath Provider implements the following: CertificateFactory : X.509 CertPathValidator : PKIX CertStore : Collection, LDAP CertPathBuilder : PKIX DEBUG org.apache.commons.httpclient.HttpClient - IBMPKCS11 1.2: IBMPKCS11 Provider implements the following: MD2withRSA, MD5withRSA, SHA1withRSA, RSA, SHA1withDSA)implements the following: Signature algorithms : SHA1withDSA, SHA1withRSA, MD5withRSA, MD2withRSA Key (pair) generator : DSA, RSA Algorithm parameter generator : DSA Algorithm parameter : DSA Certificate : X.509 Secure random : IBMSecureRandom Key store : PKCS11 (PKCS11KS) DEBUG org.apache.commons.httpclient.methods.GetMethod - enter GetMethod(String) DEBUG org.apache.commons.httpclient.HttpClient - enter HttpClient.executeMethod(HttpMethod) DEBUG org.apache.commons.httpclient.HttpClient - enter HttpClient.executeMethod(HostConfiguration,HttpMethod,HttpState) DEBUG org.apache.commons.httpclient.HttpConnection - HttpConnection.setSoTimeout(0) DEBUG org.apache.commons.httpclient.HttpConnection - enter HttpConnection.open() DEBUG org.apache.commons.httpclient.HttpConnection - enter HttpConnection.closeSockedAndStreams() DEBUG org.apache.commons.httpclient.HttpConnection - enter HttpConnection.releaseConnection() java.net.SocketException: Socket closed at java.net.PlainSocketImpl.socketGetOption(Native Method) at java.net.PlainSocketImpl.getOption(PlainSocketImpl.java:214) at java.net.Socket.getSendBufferSize(Socket.java:548) at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:700) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:625) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:500) at com.in.laurent.HttpClientTest.main(HttpClientTest.java:62) Exception in thread "main" So the IBM implementation is IBMJSSE 1.4 and I will try to investigate with IBM to solve this issue Laurent ----- Original Message ----- From: "Kalnichevski, Oleg" <[EMAIL PROTECTED]> To: "Commons HttpClient Project" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Monday, October 06, 2003 6:21 PM Subject: RE: IBMJSSE implementation issue Laurent, I did some additional research and what I have found seems to only reinforce my previous assumptions 1.) The problem is perfectly reproducible with IBM JDK and IBM JSSE. There's no need for WAS. [DEBUG] HttpClient - -Java version: 1.3.0 [DEBUG] HttpClient - -Java vendor: IBM Corporation <snip> [DEBUG] HttpClient - -Operating system name: Windows 2000 [DEBUG] HttpClient - -Operating system architecture: x86 [DEBUG] HttpClient - -Operating system version: 5.0 [DEBUG] HttpClient - -SUN 1.2: SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; JKS keystore) [DEBUG] HttpClient - -JSSE 1.0: IBM JSSE provider [DEBUG] HttpClient - -IBMJCE 1.2: IBMJCE Provider implements the following: HMAC-SHA1, MD2, MD5, MARS, SHA, MD2withRSA, <snip> [DEBUG] HttpConnection - -HttpConnection.setSoTimeout(0) java.net.SocketException: Socket closed at java.net.PlainSocketImpl.socketGetOption(Native Method) at java.net.PlainSocketImpl.getOption(PlainSocketImpl.java:198) at java.net.Socket.getSendBufferSize(Socket.java:526) at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:700) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:659) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:527) at org.apache.commons.httpclient.Test.main(Test.java:17) Exception in thread "main" 2.) Plain socket test worked fine with the same setup. 3.) I think I know why the problem only manifests itself with newer HttpClient versions As you can see from the log, something goes wrong when trying to determine send buffer size of the underlying socket implementation. This clearly looks like a bug in the IBM JSSE. Invocation of java.net.Socket.getSendBufferSize is a fairly new addition, which was not there in late February. 4.) Please make sure that version of IBM JSSE that you have is indeed 1.0.3 or newer. HttpClient has been reported to fail with the similar exception when run with IBM JSSE 1.0.2 or below. IBM JSSE 1.0.3 appears to have fixed the aforementioned problem with the send buffer size. Execute your test application with the debug log enabled and watch for a similar statement [DEBUG] HttpClient - -JSSE 1.0: IBM JSSE provider HTH Oleg -----Original Message----- From: Laurent Garcia [mailto:[EMAIL PROTECTED] Sent: Monday, October 06, 2003 14:19 To: Commons HttpClient Project Subject: Re: IBMJSSE implementation issue Oleg, I try to disabling stale connection and I have still Socket closed. I don't want to take your time but you can do a very simple, test this code in a servlet with WSAD 5.0 (with the default JSSE) HttpClient httpclient = new HttpClient(); httpget = new GetMethod("https://www.verisign.com/"); httpclient.executeMethod(httpget); I assume that I am not the only people that use http-client in a servlet in WSAD-WAS 5.0 environment. Laurent ----- Original Message ----- From: "Kalnichevski, Oleg" <[EMAIL PROTECTED]> To: "Commons HttpClient Project" <[EMAIL PROTECTED]> Sent: Monday, October 06, 2003 11:54 AM Subject: RE: IBMJSSE implementation issue Laurent, HttpClient relies on underlying JSSE library to establish SSL connections. If there's something wrong with SSL, in the overwhelming majority of cases it has nothing to do with HttpClient as such. Usually SSL problems are caused by misconfigured JSSE stack. Please refer to the troubleshooting section of our SSL guide and see if the plain SSL socket test works for you http://jakarta.apache.org/commons/httpclient/sslguide.html Oleg -----Original Message----- From: Laurent Garcia [mailto:[EMAIL PROTECTED] Sent: Monday, October 06, 2003 11:44 To: Commons HttpClient Project Subject: Re: IBMJSSE implementation issue Oleg, Thank you for your (quick) response, I edit the Manifest file (I made a copy below) and it seems that the version is 1.03 Manifest-Version: 1.0 Created-By: Ant 1.4.1 Name: com/ibm/jsse/ com/ibm/net/ssl/www/ com/ibm/net/ssl/ com/ibm/net/ss l/internal/www/protocol/https/ com/ibm/net/ssl/www/protocol/http/ com/i bm/net/ssl/www/protocol/https/ com/ibm/pkcs11/ com/ibm/pkcs11/nat/ com/ ibm/security/cert/ com/ibm/sslight/ com/ibm/sslite/ javax/net/ javax/ne t/ssl/ javax/security/cert/ IBM-Reusable-JVM-Compatible: True Build-Level: -20021008 Implementation-Vendor: IBM Corporation Implementation-Title: JSSE Package Implementation-Version: 1.0.3 Laurent ----- Original Message ----- From: "Kalnichevski, Oleg" <[EMAIL PROTECTED]> To: "Commons HttpClient Project" <[EMAIL PROTECTED]> Sent: Monday, October 06, 2003 11:34 AM Subject: RE: IBMJSSE implementation issue Laurent, Make sure that the version of IBMJSSE library WSAD is using is 1.0.3. Oleg -----Original Message----- From: Laurent Garcia [mailto:[EMAIL PROTECTED] Sent: Monday, October 06, 2003 11:30 To: [EMAIL PROTECTED] Subject: IBMJSSE implementation issue Hi, I was working with an old commons-httpclient lib (18/2/2003) that work correctly for https connexion with both SUN adn IBM jsse implemention. But I just replaced my commons-httpclient by commons-httpclient-2.0-rc1.jar and now it is still working with SUN but I have a systematic socked closed error If I try this code in a sevlet (with WSAD 5.0) : System.out.println("HttpsTestServlet starting test..."); GetMethod httpget; try { HttpClient httpclient = new HttpClient(); httpget = new GetMethod("https://www.verisign.com/"); httpclient.executeMethod(httpget); System.out.println(httpget.getStatusLine().toString()); } catch (Exception e) { System.out.println(e); } System.out.println("HttpsTestServlet test completed..."); java.net.SocketException: Socket closed at java.net.PlainSocketImpl.socketGetOption(Native Method) at java.net.PlainSocketImpl.getOption(PlainSocketImpl.java:214) at java.net.Socket.getSendBufferSize(Socket.java:548) at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:700) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:625) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:500) is it a bug ? or I did something wrong ? Thank you Laurent --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]