Oleg,

I close the connection pool by using  
"this.objHttp.getConnectionManager().shutdown();"

About the expired connections, I have an "idleConnectionsHandler" that every 5 
seconds removes expired connections and those that take idle longer than 5 
seconds:

   private ClientConnectionManager cm;
   (...)
   this.cm.closeExpiredConnections();
   this.cm.closeIdleConnections(5, TimeUnit.SECONDS);
  (...)

That's why I though that the pool should be empty after 1 minute.

Regards,

Joan.


-----Mensaje original-----
De: Oleg Kalnichevski [mailto:ol...@apache.org] 
Enviado el: lunes, 2 de diciembre de 2013 10:36
Para: HttpClient User Discussion
Asunto: Re: SSL connection

On Sat, 2013-11-30 at 23:52 +0100, Joan Balagueró wrote:
> Hello Oleg,
> 
> Thanks for you help. Everything works fine now.
> 
> Just one more question: when I shutdown Tomcat, I see this message in 
> catalina.out (ssl debug enabled):
> 
> main, called close()
> main, called closeInternal(true)
> main, SEND TLSv1 ALERT:  warning, description = close_notify main, 
> WRITE: TLSv1 Alert, length = 18 main, called 
> closeSocket(selfInitiated)
> 
> 
> If I send 8 https requests, this message appears 8 times when shutting down 
> tomcat. It seems that HttpClient is closing the http connection pool (in 
> fact, our app closes it). But I have a keep-alive of 20 seconds, and I'm 
> waiting more than 1 minute (from the last request sent) before shutting down 
> tomcat (so I understand that all connections should be expired and removed 
> from the pool).
> 
> I suppose I'm missing something. Could you clarify me this point, please?
> 
> Thanks,
> 
> Joan.
> 

Joan

I do not know SSL protocol that intimately, but it looks like this message 
basically means that the server had to initiate connection shutdown and notify 
the client. I do not think there is anything wrong with that. 

Please note that expired connections in the client connection pool do not get 
evicted automatically if the pool is inactive. One needs to explicitly call 
#closeExpired to make it happen.

How exactly do you close the connection pool on the client side?

Oleg 

> 
> -----Mensaje original-----
> De: Oleg Kalnichevski [mailto:o...@ok2consulting.com] Enviado el: 
> jueves, 28 de noviembre de 2013 22:12
> Para: HttpClient User Discussion
> Asunto: Re: SSL connection
> 
> On Thu, 2013-11-28 at 20:11 +0100, Joan Balagueró wrote:
> > Hello Oleg,
> > 
> > Thanks. I've been seeing some HttpClient samples. Some of them set the 
> > trustStore/keyStore directly to the SSLSocketFactory.
> 
> SSLSocketFactory constructors internally create an SSLContext instance and 
> initialize it with the trust / key material passed as parameters. 
> 
> >  And others create an SSLContext with them and then set this SSLContext to 
> > the SSLSocketFactory. Any advantage from one respect to the other?
> > 
> 
> No, not really. Simply a matter of convenience.
> 
> > Furthermore, when using SSLContext we need to create an instance using the 
> > secure socket protocol. Is there any way to accept all secure protocols?
> > 
> 
> I am not sure what you mean by that. Exactly wha
> 
> > Thanks,
> > 
> > Joan.
> > 
> > -----Mensaje original-----
> > De: Oleg Kalnichevski [mailto:ol...@apache.org] Enviado el: jueves, 
> > 28 de noviembre de 2013 10:24
> > Para: HttpClient User Discussion
> > Asunto: Re: SSL connection
> > 
> > On Wed, 2013-11-27 at 19:24 +0100, Joan Balagueró wrote:
> > > Hello,
> > > 
> > >  
> > > 
> > > I have an application (servlet running on tomcat) that must send a 
> > > https request to a server that requires client authentication.
> > > 
> > >  
> > > 
> > > Tomcat has correctly installed the truststore and keystore. But I 
> > > understand that when our app sends the https request, I have to 
> > > attach the client authentication required by the server.
> > > 
> > >  
> > > 
> > > Can anyone address to any doc where I can see how to do this?
> > > 
> > >  
> > > 
> > > Thanks,
> > > 
> > >  
> > > 
> > > J. 
> > > 
> > 
> > There is enough good material on SSL fundamentals on the web. Just google 
> > it out. 
> > 
> > As far as HC APIs are concerned SSLContextBuilder should help you set up 
> > the correct SSL context for your application. Most likely you will need to 
> > load the private key and add it to the context using this method [1].
> > 
> > Oleg
> > 
> > [1]
> > http://hc.apache.org/httpcomponents-client-4.3.x/httpclient/apidocs/
> > or 
> > g/apache/http/conn/ssl/SSLContextBuilder.html#loadKeyMaterial%28java
> > .s 
> > ecurity.KeyStore,%20char[],%20org.apache.http.conn.ssl.PrivateKeyStr
> > at
> > egy%29
> > 
> > >  
> > > 
> > > 
> > > 
> > > 
> > > 
> > 
> > 
> > 
> > --------------------------------------------------------------------
> > - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
> > For additional commands, e-mail: httpclient-users-h...@hc.apache.org
> > 
> > 
> > 
> > --------------------------------------------------------------------
> > - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
> > For additional commands, e-mail: httpclient-users-h...@hc.apache.org
> > 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
> For additional commands, e-mail: httpclient-users-h...@hc.apache.org
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
> For additional commands, e-mail: httpclient-users-h...@hc.apache.org
> 



---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
For additional commands, e-mail: httpclient-users-h...@hc.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
For additional commands, e-mail: httpclient-users-h...@hc.apache.org

Reply via email to