RE: SSL - 100% CPU
We got 2 sites running SSL at this moment. Didn't have any problems setting it up.

WR
Magnus Rydin
Cypoint Systems Innovation AB

> Could somebody that has a working SSL configuration confirm that it is possible to make it work.
>
> /Thanks,
> Mattias
Re: SSL - 100% CPU
Daniel, can you give us (well, me) a HOWTO on this?

On Thu, 6 Jul 2000, Daniel Stahl wrote:

> Mattias Arbin writes:
>
> > Hi,
> > I now use 1.1.9 and get:
> >
> > E:\java\orion>java -jar orion.jar
> > Error listening to SSLServerSocket: No available certificate corresponds to the SSL cipher suites which are enabled.
> > Orion/1.1.9 initialized
> >
> > What could be bad with my certificate? I have done exactly what is told in the documentation. (See my previous post)
> > How do I know which "SSL cipher suites" that "are enabled"?
> > How does Orion know which certificate in the keystore to use? When I have several entries in the keystore, I get:
> >
> > Error starting HttpServer: Unable to intialize SSLServerSocketFactory 'com.evermind.ssl.JSSESSLServerSocketFactory': Unrecoverable key error: Cannot recover key
> >
> > I feel pretty frustrated. SSL is a must in my case and right now these problems make it impossible to use Orion in our project. Too bad, because Orion seems very nice.
> > Could somebody that has a working SSL configuration confirm that it is possible to make it work.
>
> The trick is not to use keytool. We have just tested to make our own com.evermind.ssl.SSLServerSocketFactory which relies on the pkcs#12 part of iaik jce. We then feed jsse with pkcs#12 files instead of a keystore file. The initial test works great and because we supply an initial seed for JSSE we get a great performance hit. Other than that it is pure JSSE. Try to make sure that you are using jsse 1.0.1.
>
> The only thing we have not managed to figure out is how to make orion use our SSLServerSocketFactory implementation. Because of classloader problems you have to modify the orion.jar file and add our class.
>
> The only problem with this solution is that iaik is commercial software. We have not been able to find a free implementation of pkcs#12.
>
> Best Regards
> /Daniel Stahl

---
Joseph B. Ottinger                     [EMAIL PROTECTED]
http://cupid.suninternet.com/~joeo     HOMES.COM Developer
Re: SSL - 100% CPU
Mattias Arbin writes:

> Hi,
> I now use 1.1.9 and get:
>
> E:\java\orion>java -jar orion.jar
> Error listening to SSLServerSocket: No available certificate corresponds to the SSL cipher suites which are enabled.
> Orion/1.1.9 initialized
>
> What could be bad with my certificate? I have done exactly what is told in the documentation. (See my previous post)
> How do I know which "SSL cipher suites" that "are enabled"?
> How does Orion know which certificate in the keystore to use? When I have several entries in the keystore, I get:
>
> Error starting HttpServer: Unable to intialize SSLServerSocketFactory 'com.evermind.ssl.JSSESSLServerSocketFactory': Unrecoverable key error: Cannot recover key
>
> I feel pretty frustrated. SSL is a must in my case and right now these problems make it impossible to use Orion in our project. Too bad, because Orion seems very nice.
> Could somebody that has a working SSL configuration confirm that it is possible to make it work.

The trick is not to use keytool. We have just tested to make our own com.evermind.ssl.SSLServerSocketFactory which relies on the pkcs#12 part of iaik jce. We then feed jsse with pkcs#12 files instead of a keystore file. The initial test works great and because we supply an initial seed for JSSE we get a great performance hit. Other than that it is pure JSSE. Try to make sure that you are using jsse 1.0.1.

The only thing we have not managed to figure out is how to make orion use our SSLServerSocketFactory implementation. Because of classloader problems you have to modify the orion.jar file and add our class.

The only problem with this solution is that iaik is commercial software. We have not been able to find a free implementation of pkcs#12.

Best Regards
/Daniel Stahl
Re: SSL - 100% CPU
> Hi Mattias,
> Have you found any solution to the SSL problem? I have tried for days now without success.

me too :(

i've read your posting and i tried your steps without success.

> step1.bat:
> keytool -genkey -keyalg "RSA" -alias testalias -keystore mykeystore -dname "cn=My Name, ou=MyCompany, o=MyCompany, c=SE" -storepass 123456 -keypass 654321 -validity 360

how did you do that? my keytool does not accept these parameters. i have to remove -alias, -storepass, -keypass and -validity from the command line and then it works!?!

> step2.bat:

i got the following error:
keytool error: java.lang.Exception: Failed to establish chain from reply
after removing the initial keystore the import works!?!

> Output when running the scripts:

same as yours.

==> https://my_ip_addr ==> SSL - 100% CPU :((

i tried with WinNT and Linux, jdk 1.2.2, 1.3 and IBM-jdk1.3
all the same result.

perhaps anyone from the orion-team looks for this bug(?)
this is one of the last "knock-out" points which must be cleared before we will purchase orion.

bye
 klaus
--
Klaus Thiele - Personal Informatik AG
mailto:[EMAIL PROTECTED]
"There's got to be more to life than compile-and-go."
Re: SSL - 100% CPU
Hello,

Yes, we have found a bug related to the 100% CPU thing. It seems that when a bad certificate was used, IOExceptions get thrown in the ServerSocket accept() call immediately, which is not the usual behaviour of a ServerSocket. We are now taking care of that problem in a nicer way, and hopefully you should not get that behaviour in 1.1.9 which is available. If you do, please let us know.

Regards,
Karl Avedal

Klaus Thiele wrote:

> > Hi Mattias,
> > Have you found any solution to the SSL problem? I have tried for days now without success.
>
> me too :(
>
> i've read your posting and i tried your steps without success.
>
> > step1.bat:
> > keytool -genkey -keyalg "RSA" -alias testalias -keystore mykeystore -dname "cn=My Name, ou=MyCompany, o=MyCompany, c=SE" -storepass 123456 -keypass 654321 -validity 360
>
> how did you do that? my keytool does not accept these parameters. i have to remove -alias, -storepass, -keypass and -validity from the command line and then it works!?!
>
> > step2.bat:
>
> i got the following error:
> keytool error: java.lang.Exception: Failed to establish chain from reply
> after removing the initial keystore the import works!?!
>
> > Output when running the scripts:
>
> same as yours.
>
> ==> https://my_ip_addr ==> SSL - 100% CPU :((
>
> i tried with WinNT and Linux, jdk 1.2.2, 1.3 and IBM-jdk1.3
> all the same result.
>
> perhaps anyone from the orion-team looks for this bug(?)
> this is one of the last "knock-out" points which must be cleared before we will purchase orion.
>
> bye
>  klaus
> --
> Klaus Thiele - Personal Informatik AG
> mailto:[EMAIL PROTECTED]
> "There's got to be more to life than compile-and-go."
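The failure mode Karl describes, an accept() that throws at once instead of blocking, turns any naive accept loop into a 100% CPU spin, whatever the cause of the exception. The class below is an added example, not Orion's code and not from anyone in the thread: an accept loop that separates per-connection failures from listener failures, backs off between retries of the listener and stops after a run of consecutive failures. The constructed BrokenListener stands in for a listener whose certificate JSSE cannot use; the class names and the limits (5 failures, 50 ms initial backoff) are assumptions.

```java
import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;

/**
 * AcceptLoop (hypothetical name): an accept loop that cannot spin.
 * A failing accept() is retried with exponential backoff; after
 * MAX_CONSECUTIVE_FAILURES failures in a row the listener is treated as
 * unusable and the loop returns instead of eating the CPU.
 */
public class AcceptLoop {
    static final int MAX_CONSECUTIVE_FAILURES = 5;
    static final long INITIAL_BACKOFF_MS = 50;
    static final long MAX_BACKOFF_MS = 5000;

    /** Serves one accepted connection. */
    interface Handler { void handle(Socket s) throws IOException; }

    /**
     * Runs until the listener is closed (returns 0) or accept() has failed
     * MAX_CONSECUTIVE_FAILURES times in a row (returns that count).
     */
    public static int run(ServerSocket listener, Handler handler) {
        int consecutiveFailures = 0;
        long backoff = INITIAL_BACKOFF_MS;
        while (!listener.isClosed()) {
            Socket s;
            try {
                s = listener.accept();
            } catch (IOException e) {
                if (listener.isClosed()) return 0;          // orderly shutdown
                consecutiveFailures++;
                System.err.println("accept failed (" + consecutiveFailures + "): " + e.getMessage());
                if (consecutiveFailures >= MAX_CONSECUTIVE_FAILURES) {
                    System.err.println("listener unusable, giving up");
                    return consecutiveFailures;
                }
                try {
                    Thread.sleep(backoff);                      // do not retry immediately
                } catch (InterruptedException ie) {
                    Thread.currentThread().interrupt();
                    return consecutiveFailures;
                }
                backoff = Math.min(backoff * 2, MAX_BACKOFF_MS);
                continue;
            }
            consecutiveFailures = 0;                            // a good accept resets the counter
            backoff = INITIAL_BACKOFF_MS;
            try {
                handler.handle(s);
            } catch (IOException e) {
                // A failure on one connection is not a listener fault: log and go on.
                System.err.println("connection failed: " + e.getMessage());
            } finally {
                try { s.close(); } catch (IOException ignore) { }
            }
        }
        return 0;
    }

    /** Constructed stand-in for a listener whose accept() throws immediately. */
    static class BrokenListener extends ServerSocket {
        BrokenListener() throws IOException { super(0); }       // ephemeral port, never used
        @Override public Socket accept() throws IOException {
            throw new IOException("No available certificate corresponds to the SSL cipher suites which are enabled");
        }
    }

    public static void main(String[] args) throws IOException {
        try (ServerSocket broken = new BrokenListener()) {
            long start = System.currentTimeMillis();
            int failures = run(broken, s -> { });
            System.out.println("loop exited after " + failures + " consecutive failures in "
                    + (System.currentTimeMillis() - start) + " ms");
        }
    }
}
```

Run stand-alone it exits after five failures and roughly 750 ms of backoff rather than looping forever; the log line per failure also gives an operator something to alert on, which a silent spin does not.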
Re: SSL-problems (was SSL-100% CPU)
I noticed that there is a 1.1.9 version. Tried that. Now I get another message:

E:\java\orion>java -jar orion.jar
Error listening to SSLServerSocket: No available certificate corresponds to the SSL cipher suites which are enabled.
Orion/1.1.9 initialized

Seems like the new release changed something. It would be really great to have a comment from the Orion team about this.

I also have a question: How does Orion know which of the certificates in the keystore to use? It seems like it gets confused if you have more than one entry in the keystore.

/Mattias

----- Original Message -----
From: "Mattias Arbin" [EMAIL PROTECTED]
To: "Orion-Interest" [EMAIL PROTECTED]
Sent: Tuesday, July 04, 2000 10:14 AM
Subject: SSL-problems (was SSL-100% CPU)

> I have tried to dig deeper into the SSL problem, while it is a major showstopper right now and a problem that has to be solved before I can use Orion in my project.
>
> I have made two bat files for the certificate generation to be able to play around a little faster:
>
> step1.bat:
> keytool -genkey -keyalg "RSA" -alias testalias -keystore mykeystore -dname "cn=My Name, ou=MyCompany, o=MyCompany, c=SE" -storepass 123456 -keypass 654321 -validity 360
> keytool -certreq -keyalg "RSA" -alias testalias -file localhost.csr -storepass 123456 -keypass 654321 -keystore mykeystore
> rem Go to thawte and copy the contents of localhost.csr.
> start https://www.thawte.com/cgi/server/test.exe
>
> step2.bat:
> rem Before running this, save the output from Thawte into localhost.cer
> keytool -import -trustcacerts -file localhost.cer -keystore mykeystore -storepass 123456 -keypass 654321
>
> Output when running the scripts:
>
> E:\test>java -version
> java version "1.3.0"
> Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0-C)
> Java HotSpot(TM) Server VM (build 2.0fcs-E, mixed mode)
>
> E:\test>step1
>
> E:\test>keytool -genkey -keyalg "RSA" -alias testalias -keystore mykeystore -dname "cn=My Name, ou=MyCompany, o=MyCompany, c=SE" -storepass 123456 -keypass 654321 -validity 360
>
> E:\test>keytool -certreq -keyalg "RSA" -alias testalias -file localhost.csr -storepass 123456 -keypass 654321 -keystore mykeystore
>
> E:\test>start https://www.thawte.com/cgi/server/test.exe
>
> E:\test>step2
>
> E:\test>keytool -import -trustcacerts -file localhost.cer -keystore mykeystore -storepass 123456 -keypass 654321
> Owner: CN=My Name, OU=MyCompany, O=MyCompany, C=SE
> Issuer: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
> Serial number: 488d5a
> Valid from: Tue Jul 04 09:55:28 GMT+02:00 2000 until: Fri Aug 04 09:55:28 GMT+02:00 2000
> Certificate fingerprints:
>      MD5:  AE:C8:43:16:A5:FC:15:70:6A:A6:2D:D8:7F:8F:8C:87
>      SHA1: D1:98:C0:C7:DA:D5:DB:D5:D1:E3:C6:A1:39:A0:59:34:0A:8F:DC:99
> Trust this certificate? [no]:  yes
> Certificate was added to keystore
>
> E:\test>keystore -list -keystore mykeystore
> 'keystore' is not recognized as an internal or external command,
> operable program or batch file.
>
> E:\test>keytool -list -keystore mykeystore
> Enter keystore password:  123456
>
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 2 entries:
>
> mykey, Tue Jul 04 09:53:14 GMT+02:00 2000, trustedCertEntry,
> Certificate fingerprint (MD5): AE:C8:43:16:A5:FC:15:70:6A:A6:2D:D8:7F:8F:8C:87
> testalias, Tue Jul 04 09:51:48 GMT+02:00 2000, keyEntry,
> Certificate fingerprint (MD5): BE:ED:A9:00:04:5D:A6:F4:9A:92:40:25:0C:AB:9C:EC
>
> OK. Now I start Orion (I have tried it with 1.0, 1.1.4, 1.1.8 with the same result):
>
> E:\java\orion>java -jar orion.jar
> Error starting HttpServer: Unable to intialize SSLServerSocketFactory 'com.evermind.ssl.JSSESSLServerSocketFactory': Unrecoverable key error: Cannot recover key
>
> Now to something interesting: I delete the key with the alias 'testalias':
>
> E:\test>keytool -delete -alias testalias -keystore mykeystore
> Enter keystore password:  123456
>
> E:\test>keytool -list -keystore mykeystore
> Enter keystore password:  123456
>
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 1 entry:
>
> mykey, Tue Jul 04 09:53:14 GMT+02:00 2000, trustedCertEntry,
> Certificate fingerprint (MD5): AE:C8:43:16:A5:FC:15:70:6A:A6:2D:D8:7F:8F:8C:87
>
> Now I start Orion again:
>
> E:\java\orion>java -jar orion.jar
> Orion/1.1.8 initialized
>
> Orion initializes, but takes about 100% CPU and accessing https://localhost:443 fails.
>
> Does anybody have a clue?
>
> /Thanks,
> Mattias Arbin, Ctakt AB
>
> My secure-web-site.xml:
>
> <?xml version="1.0"?>
> <!DOCTYPE web-site PUBLIC "Orion Web-site" "http://www.orionserver.com/dtds/web-site.dtd">
> <web-site host="[ALL]" secure="true" port="443" display-name="Default Orion WebSite">
> 	<!-- The default web-app for this site, bound to the root -->
> 	<ssl-config keystore="../../../test/mykeystore" keystore-password="12
Re: SSL - 100% CPU
Hi,
I now use 1.1.9 and get:

E:\java\orion>java -jar orion.jar
Error listening to SSLServerSocket: No available certificate corresponds to the SSL cipher suites which are enabled.
Orion/1.1.9 initialized

What could be bad with my certificate? I have done exactly what is told in the documentation. (See my previous post)
How do I know which "SSL cipher suites" that "are enabled"?
How does Orion know which certificate in the keystore to use? When I have several entries in the keystore, I get:

Error starting HttpServer: Unable to intialize SSLServerSocketFactory 'com.evermind.ssl.JSSESSLServerSocketFactory': Unrecoverable key error: Cannot recover key

I feel pretty frustrated. SSL is a must in my case and right now these problems make it impossible to use Orion in our project. Too bad, because Orion seems very nice.
Could somebody that has a working SSL configuration confirm that it is possible to make it work.

/Thanks,
Mattias

----- Original Message -----
From: "Karl Avedal" [EMAIL PROTECTED]
To: "Orion-Interest" [EMAIL PROTECTED]
Cc: "Orion-Interest" [EMAIL PROTECTED]; "Orion Bugs" [EMAIL PROTECTED]
Sent: Wednesday, July 05, 2000 11:16 AM
Subject: Re: SSL - 100% CPU

> Hello,
>
> Yes, we have found a bug related to the 100% CPU thing. It seems that when a bad certificate was used, IOExceptions get thrown in the ServerSocket accept() call immediately, which is not the usual behaviour of a ServerSocket. We are now taking care of that problem in a nicer way, and hopefully you should not get that behaviour in 1.1.9 which is available. If you do, please let us know.
>
> Regards,
> Karl Avedal
>
> Klaus Thiele wrote:
>
> > > Hi Mattias,
> > > Have you found any solution to the SSL problem? I have tried for days now without success.
> >
> > me too :(
> >
> > i've read your posting and i tried your steps without success.
> >
> > > step1.bat:
> > > keytool -genkey -keyalg "RSA" -alias testalias -keystore mykeystore -dname "cn=My Name, ou=MyCompany, o=MyCompany, c=SE" -storepass 123456 -keypass 654321 -validity 360
> >
> > how did you do that? my keytool does not accept these parameters. i have to remove -alias, -storepass, -keypass and -validity from the command line and then it works!?!
> >
> > > step2.bat:
> >
> > i got the following error:
> > keytool error: java.lang.Exception: Failed to establish chain from reply
> > after removing the initial keystore the import works!?!
> >
> > > Output when running the scripts:
> >
> > same as yours.
> >
> > ==> https://my_ip_addr ==> SSL - 100% CPU :((
> >
> > i tried with WinNT and Linux, jdk 1.2.2, 1.3 and IBM-jdk1.3
> > all the same result.
> >
> > perhaps anyone from the orion-team looks for this bug(?)
> > this is one of the last "knock-out" points which must be cleared before we will purchase orion.
> >
> > bye
> >  klaus
> > --
> > Klaus Thiele - Personal Informatik AG
> > mailto:[EMAIL PROTECTED]
> > "There's got to be more to life than compile-and-go."
SSL-problems (was SSL-100% CPU)
I have tried to dig deeper into the SSL problem, while it is a major showstopper right now and a problem that has to be solved before I can use Orion in my project.

I have made two bat files for the certificate generation to be able to play around a little faster:

step1.bat:
keytool -genkey -keyalg "RSA" -alias testalias -keystore mykeystore -dname "cn=My Name, ou=MyCompany, o=MyCompany, c=SE" -storepass 123456 -keypass 654321 -validity 360
keytool -certreq -keyalg "RSA" -alias testalias -file localhost.csr -storepass 123456 -keypass 654321 -keystore mykeystore
rem Go to thawte and copy the contents of localhost.csr.
start https://www.thawte.com/cgi/server/test.exe

step2.bat:
rem Before running this, save the output from Thawte into localhost.cer
keytool -import -trustcacerts -file localhost.cer -keystore mykeystore -storepass 123456 -keypass 654321

Output when running the scripts:

E:\test>java -version
java version "1.3.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0-C)
Java HotSpot(TM) Server VM (build 2.0fcs-E, mixed mode)

E:\test>step1

E:\test>keytool -genkey -keyalg "RSA" -alias testalias -keystore mykeystore -dname "cn=My Name, ou=MyCompany, o=MyCompany, c=SE" -storepass 123456 -keypass 654321 -validity 360

E:\test>keytool -certreq -keyalg "RSA" -alias testalias -file localhost.csr -storepass 123456 -keypass 654321 -keystore mykeystore

E:\test>start https://www.thawte.com/cgi/server/test.exe

E:\test>step2

E:\test>keytool -import -trustcacerts -file localhost.cer -keystore mykeystore -storepass 123456 -keypass 654321
Owner: CN=My Name, OU=MyCompany, O=MyCompany, C=SE
Issuer: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
Serial number: 488d5a
Valid from: Tue Jul 04 09:55:28 GMT+02:00 2000 until: Fri Aug 04 09:55:28 GMT+02:00 2000
Certificate fingerprints:
     MD5:  AE:C8:43:16:A5:FC:15:70:6A:A6:2D:D8:7F:8F:8C:87
     SHA1: D1:98:C0:C7:DA:D5:DB:D5:D1:E3:C6:A1:39:A0:59:34:0A:8F:DC:99
Trust this certificate? [no]:  yes
Certificate was added to keystore

E:\test>keystore -list -keystore mykeystore
'keystore' is not recognized as an internal or external command,
operable program or batch file.

E:\test>keytool -list -keystore mykeystore
Enter keystore password:  123456

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries:

mykey, Tue Jul 04 09:53:14 GMT+02:00 2000, trustedCertEntry,
Certificate fingerprint (MD5): AE:C8:43:16:A5:FC:15:70:6A:A6:2D:D8:7F:8F:8C:87
testalias, Tue Jul 04 09:51:48 GMT+02:00 2000, keyEntry,
Certificate fingerprint (MD5): BE:ED:A9:00:04:5D:A6:F4:9A:92:40:25:0C:AB:9C:EC

OK. Now I start Orion (I have tried it with 1.0, 1.1.4, 1.1.8 with the same result):

E:\java\orion>java -jar orion.jar
Error starting HttpServer: Unable to intialize SSLServerSocketFactory 'com.evermind.ssl.JSSESSLServerSocketFactory': Unrecoverable key error: Cannot recover key

Now to something interesting: I delete the key with the alias 'testalias':

E:\test>keytool -delete -alias testalias -keystore mykeystore
Enter keystore password:  123456

E:\test>keytool -list -keystore mykeystore
Enter keystore password:  123456

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry:

mykey, Tue Jul 04 09:53:14 GMT+02:00 2000, trustedCertEntry,
Certificate fingerprint (MD5): AE:C8:43:16:A5:FC:15:70:6A:A6:2D:D8:7F:8F:8C:87

Now I start Orion again:

E:\java\orion>java -jar orion.jar
Orion/1.1.8 initialized

Orion initializes, but takes about 100% CPU and accessing https://localhost:443 fails.

Does anybody have a clue?

/Thanks,
Mattias Arbin, Ctakt AB

My secure-web-site.xml:

<?xml version="1.0"?>
<!DOCTYPE web-site PUBLIC "Orion Web-site" "http://www.orionserver.com/dtds/web-site.dtd">
<web-site host="[ALL]" secure="true" port="443" display-name="Default Orion WebSite">
	<!-- The default web-app for this site, bound to the root -->
	<ssl-config keystore="../../../test/mykeystore" keystore-password="123456" />
	<default-web-app application="default" name="defaultWebApp" />
	<!-- Uncomment this to activate the news app -->
	<!-- <web-app application="news" name="news-web" root="/news" /> -->
	<!-- Access Log, where requests are logged to -->
	<access-log path="../log/default-web-access.log" />
</web-site>

My server.xml:

<?xml version="1.0"?>
<!DOCTYPE application-server PUBLIC "Orion Application Server Config" "http://www.orionserver.com/dtds/application-server.dtd">
<application-server application-directory="../applications" deployment-directory="../application-deployments">
	<rmi-config path="./rmi.xml" />
	<!-- JMS-server config link, uncomment to activate the JMS service -->
	<!-- <jms-config path="./jms.xml" /> -->
	<principals path="./principals.xml" />
	<log>
		<file path="../log/server.log" />
	</log>
	<global-application name="default" path="application.xml" />
	<global-web-app-config path="global-web-application.xml" />
	<web-site path="./default-web-site.xml" />
	<web-site path="./secure-web-site.xml" />
	<!-- Compiler, activate
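The keytool transcript above contains the three facts a JSSE server trips over: the key entry testalias was created with a -keypass (654321) different from the -storepass (123456) while ssl-config carries only a keystore-password; the CA reply was imported without -alias testalias, so keytool filed it as a separate trustedCertEntry under its default alias mykey instead of attaching it to the key; and after testalias is deleted, the store holds no private key at all. The checker below is an added example, not code from the thread, from Orion or from keytool. It loads a JKS file exactly as a JSSE server does and reports, per alias, which of those conditions applies, then initialises a server SSLContext and answers the "which cipher suites are enabled" question from the resulting factory. It uses today's javax.net.ssl package rather than the com.sun.net.ssl package of JSSE 1.0.1; the class name KeystoreCheck and its argument order are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * KeystoreCheck (hypothetical name): loads a JKS keystore the way a JSSE
 * server does and reports why each entry can or cannot serve TLS.
 *
 *   java KeystoreCheck mykeystore 123456 654321
 *
 * arguments: keystore file, -storepass value, -keypass value (repeat the
 * store password when keytool was run without -keypass).
 */
public class KeystoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeystoreCheck <keystore> <storepass> [keypass]");
            System.exit(2);
        }
        char[] storePass = args[1].toCharArray();
        char[] keyPass = (args.length > 2 ? args[2] : args[1]).toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass);                 // a wrong store password fails here
        }

        int usableKeys = 0;
        boolean rsaKey = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                // trustedCertEntry: a certificate with no private key behind it.
                // keytool -import without -alias <keyalias> files a CA reply here.
                System.out.println(alias + ": trustedCertEntry, no private key, a server cannot use it");
                continue;
            }
            // keyEntry: unlock it with the single password the server will supply.
            try {
                ks.getKey(alias, keyPass);
            } catch (UnrecoverableKeyException ex) {
                System.out.println(alias + ": keyEntry, but this key password does not open it"
                        + " (the 'Unrecoverable key error: Cannot recover key' case)");
                continue;
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            X509Certificate leaf = (X509Certificate) chain[0];
            String alg = leaf.getPublicKey().getAlgorithm();
            boolean selfSigned = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
            System.out.println(alias + ": keyEntry, " + alg + " key, chain length " + chain.length
                    + (selfSigned ? ", still self-signed (no CA reply applied to this alias)" : ""));
            usableKeys++;
            if ("RSA".equals(alg)) rsaKey = true;
        }

        if (usableKeys == 0) {
            System.out.println("No usable keyEntry: JSSE will report that no certificate"
                    + " corresponds to the enabled cipher suites.");
            return;
        }

        // Build the server-side context as JSSE does: one key password for every entry.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        SSLServerSocketFactory f = ctx.getServerSocketFactory();

        // "Which cipher suites are enabled": the factory's defaults. Suites with
        // RSA in their authentication part need an RSA certificate in the store.
        String[] suites = f.getDefaultCipherSuites();
        int rsaSuites = 0;
        for (String s : suites) {
            if (s.contains("_RSA_")) rsaSuites++;
        }
        System.out.println(suites.length + " cipher suites enabled by default, " + rsaSuites
                + " of them need an RSA certificate; RSA keyEntry present: " + rsaKey);
    }
}
```

Run against the keystore from the transcript with both passwords from step1.bat, it flags mykey as a certificate-only entry and testalias as self-signed; run with only the store password, which is all ssl-config can pass on, testalias is reported as unrecoverable, which is the first Orion error, and once testalias is deleted the store has no usable key, which is what the 1.1.9 message says.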
Re: SSL - 100% CPU
I have some experience with SSL programming (with IsaSilk, a fantastic package and free for development purposes; and very cheap for commercial, just like Orion ;-)

I had the same pb when initializing, very very long and 100% CPU, and this was due to the random generator!!! To solve this pb, I just provided a seed for the random generator. I don't know if this will help but it helps me a lot ;-)

I used IsaSilk in stand-alone SSL programming. Does anybody have experience with Orion + IsaSilk, is it possible?

IsaSilk: http://jcewww.iaik.tu-graz.ac.at/iSaSiLk/isasilk.htm

-----Original Message-----
From: Klaus Thiele [EMAIL PROTECTED]
To: Orion-Interest [EMAIL PROTECTED]
Date: Friday, 30 June 2000 00:12
Subject: Re: SSL - 100% CPU

> On Thu, 29 Jun 2000, you wrote:
> > At last my generation of the server certificate worked. Unfortunately, when I start Orion with SSL turned on, the java process takes all the CPU time. Seems like Orion gets stuck in an endless loop. I have tried this on both Orion 1.0 and 1.1.4
> > I followed the instruction for setting up a secure site in the documentation.
> > Has anybody experienced something similar?
>
> i have exactly the _same_ experiences!
> the faq for setting up an ssl-server is not easy to understand!
> - where/how to get an RSA-provider(?) for the jdk?
> - i generate a certificate with openssl
> - https://www.thawte.com/cgi/server/test.exe
> - keytool -import
> => 100% cpu
>
> klaus
> --
> Klaus Thiele - Personal Informatik AG
> mailto:[EMAIL PROTECTED]
> "There's got to be more to life than compile-and-go."
Re: SSL - 100% CPU
> I had the same pb when initializing, very very long and 100% CPU, and this was due to the random generator!!! To solve this pb, I just provided a seed for the random generator. I don't know if this will help but it helps me a lot ;-)

Sorry, but how do you do that?

/Mattias
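In JSSE terms, "providing a seed" means creating and seeding the SecureRandom yourself and handing it to SSLContext.init(), so the one-time seeding cost is paid at start-up rather than inside the first handshake, where it looks like a hang. The class below is an added example, not code from the thread, from IsaSilk or from Orion; it forces the self-seeding at start-up, measures it, and shows where supplying your own entropy is safe and where it is not. It is written against the javax.net.ssl package of current JDKs; the class name SeedAtStartup is an assumption.

```java
import java.security.SecureRandom;
import javax.net.ssl.SSLContext;

/**
 * SeedAtStartup (hypothetical name): pay the SecureRandom seeding cost at
 * start-up, where it is visible, and give that instance to JSSE.
 */
public class SeedAtStartup {

    /** Forces self-seeding now and reports how long it took. */
    public static SecureRandom warmedUp() {
        SecureRandom sr = new SecureRandom();       // will self-seed from the platform source
        long t0 = System.nanoTime();
        sr.nextBytes(new byte[32]);                 // the first request triggers the seeding
        long ms = (System.nanoTime() - t0) / 1_000_000;
        System.out.println("SecureRandom " + sr.getAlgorithm() + " seeded in " + ms + " ms");

        // Adding entropy AFTER self-seeding is safe: setSeed() mixes it into the
        // existing state. The unsafe variant is new SecureRandom(fixedSeed) or a
        // setSeed() before the first nextBytes(): on SHA1PRNG that seed becomes the
        // generator's only seed, and a guessable seed means guessable session keys.
        sr.setSeed(System.nanoTime());
        return sr;
    }

    /** Builds a TLS context that draws all its randomness from the given generator. */
    public static SSLContext contextWith(SecureRandom sr) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, sr);   // no key managers here: this demo has no certificate
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SecureRandom sr = warmedUp();
        SSLContext ctx = contextWith(sr);
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```

If the printed seeding time is large, the fix is a better entropy source for the platform (or the securerandom.source setting in the JRE's java.security file), not a hard-coded seed; a process that starts fast because it seeded itself from a constant has traded the delay for predictable keys.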
SSL - 100% CPU
At last my generation of the server certificate worked. Unfortunately, when I start Orion with SSL turned on, the java process takes all the CPU time. Seems like Orion gets stuck in an endless loop. I have tried this on both Orion 1.0 and 1.1.4
I followed the instruction for setting up a secure site in the documentation.

Has anybody experienced something similar?

/Mattias Arbin

Here is my server.xml:

<?xml version="1.0"?>
<!DOCTYPE application-server PUBLIC "Orion Application Server Config" "http://www.orionserver.com/dtds/application-server.dtd">
<application-server application-directory="../applications" deployment-directory="../application-deployments">
	<rmi-config path="./rmi.xml" />
	<!-- JMS-server config link, uncomment to activate the JMS service -->
	<!-- <jms-config path="./jms.xml" /> -->
	<principals path="./principals.xml" />
	<log>
		<file path="../log/server.log" />
	</log>
	<global-application name="default" path="application.xml" />
	<global-web-app-config path="global-web-application.xml" />
	<!-- I have tried with or without the comment below -->
	<!-- <web-site path="./default-web-site.xml" /> -->
	<web-site path="./secure-web-site.xml" />
	<!-- Compiler, activate this to specify an alternative compiler such as jikes for EJB/JSP compiling. -->
	<!-- <compiler executable="jikes" classpath="/myjdkdir/jre/lib/rt.jar" /> -->
</application-server>

..and here is the secure-web-site.xml

<?xml version="1.0"?>
<!DOCTYPE web-site PUBLIC "Orion Web-site" "http://www.orionserver.com/dtds/web-site.dtd">
<web-site host="[ALL]" secure="true" port="81" display-name="Default Orion WebSite">
	<!-- The default web-app for this site, bound to the root -->
	<ssl-config keystore="../../../test/mykeystore" keystore-password="123456" />
	<default-web-app application="default" name="defaultWebApp" />
	<!-- Uncomment this to activate the news app -->
	<!-- <web-app application="news" name="news-web" root="/news" /> -->
	<!-- Access Log, where requests are logged to -->
	<access-log path="../log/default-web-access.log" />
</web-site>