Restlet 2.0.8 with the Jetty connector doesn't resume SSL sessions, while the Simple connector does

Does anyone know why this is, or how to fix it?

I'm using an Android device to connect via HttpClient - the Simple connector resumes the connection just fine, but Jetty performs a new handshake each time! The code is the same, it's just which connector I've got on the build path. Continually redoing the handshake uses up a ridiculous amount of data and battery - the problem is that I require client authentication, which as I've discovered doesn't work properly with the Simple connector. Is there something I'm missing here? I'm using the standard connection setup as below.

import java.io.File;

import org.restlet.Component;
import org.restlet.Restlet;
import org.restlet.Server;
import org.restlet.data.ChallengeScheme;
import org.restlet.data.Parameter;
import org.restlet.data.Protocol;
import org.restlet.security.ChallengeAuthenticator;
import org.restlet.util.Series;

// Class name and main() added only to give the posted snippet a runnable entry point.
// PagerReceiverApplication, LoginChecker and overrideStatus are the poster's own classes.
public class PagerServer {
    public static void main(String[] args) throws Exception {
        Component component = new Component();
        component.getClients().add(Protocol.FILE);
        // HTTPS server on port 444. Which connector serves it (Jetty or Simple) is decided
        // solely by which org.restlet.ext.* extension is on the build path.
        Server httpsServer = component.getServers().add(Protocol.HTTPS, 444);

        // Connector parameters are read by the server helper of whichever extension is present.
        Series<Parameter> parameters = httpsServer.getContext().getParameters();

        File pwd = new File(".");
        String path = pwd.getCanonicalPath(); // may throw IOException
        String keystorePath = path + "/keystore/keypair.jks";

        parameters.add("SSLContextFactory", "org.restlet.ext.ssl.PkixSslContextFactory");
        parameters.add("keystorePath", keystorePath);
        parameters.add("keystorePassword", "xxx"); // placeholder, as posted
        parameters.add("keyPassword", "xxx");      // placeholder, as posted
        parameters.add("keystoreType", "JKS");
        parameters.add("threadMaxIdleTimeMs", "60000"); // default idle time
        // Mutual TLS: every connection must present a client certificate.
        parameters.add("needClientAuthentication", "true");

        // Guard the restlet with BASIC authentication (encrypted under SSL).
        ChallengeAuthenticator guard = new ChallengeAuthenticator(null, ChallengeScheme.HTTP_BASIC, "xxx");

        // new pagerreceiver
        Restlet resty = new PagerReceiverApplication();

        LoginChecker loginVerifier = new LoginChecker();
        guard.setVerifier(loginVerifier);
        guard.setNext(resty);
        component.getDefaultHost().attachDefault(guard);

        overrideStatus statusService = new overrideStatus();
        component.setStatusService(statusService);

        component.start();
    }
}
Simmonds answered 27/6, 2011 at 7:10 Comment(2)
Is this different from your previous question #5644204? Shouldn't the same solution apply here as you used there? Kirchner
Ah, same problem, but now I have more information - it only worked once I had switched to Simple, hadn't realized it at the time. Simmonds

Not sure what version of Jetty you are using or how it is configured, but looking at http://wiki.eclipse.org/Jetty/Howto/Configure_SSL there is a parameter called allowRenegotiate that defaults to false. Perhaps if you can figure out how to set it to true you'll be able to resume sessions?

Kirchner answered 1/7, 2011 at 3:24 Comment(4)
I believe that flag is false by default to stop the as-of-yet unfixed SSL renegotiation security vulnerability. I don't think that is needed for session resumption, but I'm not sure - can anyone comment on that? Simmonds
Aaaaannd that's fixed it. Better check if it makes it vulnerable. Simmonds
OpenSSL seems to think secure renegotiation is enabled (I guess that means it's fixed?), excellent! Simmonds
Nice: it took a moment to make the jump from allowRenegotiate to SSL resume. Glad it helped. Kirchner
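The check the comments above do by hand (does the server actually resume sessions, and does it advertise secure renegotiation), written out as an added shell example; it is not part of the original thread and not Restlet or Jetty code. It assumes openssl is on PATH; the host, port and client certificate/key paths are placeholders passed by the caller, and the client cert is needed because the server above sets needClientAuthentication. Two things worth keeping apart when reading its output: session resumption (the abbreviated handshake the question is about, offered via the session ID or ticket from the first connection) and renegotiation (a new handshake inside an existing connection, which Jetty's allowRenegotiate governs) are different TLS mechanisms, and the "Secure Renegotiation IS supported" line only says the server advertises the RFC 5746 renegotiation_info extension, not that sessions are being resumed. The script therefore reports both separately.

```shell
#!/bin/sh
# Added example (not from the original thread): probe an HTTPS server with
# openssl s_client to see whether it resumes TLS sessions and whether it
# advertises secure renegotiation (RFC 5746). Assumes openssl is on PATH.
# Host, port and client cert/key paths are placeholders supplied by the caller.

# Summarise s_client output: how many connections did a full handshake
# ("New, ..."), how many were resumed ("Reused, ..."), and whether the server
# advertises the renegotiation_info extension.
summarize_tls() {
    out=$1
    # grep -c exits 1 when the count is 0; "|| true" keeps the "0" and the script alive.
    reused=$(printf '%s\n' "$out" | grep -c '^Reused, ' || true)
    fresh=$(printf '%s\n' "$out" | grep -c '^New, ' || true)
    if printf '%s\n' "$out" | grep -q '^Secure Renegotiation IS supported'; then
        reneg=yes
    else
        reneg=no   # covers "IS NOT supported" and output with no such line
    fi
    printf 'resumed=%s new=%s secure_reneg=%s\n' "$reused" "$fresh" "$reneg"
}

# Exit 0 if at least one connection in the output was resumed.
session_resumed() {
    printf '%s\n' "$1" | grep -q '^Reused, '
}

# Live probe. -reconnect makes s_client do one full handshake and then five
# reconnects offering the first session's ID (or ticket): a resuming server
# prints "Reused" for the five, a non-resuming one prints "New" six times.
# Usage: probe_tls HOST PORT CLIENT_CERT.pem CLIENT_KEY.pem
probe_tls() {
    out=$(openssl s_client -connect "$1:$2" -reconnect -cert "$3" -key "$4" \
            </dev/null 2>&1 || true)
    summarize_tls "$out"
}

# Constructed sample output (not captured from the poster's server) of a
# server that resumes sessions and advertises secure renegotiation.
SAMPLE_RESUMING='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
drop connection and then reconnect
CONNECTED(00000003)
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
drop connection and then reconnect
CONNECTED(00000003)
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
drop connection and then reconnect
CONNECTED(00000003)
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
drop connection and then reconnect
CONNECTED(00000003)
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
drop connection and then reconnect
CONNECTED(00000003)
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
'

# Constructed (truncated) sample of a server that never resumes and does not
# advertise secure renegotiation: every reconnect is a full handshake.
SAMPLE_NO_RESUME='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Secure Renegotiation IS NOT supported
drop connection and then reconnect
CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
drop connection and then reconnect
CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
'

if [ "$#" -eq 4 ]; then
    probe_tls "$@"                  # live run against a real server
else
    summarize_tls "$SAMPLE_RESUMING"   # resumed=5 new=1 secure_reneg=yes
    summarize_tls "$SAMPLE_NO_RESUME"  # resumed=0 new=3 secure_reneg=no
fi
```

With four arguments (host, port, client cert, client key) the script runs the live probe; with none it summarises the two constructed samples. A "resumed=0" result against Jetty reproduces the behaviour in the question (six full handshakes, each with the client-certificate exchange), while "secure_reneg=yes" is what the OpenSSL comment above is reading off the handshake.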

I haven't tried, but it would be worth trying to use the NIO connector, via Jetty's SslSelectChannelConnector, with Restlet parameter type=1. (The default is to use the SslSocketConnector, with type=2.)

Dawndawna answered 27/6, 2011 at 8:25 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.