Java JSSE SSLEngine cannot resume SSL session
I am writing an application that uses SSLEngine with NIO; I am writing both the client and the server. The client is able to connect to the server, and after it is connected I want it to be able to perform session resumption / renegotiation, but currently without luck.

As the code that uses the SSLEngine is pretty big (SSLEngine usage is SO complex!) I will write some simple pseudo code that demonstrates the situation:

Server:
    global sslcontext initialized once
    await new client
    client.sslEngine = create new server ssl engine using the global sslcontext
    client.handleHandshake and wait for it to be done
    handle client.

Client:
    global sslcontext initialized once
    sslEngine = create new client ssl engine using the global sslcontext
    performHandshake and wait for it to be done
    disconnect (close gracefully the connection)
    sslEngine = create new client ssl engine using the global sslcontext
    configure engine to not allow session creation
    performHandshake and wait for it to be done

** I am more than willing to post any part of the code that can help (even the full code, although as I said it is huge.)

When I execute my program the first connection is successful but the second causes an exception:

javax.net.ssl.SSLHandshakeException: No existing session to resume

Did I miss some ingredient that is required for SSL session resumption?

Fanaticism answered 15/5, 2012 at 16:29
The SSLEngine will only resume sessions if you create it with SSLContext.createSSLEngine(host, port). Otherwise it has no way of knowing who it's talking to, so no way of knowing what SSLSession to join.

Renatorenaud answered 15/5, 2012 at 23:26

Thank you very very much - you just finished 3 days of endless googling :) – Fanaticism

@Fanaticism It's not documented, and it's not exactly obvious, but when you think about it it must be so ... – Renatorenaud

I don't think that it has to be that way - as the SSLEngine is separated from the transport layer, I thought that by using the same SSLContext to create 2 SSLEngines they would share the same SSLSession cache... – Fanaticism

@Fanaticism The SSLEngine has only one way of knowing the target IP:port, and this is it. It doesn't see a SocketChannel or a Socket from early in the morning to late in the evening. – Renatorenaud
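The point of the accepted answer in code, as an added example that is not from the question or answer: the client engine is created with the peer host and port so JSSE can find the cached session, the second engine forbids session creation so it must resume or fail, and the two session ids are compared. It assumes TLS 1.2-style session-id resumption (as in the 2012-era JSSE of the question) and that the application's own NIO handshake and shutdown loops are supplied through the hypothetical HandshakeDriver interface.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.channels.SocketChannel;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public final class ResumingClient {

    /** Hypothetical hook for the application's existing wrap/unwrap/task loops. */
    public interface HandshakeDriver {
        void handshake(SSLEngine engine, SocketChannel channel) throws IOException;
        /** closeOutbound() plus wrapping and writing the close_notify, i.e. the "disconnect" step. */
        void shutdown(SSLEngine engine, SocketChannel channel) throws IOException;
    }

    /**
     * A client engine eligible for resumption: passing host and port lets the engine
     * look up the SSLSession cached for that peer in the context's client session cache.
     * An engine made with createSSLEngine() alone has no peer identity and never resumes.
     */
    static SSLEngine newClientEngine(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        return engine;
    }

    /**
     * Handshakes twice against the same peer with one shared SSLContext. The second
     * engine may not create a new session, so it either resumes the first one or the
     * handshake fails with "No existing session to resume". Returns true on resumption.
     */
    public static boolean connectTwiceAndCheckResumption(SSLContext ctx, String host, int port,
                                                        HandshakeDriver driver) throws IOException {
        byte[] firstId;
        try (SocketChannel ch = SocketChannel.open(new InetSocketAddress(host, port))) {
            SSLEngine first = newClientEngine(ctx, host, port);
            driver.handshake(first, ch);
            firstId = first.getSession().getId();   // id the server assigned to the full handshake
            driver.shutdown(first, ch);             // graceful close keeps the cached session valid
        }
        try (SocketChannel ch = SocketChannel.open(new InetSocketAddress(host, port))) {
            SSLEngine second = newClientEngine(ctx, host, port);
            second.setEnableSessionCreation(false); // resume or fail, never a fresh full handshake
            driver.handshake(second, ch);
            return Arrays.equals(firstId, second.getSession().getId());
        }
    }
}
```

The same SSLContext object must back both engines; a second SSLContext has its own empty session cache and the resumption lookup cannot succeed.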
SSLContext should be a singleton. You can use Netty 4.0.44.Final SslContextBuilder. Session resumption by sessionId works.

import java.io.File;
import io.netty.channel.ChannelPipeline;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;

// Build the server SslContext once and reuse it for every channel,
// so that all connections share a single session cache.
private static SslContext serverSslContext;
...

if (serverSslContext == null) {
    serverSslContext = SslContextBuilder.forServer(new File("cert.crt"), new File("cert.key")).build();
}
// Each channel gets its own SslHandler created from the shared context.
channelPipeline.addLast(serverSslContext.newHandler(channelPipeline.channel().alloc()));
Vixen answered 20/2, 2017 at 16:6