WebLogic, dramatic reduction of TLS sessions creation by rejectClientInitiatedRenegotiation

While investigating why the TLS sessions are constantly invalidated, removed from the cache and recreated, it turned out that it is WLS's SSLConfigUtils.configureClientInitSecureRenegotiation() that initiates this:

    at sun.security.ssl.SSLSessionContextImpl.remove(SSLSessionContextImpl.java:132)
    at sun.security.ssl.SSLSessionImpl.invalidate(SSLSessionImpl.java:673)
    at weblogic.socket.utils.SSLConfigUtils.configureClientInitSecureRenegotiation(SSLConfigUtils.java:27)
    at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:135)
    at weblogic.socket.JSSEFilterImpl.isMessageComplete(JSSEFilterImpl.java:354)
    at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:976)
    at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:917)
    at weblogic.socket.NIOSocketMuxer.process(NIOSocketMuxer.java:599)
    at weblogic.socket.NIOSocketMuxer.processSockets(NIOSocketMuxer.java:563)
    at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:30)
    at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:43)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:147)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:119)


The code responsible is:

    public static void configureClientInitSecureRenegotiation(SSLEngine sslEngine, boolean clientInitSecureRenegotiation)
    {
        if (!IS_JDK_CLIENT_INIT_SECURE_RENEGOTIATION_PROPERTY_SET)
        {
            if ((sslEngine != null) && (!sslEngine.getUseClientMode()))
            {
                // server-mode engine only: drop the current session and then
                // enable/disable creation of new ones according to the flag
                if (!clientInitSecureRenegotiation) {
                    sslEngine.getSession().invalidate();
                }
                sslEngine.setEnableSessionCreation(clientInitSecureRenegotiation);
                if (isLoggable()) {
                    SocketLogger.logDebug(clientInitSecureRenegotiation ? "Enabled" : "Disabled TLS client initiated secure renegotiation.");
                }
            }
        }
        else if (isLoggable()) {
            SocketLogger.logDebug("TLS client initiated secure renegotiation setting is configured with -Djdk.tls.rejectClientInitiatedRenegotiation");
        }
    }


So invalidate() is called only if !clientInitSecureRenegotiation, but it appears that clientInitSecureRenegotiation (= isClientInitSecureRenegotiationAccepted) is always FALSE.

In JSSESocketFactory:

    JSSEFilterImpl getJSSEFilterImpl(Socket connectedSocket, String host, int port)
            throws IOException
    {
        SSLEngine sslEngine = getSSLEngine(host, port);
        return new JSSEFilterImpl(connectedSocket, sslEngine, true);
    }

In JSSEFilterImpl:

    public JSSEFilterImpl(Socket sock, SSLEngine engine, boolean clientMode)
            throws IOException
    {
        // parameter 4 is isClientInitSecureRenegotiationAccepted: THIS IS ALWAYS FALSE,
        // and clientMode is always TRUE
        this(sock, engine, clientMode, false);
    }

    // this constructor is ultimately invoked
    public JSSEFilterImpl(Socket sock, SSLEngine engine, boolean clientMode,
                          boolean isClientInitSecureRenegotiationAccepted)
            throws IOException
    {


So the only way to avoid the session invalidation is to have IS_JDK_CLIENT_INIT_SECURE_RENEGOTIATION_PROPERTY_SET evaluate to true, that is by setting -Djdk.tls.rejectClientInitiatedRenegotiation=false on the JVM command line (whether it is set to true or false doesn't seem to matter, as long as the property is defined).
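To verify on a running server whether the setting takes effect, here is an added diagnostic (not code from the original post or from WebLogic) that performs two TLS 1.2 handshakes against a listen port and reports whether the second one resumed the session cached by the first; the host name and port are placeholder assumptions, and the JVM's default trust store is assumed to trust the server certificate.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.util.Arrays;

public class TlsResumptionCheck {
    // Hex-encode a session id for the report.
    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    // One full connect + handshake, returning the negotiated session.
    // TLS 1.2 is pinned: TLS 1.3 resumption hands out a fresh session id,
    // which would make the id comparison below meaningless.
    static SSLSession handshake(SSLSocketFactory f, String host, int port) throws IOException {
        try (SSLSocket s = (SSLSocket) f.createSocket(host, port)) {
            s.setEnabledProtocols(new String[] {"TLSv1.2"});
            s.startHandshake();
            return s.getSession();
        }
    }

    // True when the second handshake resumed the session cached by the first
    // (same id, same creation time). A server that invalidates the session
    // after every handshake, as described above, makes this false every time.
    public static boolean secondHandshakeResumed(SSLSocketFactory f, String host, int port)
            throws IOException {
        SSLSession first = handshake(f, host, port);
        SSLSession second = handshake(f, host, port);
        System.out.printf("1st: id=%s created=%d%n", hex(first.getId()), first.getCreationTime());
        System.out.printf("2nd: id=%s created=%d%n", hex(second.getId()), second.getCreationTime());
        return Arrays.equals(first.getId(), second.getId())
            && first.getCreationTime() == second.getCreationTime();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder target (assumption): a WebLogic SSL listen port whose
        // certificate is trusted by this JVM's default trust store.
        String host = args.length > 0 ? args[0] : "weblogic.example.internal";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 7002;
        SSLSocketFactory f = SSLContext.getDefault().getSocketFactory();
        System.out.println(secondHandshakeResumed(f, host, port)
            ? "second handshake resumed the session: caching works"
            : "second handshake was a full one: session invalidated or caching disabled");
    }
}
```

Run it once before and once after adding the JVM property to the server: the first run should report a full handshake every time, the second a resumed session. Since jdk.tls.rejectClientInitiatedRenegotiation=true is the value that actually makes the JDK refuse client-initiated renegotiation (the hardening the property exists for), and the post reports that either value stops the WLS invalidation, true is the more conservative choice unless something relies on renegotiation.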


Thanks to Carlo for the excellent analysis.
