
Does anyone know why this is, or how to fix it?

I'm using an Android to connect via httpclient - the Simple connector resumes the connection just fine, but Jetty performs a new handshake each time! The code is the same, it's just which connector I've got on the build path. Continually redoing the handshake uses up a ridiculous amount of data and battery - the problem is that I require client authentication, which as I've discovered doesn't work properly with the Simple connector. Is there something I'm missing here? I'm using the standard connection setup as below.

import java.io.File;

import org.restlet.Component;
import org.restlet.Restlet;
import org.restlet.Server;
import org.restlet.data.ChallengeScheme;
import org.restlet.data.Parameter;
import org.restlet.data.Protocol;
import org.restlet.security.ChallengeAuthenticator;
import org.restlet.util.Series;

// Wrapper class name is illustrative; PagerReceiverApplication, LoginChecker and
// overrideStatus are the poster's own classes and are not shown here.
public class PagerServer {
    public static void main(String[] args) throws Exception {
        Component component = new Component();
        component.getClients().add(Protocol.FILE);
        // HTTPS server on port 444. Whether Jetty or Simple backs it depends only on
        // which org.restlet.ext.* connector jar is on the build path.
        Server httpsServer = component.getServers().add(Protocol.HTTPS, 444);

        Series<Parameter> parameters = httpsServer.getContext().getParameters();

        File pwd = new File(".");
        String path = pwd.getCanonicalPath();
        String keystorePath = path + "/keystore/keypair.jks";

        parameters.add("SSLContextFactory", "org.restlet.ext.ssl.PkixSslContextFactory");
        parameters.add("keystorePath", keystorePath);
        parameters.add("keystorePassword", "xxx");
        parameters.add("keyPassword", "xxx");
        parameters.add("keystoreType", "JKS");
        parameters.add("threadMaxIdleTimeMs", "60000"); // default idle time
        // Require a client certificate in the TLS handshake (mutual TLS).
        parameters.add("needClientAuthentication", "true");

        // Guard the restlet with BASIC authentication (encrypted under SSL).
        ChallengeAuthenticator guard = new ChallengeAuthenticator(null, ChallengeScheme.HTTP_BASIC, "xxx");

        // new pagerreceiver
        Restlet resty = new PagerReceiverApplication();

        LoginChecker loginVerifier = new LoginChecker();
        guard.setVerifier(loginVerifier);
        guard.setNext(resty);
        component.getDefaultHost().attachDefault(guard);

        overrideStatus statusService = new overrideStatus();
        component.setStatusService(statusService);

        component.start();
    }
}
user705142
  • Is this different from your previous question http://stackoverflow.com/questions/5643704/reusing-ssl-sessions-in-android-with-httpclient? Shouldn't the same solution apply here as you used there? – Femi Jun 27 '11 at 07:27
  • Ah, same problem, but now I have more information - it only worked once I had switched to Simple, hadn't realized it at the time. – user705142 Jul 01 '11 at 02:58

2 Answers


Not sure what version of Jetty you are using or how it is configured, but looking at http://wiki.eclipse.org/Jetty/Howto/Configure_SSL there is a parameter called allowRenegotiate that defaults to false. Perhaps if you can figure out how to set it to true you'll be able to resume sessions?

Femi
  • I believe that flag is false by default to stop the as of yet unfixed SSL renegotiation security vulnerability. I don't think that is needed for session resumption, but I'm not sure - can anyone comment on that? – user705142 Jul 01 '11 at 13:05
  • Aaaaannd that's fixed it. Better check if it makes it vulnerable. – user705142 Jul 01 '11 at 13:59
  • OpenSSL seems to think secure renegotiation is **enabled** (I guess that means it's fixed?), excellent! – user705142 Jul 01 '11 at 14:02
  • Nice: it took a moment to make the jump from `allowRenegotiate` to **SSL resume**. Glad it helped. – Femi Jul 01 '11 at 14:08
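The comments above use OpenSSL to check renegotiation, but session resumption (an abbreviated handshake that reuses the session from an earlier connection, which is what saves the data and battery) and secure renegotiation (RFC 5746, the fix for the renegotiation flaw that `allowRenegotiate=false` was guarding against) are independent properties, and `openssl s_client` reports both. The script below is an added example, not part of the thread and not Restlet or Jetty code: it classifies an `openssl s_client -reconnect` transcript by counting full and resumed handshakes and picking out the secure-renegotiation line. The two transcripts embedded in it are constructed and abridged; the host and the `client.pem`/`client.key` file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): classify an `openssl s_client -reconnect`
# transcript to tell TLS session resumption apart from secure renegotiation.
#
# Live usage against the server in the question (it requires a client
# certificate, so pass one; host and file names are placeholders):
#   openssl s_client -connect host:444 -reconnect \
#       -cert client.pem -key client.key </dev/null >transcript.txt 2>&1
#   check_transcript transcript.txt
#
# -reconnect makes s_client open the connection five more times, offering the
# session from the first handshake each time. A server that resumes prints one
# "New," line and five "Reused," lines; a server that does a full handshake
# every time prints six "New," lines.

# Number of full handshakes in the transcript (grep -c prints 0 on no match but
# exits 1, hence the "|| true").
count_new() { grep -c '^New, ' "$1" || true; }

# Number of abbreviated (resumed) handshakes in the transcript.
count_reused() { grep -c '^Reused, ' "$1" || true; }

# RFC 5746 status as reported by s_client: secure, insecure or unknown.
renegotiation_status() {
    if grep -q '^Secure Renegotiation IS supported' "$1"; then
        echo secure
    elif grep -q '^Secure Renegotiation IS NOT supported' "$1"; then
        echo insecure
    else
        echo unknown
    fi
}

# One-line verdict. Resumption and renegotiation are independent: a server can
# support secure renegotiation and still never resume a session.
check_transcript() {
    new=$(count_new "$1")
    reused=$(count_reused "$1")
    reneg=$(renegotiation_status "$1")
    if [ "$reused" -gt 0 ] && [ "$new" -le 1 ]; then
        resumption=yes
    else
        resumption=no
    fi
    echo "new=$new reused=$reused resumption=$resumption renegotiation=$reneg"
}

# Constructed, abridged transcripts: one for a server that resumes, one for a
# server that, like the Jetty connector in the question, redoes the handshake.
GOOD_TRANSCRIPT=$(mktemp)
BAD_TRANSCRIPT=$(mktemp)
trap 'rm -f "$GOOD_TRANSCRIPT" "$BAD_TRANSCRIPT"' EXIT

cat >"$GOOD_TRANSCRIPT" <<'EOF'
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported
drop connection and then reconnect
Reused, TLSv1/SSLv3, Cipher is AES256-SHA
drop connection and then reconnect
Reused, TLSv1/SSLv3, Cipher is AES256-SHA
drop connection and then reconnect
Reused, TLSv1/SSLv3, Cipher is AES256-SHA
drop connection and then reconnect
Reused, TLSv1/SSLv3, Cipher is AES256-SHA
drop connection and then reconnect
Reused, TLSv1/SSLv3, Cipher is AES256-SHA
EOF

cat >"$BAD_TRANSCRIPT" <<'EOF'
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported
drop connection and then reconnect
New, TLSv1/SSLv3, Cipher is AES256-SHA
drop connection and then reconnect
New, TLSv1/SSLv3, Cipher is AES256-SHA
drop connection and then reconnect
New, TLSv1/SSLv3, Cipher is AES256-SHA
drop connection and then reconnect
New, TLSv1/SSLv3, Cipher is AES256-SHA
drop connection and then reconnect
New, TLSv1/SSLv3, Cipher is AES256-SHA
EOF

check_transcript "$GOOD_TRANSCRIPT"   # new=1 reused=5 resumption=yes renegotiation=secure
check_transcript "$BAD_TRANSCRIPT"    # new=6 reused=0 resumption=no renegotiation=secure
```

Run the live command against the Jetty build before and after changing `allowRenegotiate`: the "Reused" count is what should change, while the "Secure Renegotiation IS supported" line should be present in both cases, since that is a property of the JSSE provider rather than of the connector flag.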

I haven't tried, but it would be worth trying to use the NIO connector, via Jetty's SslSelectChannelConnector, with Restlet parameter type=1. (The default is to use the SslSocketConnector, with type=2.)

Bruno