
RE: [iaik-ssl] SSLServer still there but do nothing



On Tue, 7 Aug 2001, Changski Zhang wrote:

> Hi Polar,
> Thank you for your reply.
> Below are the env:
> JDK: J2SE 1.3.0_2
> JRE: JRE1.3(which comes with the JDK)
> OS: Windows2000 Server
>
> After our server being locked, I tried to start a java.net.ServerSocket to
> bind the same port which iaik.security.sslSSLServerSocket had bound,
> and the new java.net.ServerSocket could not start and bind the port, that
> means the port was still bound by iaik.security.sslSSLServerSocket and
> SSLServerSocket was still listening to that port;
> 2. Tried to connect the port by Telnet and got connection refused, that
> means SSLServerSocket still there but did nothing.

That means that the Socket underneath is still there, but its "backlog" is
full. So, what has happened is that the "Acceptor::Accept" is most likely
not picking up the connections off the server socket. There is something
stopping it.

How many threads do you have running?
I don't know about Windows, but on Unix machines, you can do a Control-\
and get a dump of the thread stack. Find out what everything is waiting
on.

> I don't have the source of iaik.security.sslSSLServerSocket , so I don't
> understand what happened at that time?
> What's more, this problem comes out randomly after server running several
> hours.

I doubt if it is with the IAIK socket. Most likely there might be
something in your application (a memory leak or something) stuffing it up.
The only other thing I can think of is that you're using Windows.

> I really wanna know in which case iaik.security.sslSSLServerSocket can be
> murdered?

Well it's not murdered. But as you can see, you can probably land it a
good denial of service attack by connecting to it very often.

Cheers,
-Polar

> Thanks in advance,
> Changski
>
> -----Original Message-----
> From: Polar Humenn [mailto:polar@adiron.com]
> Sent: Tuesday, August 07, 2001 4:25 PM
> To: Changski Zhang
> Cc: 'iaik-ssl@iaik.tu-graz.ac.at'
> Subject: Re: [iaik-ssl] SSLServer still there but do nothing
>
>
> On Tue, 7 Aug 2001, Changski Zhang wrote:
>
> > Hi, support,
> >
> > OS: WindowsNT 4.0
> > Env: Orbacus4.0.5 with BiDirection +FreeSSL2.0.1+IAIK-JCE2.61c+iSaSiLk3.03.
> >
> > Thread models: threaded + thread_per_request.
> > Problem:
> > 	After our server has run for about 2 to 4 hours, it refuses to
> > accept any new connection requests from the client side as if the SSL
> > layer is dead, we're saying this because we used to see ORBacus and
> > FreeSSL debug messages until that moment, and FSSL debug message
> > stopped here:
> >
> > ssl_debug(n): Starting handshake (iSaSiLk 3.03)...
> > ssl_debug(n): Sending v3 client_hello message, requesting version 3.1...
> >
> > It seems that the SSLServerSocket who is doing the "accept" job is locked.
> > We estimate 20 clients are connected to the server when the failures are
> > happening.
> > Ever heard about such a problem?
>
> > Question:
> > 1. Does FreeSSL2.0.1 support ORBacus4.0.5?
>
> That I don't know. Have you tried Adiron's ORBAsec SL3? It has SSL and
> gives you a proper credentials model. And you can "quote" others, which
> gives you a delegation capability. (We only have Java, but I'm assuming
> that you're using Java if you're mailing to IAIK.)
>
> > 2.  Is it possible that too many threads are alive and a leak is
> > happening so that the SSL layer won't accept any connections?
>
> This very well might be the case. In fact, anything of this nature is
> possible with NT. Have you tried your servers on another platform, such as
> Linux, or Solaris? What version of the JDK are you using? Or are you using
> some special JVM?
>
> Cheers,
> -Polar
>
>
> -------------------------------------------------------------------
> Polar Humenn                  Adiron, LLC
> mailto:polar@adiron.com       2-212 CST
> Phone: 315-443-3171           Syracuse, NY 13244-4100
> Fax:   315-443-4745           http://www.adiron.com
>

-------------------------------------------------------------------
Polar Humenn                  Adiron, LLC
mailto:polar@adiron.com       2-212 CST
Phone: 315-443-3171           Syracuse, NY 13244-4100
Fax:   315-443-4745           http://www.adiron.com
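
The two symptoms reported in this thread (the port stays bound, yet new connections fail) are what a listening socket shows when nothing calls accept() and its backlog fills. The Java program below is an added illustration, not part of the original email and not iSaSiLk code; it uses plain java.net sockets on loopback (Java 7+ syntax), and the backlog, attempt count and timeout are constructed values.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.ArrayList;
import java.util.List;

// Added example: a listener that is bound but whose accept() is never called.
public class StalledAcceptorDemo {
    public static void main(String[] args) throws IOException {
        InetAddress lo = InetAddress.getLoopbackAddress();
        int backlog = 2;       // constructed: small so the queue fills quickly
        int attempts = 16;     // constructed: upper bound on client connects
        int timeoutMs = 1000;  // constructed: client connect timeout

        // Port 0 lets the OS pick a free port. Nothing ever calls accept().
        try (ServerSocket stalled = new ServerSocket(0, backlog, lo)) {
            int port = stalled.getLocalPort();

            // Symptom 1: a second ServerSocket cannot bind the same port.
            try (ServerSocket second = new ServerSocket(port, backlog, lo)) {
                System.out.println("rebind unexpectedly succeeded");
            } catch (IOException e) {
                System.out.println("rebind failed: " + e);
            }

            // Symptom 2: completed handshakes pile up in the backlog until it
            // is full. The next connect then fails; whether it is reported as
            // a refusal or a timeout depends on the operating system.
            List<Socket> held = new ArrayList<>();
            try {
                for (int i = 1; i <= attempts; i++) {
                    Socket s = new Socket();
                    try {
                        s.connect(new InetSocketAddress(lo, port), timeoutMs);
                        held.add(s); // keep it open so it stays queued
                        System.out.println("connect " + i + ": queued in backlog");
                    } catch (IOException e) {
                        s.close();
                        System.out.println("connect " + i + ": failed: " + e);
                        break;
                    }
                }
            } finally {
                for (Socket s : held) s.close();
            }
        }
    }
}
```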
