JDK-4757621

serious performance issues while using JSSE. It is very slow to create a Server


    • Type: Bug
    • Resolution: Cannot Reproduce
    • Priority: P4
    • None
    • 1.4.0
    • security-libs



      Name: pa48320 Date: 10/03/2002


      We are seeing performance issues with JSSE using JVM 1.4 on any platform. We are using JSSE 1.0.2 for Server authentication. These are the steps followed:


      This sample code tests the JSSE communication on the Server.
      This code tests the server authentication.

        To run the code, first run Server and then Client.
      The Client will make an SSL connection to the Server
      and will exchange some dummy data. If this goes through,
      it means that SSL connectivity is working fine.

      Usage:
      java Server user.pfx
      java Client user.jks

      NOTE:
      JSSE has to be installed. The 3 jar (jsse.jar, jcert.jar, jnet.jar) files have to be present in
      java-home/lib/ext directory.
      user.pfx contains the Server's private key.
      user.jks has its corresponding public certificate
               that the client has to load in its truststore.


      --------------------------------------------------------------------

      client.java source



      import java.net.*;
      import java.io.*;
      import javax.net.*;
      import javax.net.ssl.*;
      import javax.security.cert.X509Certificate;
      import com.sun.net.ssl.*;
      import java.security.KeyStore;
      import java.security.*;


      public class client {

          public static void main(String args[]) throws Exception {
              String host = "localhost";
              int port = 7000;
              DataInputStream dis;
              DataOutputStream dos;

              // Register the JSSE provider (JSSE is installed as an extension here).
              Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
              try {
                  SSLSocketFactory factory = null;
                  try {
                      SSLContext ctx;
                      TrustManagerFactory tmf;
                      KeyStore ks;
                      char[] passphrase = "novell".toCharArray();
                      ctx = SSLContext.getInstance("SSL");
                      tmf = TrustManagerFactory.getInstance("SunX509");
                      ks = KeyStore.getInstance("JKS");

                      // First use makes the generator seed itself before it is passed to the context.
                      SecureRandom sr = new SecureRandom();
                      sr.nextInt();

                      // Load the truststore that holds the server's public certificate.
                      ks.load(new FileInputStream(args[0]), passphrase);
                      tmf.init(ks);
                      ctx.init(null, tmf.getTrustManagers(), sr);
                      factory = ctx.getSocketFactory();
                  } catch (Exception e) {
                      throw new IOException(e.getMessage());
                  }

                  Socket socket = (SSLSocket)factory.createSocket(host, port);
                  // The listing in the report ends here; the lines below only close the open blocks.
              } catch (IOException e) {
                  e.printStackTrace();
              }
          }
      }

      ---------------------------------------------------------------------

      server.java source



      import java.io.*;
      import java.net.*;
      import java.security.KeyStore;
      import javax.net.*;
      import javax.net.ssl.*;
      import javax.security.cert.X509Certificate;
      import com.sun.net.ssl.*;
      import java.security.*;


      public class server {
          public static void main(String args[])
          {
              // Register the JSSE provider (JSSE is installed as an extension here).
              Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

              DataInputStream dis;
              DataOutputStream dos;
              int port = 7000;
              try
              {
                  ServerSocketFactory ssf =
                      server.getServerSocketFactory(args[0]);
                  ServerSocket ss = ssf.createServerSocket(port);
                  System.out.println("Server: socket created.keystore is set");
                  try
                  {
                      // Accept a single client connection and read one int from it.
                      Socket socket = ss.accept();
                      System.out.println("Server: connection accepted");
                      System.out.println("Accepted connection (" + socket.getLocalAddress() + ", " +
                                         socket.getLocalPort() + ") -> (" +
                                         socket.getInetAddress() + ", " +
                                         socket.getPort() + ")");
                      dis = new DataInputStream(socket.getInputStream());
                      dos = new DataOutputStream(socket.getOutputStream());

                      System.out.println("Server: i/o streams set");

                      int c = dis.readInt();
                      System.out.println("\nServer read the data " + c);

                      socket.close();
                      System.out.println("Server: Closed connection");
                  }
                  catch (EOFException e1)
                  {
                      System.out.println("end of file reached.....");
                      e1.printStackTrace();
                  }
                  catch (IOException e)
                  {
                      System.out.println("Class Server died: " + e.getMessage());
                      e.printStackTrace();
                      return;
                  }
              }
              catch (IOException e)
              {
                  System.out.println("Unable to start Server: " +
                                     e.getMessage());
                  e.printStackTrace();
              }
          }

          // Builds an SSL server socket factory from the PKCS12 file holding the server's private key.
          private static ServerSocketFactory getServerSocketFactory(String file) {
              SSLServerSocketFactory ssf = null;
              try {
                  SSLContext ctx;
                  KeyManagerFactory kmf;
                  KeyStore ks;
                  char[] passphrase = "novell".toCharArray();
                  ctx = SSLContext.getInstance("SSL");
                  kmf = KeyManagerFactory.getInstance("SunX509");
                  ks = KeyStore.getInstance("PKCS12");

                  // First use makes the generator seed itself before it is passed to the context.
                  SecureRandom sr = new SecureRandom();
                  sr.nextInt();

                  ks.load(new FileInputStream(file), passphrase);
                  kmf.init(ks, passphrase);
                  ctx.init(kmf.getKeyManagers(), null, sr);

                  ssf = ctx.getServerSocketFactory();
                  return ssf;
              } catch (Exception e) {
                  e.printStackTrace();
              }

              return null;
          }
      }

      ---------------------------------------------------------------------






      At the server side:
      The PFX file containing the private key of the server is loaded into the PKCS12 type Keystore of the server. The JSSE KeyManagerFactory is initialized with the KeyStore loaded with the PFX file. The SSLContext is then initialized with the key managers. A server socket is created with all the above properties set and is made to listen on a particular port.

      At the client side:
      The public certificate of the server to be authenticated is stored as a DER file for establishing trust. The DER file obtained is simply an X509 certificate and it has to be converted to a valid standard as either a PKCS12 or a JKS type. The JSSE TrustManagerFactory is initialized with the TrustStore loaded with the DER file. The SSLContext is initialized with the trust managers. A socket is created and the client connects to the server on the port it listens on and initiates the SSL handshake.

      If the authentication is successful then a secure channel is established using SSL as the underlying mechanism.

      Performance:

      With JSSE we have observed a lot of performance issues. The time taken for the server authentication is drastically slow in the order of a few tens of seconds. Loading the Keystore takes around 5 to 10 seconds, initializing the Trust/Key Manager takes 5 to 10 seconds and initializing the SSL Context takes 10 to 15 seconds.


      Basically, with JDK 1.4 the performance of JSSE seems to be slightly better, improving over a few seconds.
      (Review ID: 165205)
      ======================================================================
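
A way to time, one at a time, the setup phases the report gives figures for (added example, not code from the report or from the JDK project). It uses the `javax.net.ssl` API of current JDKs and the "TLS" context name rather than the `com.sun.net.ssl` classes of JSSE 1.0.2; the class name `JsseSetupTimer`, the optional arguments and the default passphrase are assumptions, and with no arguments it loads an empty in-memory PKCS12 store.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

// Added example (not from the report): times each server-side JSSE setup phase separately.
public class JsseSetupTimer {
    interface Step { void run() throws Exception; }

    // Runs one phase, prints its wall-clock duration and returns it in milliseconds.
    static long timeMs(String label, Step step) throws Exception {
        long t0 = System.nanoTime();
        step.run();
        long ms = (System.nanoTime() - t0) / 1_000_000;
        System.out.printf("%-28s %6d ms%n", label, ms);
        return ms;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: args[0] = optional PKCS12 file, args[1] = its passphrase.
        final String file = args.length > 0 ? args[0] : null;
        final char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();

        final SecureRandom sr = new SecureRandom();
        final KeyStore ks = KeyStore.getInstance("PKCS12");
        final KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        final SSLContext ctx = SSLContext.getInstance("TLS");

        long total = 0;
        // First use makes the generator seed itself, so seeding cost lands in this phase.
        total += timeMs("SecureRandom first nextInt", () -> sr.nextInt());
        total += timeMs("KeyStore.load", () -> {
            if (file == null) {
                ks.load(null, pass);   // empty in-memory store, no file needed
            } else {
                try (InputStream in = new FileInputStream(file)) {
                    ks.load(in, pass);
                }
            }
        });
        total += timeMs("KeyManagerFactory.init", () -> kmf.init(ks, pass));
        total += timeMs("SSLContext.init", () -> ctx.init(kmf.getKeyManagers(), null, sr));
        total += timeMs("getServerSocketFactory", () -> ctx.getServerSocketFactory());
        System.out.printf("%-28s %6d ms%n", "total", total);
    }
}
```

Run it as `java JsseSetupTimer user.pfx <passphrase>` to time the phases against a real key file; the per-phase lines show which step dominates the total.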

            andreas Andreas Sterbenz
            pallenba Peter Allenbach (Inactive)