Hello, we are using the Apache Harmony SSLSocket classes to solve a problem we were having with SSL renegotiation. However, recently our production admin noticed that our SSL client was not automatically failing over to a secondary machine that exists behind a load balancer or redistributor in cases where a server goes down (either unexpectedly or for maintenance). We are using the Sun JVM and not the Apache Harmony version. He mentions the following:
Our investigation found that once Java-based clients (both standalone applications, and servlets) have performed the first network access (i.e. urlconnection, parsing of xml document with external references, etc) they cache DNS settings, so any subsequent client request will use its old DNS information even if the real DNS settings have changed. To reset everything, you have to restart the client application since the default JVM setting is to cache forever. The InetAddress class has a cache to store successful as well as unsuccessful host name resolutions. The positive caching is there to guard against DNS spoofing attacks.

He goes on to discuss how the caching can be disabled. I know your SSLSocket implementation uses SSLEngine and does low-level socket based communication so I did not think his analysis may fit our situation. Furthermore, I am not convinced that we are having this problem but our development and test environments do not have a distributor/load balancer in front of the actual host machines. I know in production we are configured to connect to the distributor, not one of the actual hosts.

I am wondering if you were aware of any caching of DNS information that may be going on inside the SSLSocket class and dependent code that we are using? I could not find any references to the InetAddress class mentioned above in any of the Harmony source I have. The x-net.jar file that we are using has a last modified date of October 28, 2006 8:27:58 PM. The last modified date of luni.jar is the same. These are the only two Apache Harmony libraries we are using.

Any information you have pertaining to this problem is greatly appreciated.

Regards,
Gerald Jerome
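The following is an added example, not part of the original message and not Apache Harmony code: a client that bounds the JVM's InetAddress cache with the standard `networkaddress.cache.ttl` and `networkaddress.cache.negative.ttl` security properties, tries every address the name resolves to, and turns on certificate hostname verification so that a shorter cache does not leave the connection dependent on DNS alone. The class name, host name, TTL values and timeout are assumptions chosen for illustration, and the code targets a current JDK.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.Security;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class FailoverTlsClient {  // hypothetical class name
    static {
        // Set before the first name lookup in the JVM; the cache policy is read at initialization.
        Security.setProperty("networkaddress.cache.ttl", "30");          // seconds, example value
        Security.setProperty("networkaddress.cache.negative.ttl", "5");  // seconds, example value
    }

    // Resolve the name on every call and try each returned address in turn.
    static SSLSocket connect(String host, int port, int timeoutMs) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        IOException last = null;
        for (InetAddress addr : InetAddress.getAllByName(host)) {
            Socket plain = new Socket();
            try {
                plain.connect(new InetSocketAddress(addr, port), timeoutMs);
                plain.setSoTimeout(timeoutMs);
                // Layer TLS over the connected socket, passing the name we expect to reach.
                SSLSocket tls = (SSLSocket) factory.createSocket(plain, host, port, true);
                SSLParameters params = tls.getSSLParameters();
                // Verify the certificate against 'host', so a spoofed DNS answer fails the handshake.
                params.setEndpointIdentificationAlgorithm("HTTPS");
                tls.setSSLParameters(params);
                tls.startHandshake();
                return tls;
            } catch (IOException e) {
                last = e;  // remember the failure and move on to the next address
                try { plain.close(); } catch (IOException ignored) { }
            }
        }
        throw last != null ? last : new IOException("no address for " + host);
    }

    public static void main(String[] args) throws IOException {
        // "service.example.com" is a constructed placeholder, not a host from the message.
        try (SSLSocket s = connect("service.example.com", 443, 5000)) {
            System.out.println("connected to " + s.getInetAddress());
        }
    }
}
```

The same two properties can be set in the JRE's `java.security` file instead of in code, which avoids depending on class initialization order.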
