subject:"SSL socket timeouts with SolrJ usage of HttpClient"

Re: SSL socket timeouts with SolrJ usage of HttpClient

2015-04-09 Thread Oleg Kalnichevski

On Thu, 2015-04-09 at 10:41 -0400, Karl Wright wrote:
 Hi Oleg,
 
 I've been looking at the tickets for potential issues with SSL socket
 timeout values not being honored in some versions of HttpClient, and I must
 say I'm not clear where things stand.
 
 I have a ManifoldCF user who is seeing socket read timeouts when using
 SSL.  The stack in that case involves the Solr client library (SolrJ).  I
 am passing in an HttpClient instance that's already built:
 
 
 RequestConfig.Builder requestBuilder = RequestConfig.custom()
   .setCircularRedirectsAllowed(true)
   .setSocketTimeout(socketTimeout)
   .setStaleConnectionCheckEnabled(true)
   .setExpectContinueEnabled(true)
   .setConnectTimeout(connectionTimeout)
   .setConnectionRequestTimeout(socketTimeout);
 
   HttpClientBuilder clientBuilder = HttpClients.custom()
 .setConnectionManager(connectionManager)

Karl,
If one explicitly assigns an already initialized connection manager
instance basically all connection manager parameters have no effect.
Please try setting default SocketConfig on connection manager directly.

Oleg 


 .setMaxConnTotal(1)
 .disableAutomaticRetries()
 .setDefaultRequestConfig(requestBuilder.build())
 .setRedirectStrategy(new DefaultRedirectStrategy())
 .setSSLSocketFactory(myFactory)
 .setRequestExecutor(new HttpRequestExecutor(socketTimeout))
 .setDefaultSocketConfig(SocketConfig.custom()
   .setTcpNoDelay(true)
   .setSoTimeout(socketTimeout)
   .build()
 );
 
 
 if (userID != null  userID.length()  0  password != null)
 {
   CredentialsProvider credentialsProvider = new
 BasicCredentialsProvider();
   Credentials credentials = new UsernamePasswordCredentials(userID,
 password);
   if (realm != null)
 credentialsProvider.setCredentials(new
 AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, realm), credentials);
   else
 credentialsProvider.setCredentials(AuthScope.ANY, credentials);
 
   clientBuilder.setDefaultCredentialsProvider(credentialsProvider);
 }
 
 HttpClient localClient = clientBuilder.build();
 
 
 It is remotely possible that SolrJ is modifying a parameter in the client,
 which I am aware would invalidate the builder-based configuration.  So my
 question is simple: IF the HttpClient instance is *not* being configured in
 SolrJ, would you expect the socket timeout to be honored for SSL requests,
 on the current codebase?  

yes.

 Was there ever a time when that was not true?  If

No.

 there's a buried default SSL socket timeout value that would be used if
 configuration was overridden by setting a parameter, what is that value?
 

SSL handshake as well as CONNECT message exchange use socket timeout set
by the connection manager. Request level settings apply only once a
connection has been fully established and routed.

Hope this helps.

Oleg 



-
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache.org

Re: SSL socket timeouts with SolrJ usage of HttpClient

2015-04-09 Thread Karl Wright

Hi Oleg,

Can you verify that the following code is not setting any parameter that
will have no effect because of the context in which I'm setting it?  It's
not easy to determine this without looking through much code.


// Initialize standard solr-j.
// First, we need an HttpClient where basic auth is properly set up.
connectionManager = new PoolingHttpClientConnectionManager();
connectionManager.setMaxTotal(1);
connectionManager.setDefaultSocketConfig(SocketConfig.custom()
  .setTcpNoDelay(true)
  .setSoTimeout(socketTimeout)
  .build());

SSLConnectionSocketFactory myFactory;
if (keystoreManager != null)
{
  myFactory = new
SSLConnectionSocketFactory(keystoreManager.getSecureSocketFactory(),
SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
}
else
{
  // Use the trust everything one
  myFactory = new
SSLConnectionSocketFactory(KeystoreManagerFactory.getTrustingSecureSocketFactory(),SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
}

RequestConfig.Builder requestBuilder = RequestConfig.custom()
  .setCircularRedirectsAllowed(true)
  .setSocketTimeout(socketTimeout)
  .setStaleConnectionCheckEnabled(true)
  .setExpectContinueEnabled(true)
  .setConnectTimeout(connectionTimeout)
  .setConnectionRequestTimeout(socketTimeout);

HttpClientBuilder clientBuilder = HttpClients.custom()
  .setConnectionManager(connectionManager)
  .setMaxConnTotal(1)
  .disableAutomaticRetries()
  .setDefaultRequestConfig(requestBuilder.build())
  .setRedirectStrategy(new DefaultRedirectStrategy())
  .setSSLSocketFactory(myFactory)
  .setRequestExecutor(new HttpRequestExecutor(socketTimeout));


if (userID != null  userID.length()  0  password != null)
{
  CredentialsProvider credentialsProvider = new
BasicCredentialsProvider();
  Credentials credentials = new UsernamePasswordCredentials(userID,
password);
  if (realm != null)
credentialsProvider.setCredentials(new
AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, realm), credentials);
  else
credentialsProvider.setCredentials(AuthScope.ANY, credentials);

  clientBuilder.setDefaultCredentialsProvider(credentialsProvider);
}

HttpClient localClient = clientBuilder.build();


I'm also getting warnings now for setStaleConnectionCheckEnabled(true).  It
looks like this is now a connection parameter too?  Will all of my
setStaleConnectionCheckEnabled(true) calls now be invalid?

Karl


On Thu, Apr 9, 2015 at 3:03 PM, Oleg Kalnichevski ol...@apache.org wrote:

 On Thu, 2015-04-09 at 10:41 -0400, Karl Wright wrote:
  Hi Oleg,
 
  I've been looking at the tickets for potential issues with SSL socket
  timeout values not being honored in some versions of HttpClient, and I
 must
  say I'm not clear where things stand.
 
  I have a ManifoldCF user who is seeing socket read timeouts when using
  SSL.  The stack in that case involves the Solr client library (SolrJ).  I
  am passing in an HttpClient instance that's already built:
 
  
  RequestConfig.Builder requestBuilder = RequestConfig.custom()
.setCircularRedirectsAllowed(true)
.setSocketTimeout(socketTimeout)
.setStaleConnectionCheckEnabled(true)
.setExpectContinueEnabled(true)
.setConnectTimeout(connectionTimeout)
.setConnectionRequestTimeout(socketTimeout);
 
HttpClientBuilder clientBuilder = HttpClients.custom()
  .setConnectionManager(connectionManager)

 Karl,
 If one explicitly assigns an already initialized connection manager
 instance basically all connection manager parameters have no effect.
 Please try setting default SocketConfig on connection manager directly.

 Oleg


  .setMaxConnTotal(1)
  .disableAutomaticRetries()
  .setDefaultRequestConfig(requestBuilder.build())
  .setRedirectStrategy(new DefaultRedirectStrategy())
  .setSSLSocketFactory(myFactory)
  .setRequestExecutor(new HttpRequestExecutor(socketTimeout))
  .setDefaultSocketConfig(SocketConfig.custom()
.setTcpNoDelay(true)
.setSoTimeout(socketTimeout)
.build()
  );
 
 
  if (userID != null  userID.length()  0  password != null)
  {
CredentialsProvider credentialsProvider = new
  BasicCredentialsProvider();
Credentials credentials = new UsernamePasswordCredentials(userID,
  password);
if (realm != null)
  credentialsProvider.setCredentials(new
  AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, realm), credentials);
else
  credentialsProvider.setCredentials(AuthScope.ANY, credentials);
 
clientBuilder.setDefaultCredentialsProvider(credentialsProvider);
  }
 
  HttpClient localClient = clientBuilder.build();
  
 
  It is remotely possible that SolrJ is modifying a parameter in the
 client,
  which I am aware would invalidate the

Re: SSL socket timeouts with SolrJ usage of HttpClient

Re: SSL socket timeouts with SolrJ usage of HttpClient

2 matches

Site Navigation

Mail list logo

Footer information