Most probably it has something to do with the client ssl session cache. But setting CacheControl="no-store" will have no effect because it has nothing to do with ssl. The Cache Control directive is used to instruct e.g. proxies that they shouldn't cache requests or responses.
What you can try is to set Connection="Close" on the http-client. This should force the server to close the connection after one request/response and should hopefully trigger a session cleanup on the client side. If it doesn't work, try to set the -Dsun.security.ssl.allowUnsafeRenegotiation=true System property to see if it works now. But this shouldn't be used in production!

On Sat, 4 Feb 2012 14:06:45 -0800 (PST)
JKemp <[email protected]> wrote:

>
> Bernhard Thalmayr wrote
> >
> > So you don't see a 'ServerHello' in the log? This means the Client
> > Request is not seen/received by the server.
> >
> > You may have to do a network trace and look at the TCP connection(s)
> > themselves.
> >
>
> I got some packet captures from the networking team that hosts the
> service, but I'm not all that familiar with how to read the finer
> details. It looks like they're kicking back the handshake failure
> after they receive our Client Hello, but I'm not sure why that's the
> case, since our original connection succeeds:
>
> 2844 101259.108606 x.x.67.14 x.x.31.5 SSLv3 300 Client Hello
>
> 2846 101259.190816 x.x.31.5 x.x.67.14 SSLv3 73 Alert (Level: Fatal, Description: Handshake Failure)
>
> I thought it might be an issue with reusing the cached SSL session
> (just a wild guess on my part) so I thought if I could disable the
> reuse of the session it would start from scratch and work like the
> original connection. But like I said, the CacheControl settings
> didn't seem to do anything (although, again, I was just guessing that
> the "no-cache" setting would have the desired effect of ignoring the
> cached SSL session. Is that a valid assumption that that's what the
> no-cache setting is supposed to do?)
>
> Thanks in advance for any help with this.
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Question-on-SSL-caching-tp5455499p5457036.html
> Sent from the cxf-user mailing list archive at Nabble.com.
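
Where the Connection="Close" setting suggested in the reply goes in a CXF Spring configuration file, as an added example that is not part of the original thread. The wildcard conduit name is an assumption that applies the policy to every HTTP conduit on the client.

```xml
<!-- Added example: client-side CXF Spring configuration. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http/configuration
         http://cxf.apache.org/schemas/configuration/http-conf.xsd">

  <!-- Assumption: the wildcard name matches every HTTP conduit;
       use a specific conduit name to limit this to one service. -->
  <http:conduit name="*.http-conduit">
    <!-- Connection="Close" sends "Connection: close", so each
         request/response uses its own connection (the default is
         Keep-Alive).
         CacheControl is deliberately left unset: it only adds an HTTP
         Cache-Control header and does not affect the SSL session cache. -->
    <http:client Connection="Close"/>
  </http:conduit>
</beans>
```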
