Are you 100% sure the problem is in the SSL/Web layer?
As that big time difference would suggest an issue in WSDL processing trying to resolve some XSDs from the web...
Can you try profiling the application/server to see where exactly the time is spent?
No, I'm not 100% sure... this was my first thought.
The ws code is exactly the same, I don't see why now I'm getting this strange behaviour.
Would you be so kind as to provide me hints on how to activate specific logging for debugging CXF internal code so that I can try to figure out the problem (if it's there)?
I have a similar configuration and if I launch openssl client (openssl s_client -connect localhost:8443), the very first request remains locked for many seconds before receiving a response. Subsequent requests are fast. It seems to be a generic Undertow SSL problem, not CXF.
Can you reproduce this when serving simple static content, for example a file from welcome-content, aka the default page we have?
Btw guys, what is the exact JDK / OS you are using?
I'm running Windows 7 using jdk 1.7.0_40
I'll try to give you timings before Monday if I can!
It seems that this behaviour happens with DSA 1024bit self-signed keys.
With DSA 2048bit keys it works perfectly.
This problem applies only when using Wildfly 8 Final; using JBoss AS 7.1 no problem happens.
- I've used an RSA 2048-bit key for my certificate (the same for both JBoss and Wildfly).
- I've tried both under Windows 7 and Ubuntu 12.04 LTS using JDK 1.7.0_40
The problem, in my case, was not related to the SSL Layer itself but was about DNS Name Resolution.
I was trying to communicate with a custom device (400MHz CPU and 128MB RAM) running Linux and OpenSSL 0.9.5.
In every try, I issued the following command to check the SSL connection:
openssl s_client -connect <ip>:443 -debug
I've also tried to use another embedded device running CentOS 6.5 and OpenSSL 1.0.1e-fips. With this one no problem happens with either Wildfly 8 or JBoss AS 7.1.
To test the connection I used Wireshark and this is the result, a name resolution query has been issued by the server but failed...
Using JBoss AS 7 no DNS resolution query gets issued and everything goes fine, as shown below (JBoss is set to use JSSE, no native Tomcat Connectors):
Forcing name resolution using the Windows hosts file, obviously, solved the issue.
Who issues that DNS Query?
I've heard about a problem in the SSLEngine implementation on the JVM that uses reverse DNS lookup during the handshake.
Is this the case?
Why doesn't it happen on JBoss AS 7?
Thanks in advance to all
I've updated my answer.
Thanks for the detailed investigation.
It looks like SSLEngine does lookups based on how it is created.
There are a few workarounds to fix that. Can you create a JIRA issue for this in the XNIO project? https://issues.jboss.org/browse/XNIO
I'll create an issue in the XNIO project.
In the meantime, could you please tell me which workaround I could use?
I worded myself poorly; workarounds are possible in code, aka in XNIO itself.
All you could do is add an entry to /etc/hosts
so the server would not be timing out trying to resolve itself.
In fact, that's what I did.
In the meantime I've filed a bug in the XNIO project!
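
Added example, not part of the original thread and not XNIO or WildFly code: a small Java check that times the two ways of obtaining the peer host hint passed to `SSLContext.createSSLEngine(host, port)`. It assumes the delay discussed above comes from a reverse lookup of the peer address; the class name and the sample address 192.0.2.10 are constructed for illustration.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class PeerHostLookupDemo {

    // Milliseconds spent obtaining the peer host hint for an SSLEngine.
    static long timeMillis(InetSocketAddress peer, boolean reverseLookup) {
        long start = System.nanoTime();
        // getHostName() reverse-resolves an address built from an IP literal;
        // getHostString() returns the literal without touching DNS.
        String host = reverseLookup ? peer.getHostName() : peer.getHostString();
        long ms = (System.nanoTime() - start) / 1_000_000;
        System.out.printf("%-17s -> %-30s %d ms%n",
                reverseLookup ? "getHostName()" : "getHostString()", host, ms);
        return ms;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample peer: 192.0.2.10 is a documentation address (RFC 5737).
        // Pass the real peer IP as the first argument to test your own network.
        String ip = args.length > 0 ? args[0] : "192.0.2.10";
        int port = 443;

        // Separate InetAddress instances: a resolved name is cached per instance,
        // so reusing one object would hide the cost of the second call.
        InetSocketAddress a = new InetSocketAddress(InetAddress.getByName(ip), port);
        InetSocketAddress b = new InetSocketAddress(InetAddress.getByName(ip), port);

        timeMillis(a, false); // no DNS traffic expected
        timeMillis(b, true);  // PTR query; slow when the resolver cannot answer

        // Engine created with the lookup-free hint (the host is advisory only).
        SSLEngine engine = SSLContext.getDefault()
                .createSSLEngine(a.getHostString(), port);
        engine.setUseClientMode(false);
        System.out.println("engine peer host: " + engine.getPeerHost());
    }
}
```

If the `getHostName()` line takes seconds while `getHostString()` returns immediately, the resolver is the bottleneck, which matches the hosts-file workaround described in the thread.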