<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><title>Java Security and Networking</title><link>http://pipes.yahoo.com/pipes/pipe.info?_id=_rn8QKpg3hGZt64je0xjxw</link><description>Pipes Output</description><language>en</language><generator>http://pipes.yahoo.com/pipes/</generator><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/javasec" type="application/rss+xml" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item><title>Sean Mullan:   Using more recent Apache XML Security Libraries with JDK 6 or JDK 7</title><link>http://feedproxy.google.com/~r/javasec/~3/QCrUDqtdOeQ/using_more_recent_apache_xml</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sean Mullan</dc:creator><pubDate>Thu, 01 Oct 2009 01:57:48 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/mullan/entry/using_more_recent_apache_xml</guid><description>This question has come up in user forums quite a bit: "how can I use a more recent Apache XML Security library with the XML Signature APIs (JSR 105) in JDK 6 and JDK 7?" 
Most of the time, you will not need to do this. Our JDK 6/7 XML Signature implementation is based on Apache XML Security and we try to keep up with the latest release. However, there may be a bug fix or new algorithm that you really need and are willing to depend on a more recent version of the Apache XML Security library that has that fix.&amp;nbsp; Here is what you need to do if so:  Place the Apache xmlsec.jar in the endorsed...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/QCrUDqtdOeQ" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/mullan/entry/using_more_recent_apache_xml</feedburner:origLink></item><item><title>Sean Mullan:   Using stronger XML Signature Algorithms in JDK 7</title><link>http://feedproxy.google.com/~r/javasec/~3/GtBh6EOYqu0/using_stronger_xml_signature_algorithms</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sean Mullan</dc:creator><pubDate>Fri, 24 Jul 2009 02:07:10 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/mullan/entry/using_stronger_xml_signature_algorithms</guid><description>One of the new features of the XML Signature 1.1 specification, which is currently in draft review, is the addition of stronger cryptographic algorithms to the REQUIRED algorithms, such as the RSAwithSHA256 SignatureMethod algorithm. Additional RECOMMENDED and OPTIONAL algorithms have also been added. See section 6.1 for a complete list of algorithm requirements. 
In JDK 7, you can already use many of these stronger XML Signature algorithms in your Java applications. The following algorithms are newly supported: the RSAwithSHA256, RSAwithSHA384, RSAwithSHA512 signature algorithms and the...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/GtBh6EOYqu0" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/mullan/entry/using_stronger_xml_signature_algorithms</feedburner:origLink></item><item><title>Xuelei Fan:   Document published: SunJSSE FIPS 140 Complient Mode</title><link>http://feedproxy.google.com/~r/javasec/~3/kWMKNwX8GJw/document_published_sunjsse_fips_140</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Sat, 18 Jul 2009 09:27:15 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/document_published_sunjsse_fips_140</guid><description>If you review the online JSSE Reference Guide recently, you would found that in the section, Related Documentation, there is a new link to the just published document FIPS 140 Compliant Mode for SunJSSE&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/kWMKNwX8GJw" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/document_published_sunjsse_fips_140</feedburner:origLink></item><item><title>Xuelei Fan:   Dump PKCS11 Slot Info</title><link>http://feedproxy.google.com/~r/javasec/~3/SMnvMmF9npI/dump_pkcs11_slot_info</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Fri, 17 Jul 2009 23:59:10 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/dump_pkcs11_slot_info</guid><description>Recently, I needed a tool to show the detailed PKCS11 slot information. 
Cryptoadm is a good utility to display cryptographic provider information for a system, but it does not show me the "ulMaxSessionCount" field, which was important to me at that time: I was eager to know the maximum number of sessions that can be opened with the token at one time by a single application. Google did not help this time, so I had to write a simple tool by myself.
Paste the code here; maybe one day it will save me a lot of time when I need such detailed slot info.
Compile the codes with:$gcc cryinfo.c -o...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/SMnvMmF9npI" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/dump_pkcs11_slot_info</feedburner:origLink></item><item><title>Xuelei Fan:   An Aggregate of Feeds: Top Influencers on IT Security</title><link>http://feedproxy.google.com/~r/javasec/~3/gjiCSrnabU8/an_aggregate_of_feeds_top</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Sun, 12 Jul 2009 22:52:11 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/an_aggregate_of_feeds_top</guid><description>An aggregate of feeds,&amp;nbsp;http://feeds.feedburner.com/influenceronsec, from&amp;nbsp;Bruce Schneier, Alan Shimel, and more.&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/gjiCSrnabU8" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/an_aggregate_of_feeds_top</feedburner:origLink></item><item><title>Xuelei Fan:   Enable OCSP checking</title><link>http://feedproxy.google.com/~r/javasec/~3/VAHwLQYrsAs/enable_ocsp_checking</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Wed, 01 Jul 2009 12:55:43 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/enable_ocsp_checking</guid><description>If a certificate is issued with a authority information access extension which indicates the OCSP access method and location, one can enable the default implementation of OCSP checker during building or validating a certification path.
You may first need to check your certificate, to make sure it includes an OCSP authority information access extension:
#${JAVA_HOME}/bin/keytool -printcert -v -file target.cert
You are expected to see similar lines in the output:
#3: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
 [accessMethod: 1.3.6.1.5.5.7.48.1
...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/VAHwLQYrsAs" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/enable_ocsp_checking</feedburner:origLink></item><item><title>Xuelei Fan:   An Aggregate of Feeds on Java Security and Networking</title><link>http://feedproxy.google.com/~r/javasec/~3/hxlRZWxjaZ4/an_aggregate_of_feeds_on</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Thu, 25 Jun 2009 01:12:50 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/an_aggregate_of_feeds_on</guid><description>To facilitate keeping track of blogs on java security and networking, I just created an aggregate of feeds, http://feeds.feedburner.com/javasec, and subscribed it to my feed reader, thunderbird. If you are blogging on Java security or networking, please let me know, I would like subscribe to your feed and add it into the aggregator

Of course, you are welcome to subscribe to the aggregated feed, http://feeds.feedburner.com/javasec.&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/hxlRZWxjaZ4" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/an_aggregate_of_feeds_on</feedburner:origLink></item><item><title>Xuelei Fan:   TLS and NIST'S Policy on Hash Functions</title><link>http://feedproxy.google.com/~r/javasec/~3/-cBOaqhd5Bc/tls_and_nist_s_policy</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Wed, 17 Jun 2009 21:15:55 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/tls_and_nist_s_policy</guid><description>NIST'S Policy on Hash Functions
March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224, SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all applications using secure hash algorithms. Federal agencies should stop using SHA-1 for digital signatures, digital time stamping and other applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010. After 2010, Federal agencies may use SHA-1 only for the following applications: hash-based message authentication codes (HMACs); key...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/-cBOaqhd5Bc" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/tls_and_nist_s_policy</feedburner:origLink></item><item><title>Xuelei Fan:   Publicly Accessible LDAP Servers</title><link>http://feedproxy.google.com/~r/javasec/~3/sLE-Nh0Gybg/publicly_accessible_ldap_servers</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Tue, 16 Jun 2009 00:31:35 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/publicly_accessible_ldap_servers</guid><description>In order to learn JNDI, one needs a LDAP server for various purpose. In the JNDI tutorial, there are a few of publicly accessible servers documented[1]. However, the list is too old, and those servers are out of services.

Using Google, I found the following two collections[2][3] of publicly accessible LDAP servers.

And thanks to Ludovic, who commented that FreeLDAP.org is an alternative. FreeLDAP.org[4] is a free LDAP service that you can add yourself entries, and best of all, it provide the service base on SSL and requires individual authentication, which is handy to for the examples that need...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/sLE-Nh0Gybg" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/publicly_accessible_ldap_servers</feedburner:origLink></item><item><title>Xuelei Fan:   JSSE Troubleshooting: Certificates Order in TLS Handshaking</title><link>http://feedproxy.google.com/~r/javasec/~3/8ObymSfVzFU/jsse_troubleshooting_certificates_order_in</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Mon, 15 Jun 2009 14:45:19 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/jsse_troubleshooting_certificates_order_in</guid><description>Issue: 
Failed with an exception: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed.
Example:
Test case:

//
// JSSE Troubleshooting: Disordered Certificate List in TLS Handshaking
//
import java.net.*;

public class DisorderedCertificateList {
    public static void main(String[] Arguments) throws Exception {
        URL url = new URL("https://myservice.example.com/");
        URLConnection connection = url.openConnection();

        // Opening the stream triggers the TLS handshake and certificate path validation.
        connection.getInputStream().close();
    }
}

Test environment:
The HTTPS server, myservice.example.com, is configurated with...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/8ObymSfVzFU" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/jsse_troubleshooting_certificates_order_in</feedburner:origLink></item><item><title>Xuelei Fan:   RSA AlgorithmIdentifier of X.509 Certificate</title><link>http://feedproxy.google.com/~r/javasec/~3/rybXFNFahvY/rsa_algorithmidentifier_of_x_509</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Fri, 12 Jun 2009 00:53:36 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/rsa_algorithmidentifier_of_x_509</guid><description>By far, RSA is a most wide used cryptography algorithm. Both ITU-T
X.509 and IETF PKIX WG define the RSA algorithm identifier, however,
they are not identical.
 

ITU-T X.509[1] defines the algorithm as:

rsa ALGORITHM ::= {
    KeySize
    IDENTIFIED BY  id-ea-rsa
}

KeySize ::= INTEGER

id-ea-rsa OBJECT IDENTIFIER ::= {joint-iso-itu-t(2) ds(5)
 algorithm(8) encryptionAlgorithm(1) rsa(1)} 

While IETF PKIX WG[2] defines the algorithm as:
 rsaPublicKey ALGORITHM-ID ::= { OID rsaEncryption PARMS NULL }

rsaEncryption OBJECT IDENTIFIER ::= {iso(1)...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/rybXFNFahvY" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/rsa_algorithmidentifier_of_x_509</feedburner:origLink></item><item><title>Sean Mullan:   Hope to see you at our Java Security BOF next week at JavaOne</title><link>http://feedproxy.google.com/~r/javasec/~3/AORC7yrEOHY/hope_to_see_you_at</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sean Mullan</dc:creator><pubDate>Fri, 29 May 2009 01:45:15 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/mullan/entry/hope_to_see_you_at</guid><description>Just a reminder that we'll be holding a BOF at this year's JavaOne conference on "New Security Features in JDK™ Releases 6 and 7".&amp;nbsp; It is on Wednesday at 6:45 PM in Gateway 102/103 in the Moscone Center. We plan to have a short presentation on the
latest security features in JDK 6, JDK 7 and JavaFX. Then, we are going to show a demo of the new blacklist mechanism in the just-released JRE 6u14. The remaining time will be for Q&amp;amp;A so please bring
your questions on Java Security as many members of Sun's Java Security team will be on hand to help answer them.&amp;nbsp;&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/AORC7yrEOHY" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/mullan/entry/hope_to_see_you_at</feedburner:origLink></item><item><title>Xuelei Fan:   JSSE Debug Logging With Timestamp</title><link>http://feedproxy.google.com/~r/javasec/~3/adU1_zmE0tI/jsse_debug_logging_with_timestamp</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Fri, 29 May 2009 01:17:16 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/jsse_debug_logging_with_timestamp</guid><description>These days, I was asked about a strange network delay of input/output stream when migrating a TLS protected application to a new platform. The application is built on top of SunJSSE. They enabled debug with option "-Djavax.net.debug=all", however, because there is no timestamp in the debug output, the debug logging was not of much help. 
Is there any way to enable JSSE debug logging with timestamp? Definitely, the answer is YES. It is straightforward.
Firstly, &amp;nbsp;create a class extends PrintStream,and override all println() methods. I used a static nested class here. ...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/adU1_zmE0tI" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/jsse_debug_logging_with_timestamp</feedburner:origLink></item><item><title>Xuelei Fan:   Understanding Self-Issued Certificate</title><link>http://feedproxy.google.com/~r/javasec/~3/D78KDkPxG0Y/undertanding_self_issued_certificate</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Thu, 28 May 2009 02:10:43 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/undertanding_self_issued_certificate</guid><description>Certificate Types 

RFC 5280 categorizes certificates into two classes: CA certificates and end entity certificates, and CA certificates are divided into three classes: cross-certificates, self-issued certificates, and self-signed certificates.

certificate
  +- CA certificate
  |    +- cross-certificate
  |    +- self-issued certificate
  |    +- self-signed certificate
  +- end entity certificate
  

"Cross-certificates are CA certificates in which the issuer and subject are different entities. Cross-certificates describe a trust relationship between the two...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/D78KDkPxG0Y" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/undertanding_self_issued_certificate</feedburner:origLink></item><item><title>Chris Hegarty:   See you at JavaOne</title><link>http://feedproxy.google.com/~r/javasec/~3/M7EBnZaijW8/see_you_at_javaone</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chegar</dc:creator><pubDate>Mon, 25 May 2009 00:50:36 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/chegar/entry/see_you_at_javaone</guid><description>Well it's that time of year again, JavaOne has come around so quickly. This year I'll be co-presenting on BOF-5087: All Things I/O with JDK™ Release 7 with Alan.


I'm happy to have the opportunity to tell you about what we've been up to in the networking area, as well as give an update on the state of SCTP in the JDK. I've also been prototyping a cool way of leveraging SCTP multi-homing without having to change your app. This BOF is a great opportunity to ask questions and discuss any aspects of file or networking I/O. Please come along.&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/M7EBnZaijW8" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/chegar/entry/see_you_at_javaone</feedburner:origLink></item><item><title>Xuelei Fan:   SunJSSE and TLSAES</title><link>http://feedproxy.google.com/~r/javasec/~3/iE2SnZx5wRI/sunjsse_and_tlsaes</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Sat, 23 May 2009 00:16:53 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/sunjsse_and_tlsaes</guid><description>TLSAES&amp;nbsp;defines AES ciphersuites for TLS, and from TLS version 1.1, the AES cipher suites are merged in TLS specification.&amp;nbsp;The AES supports key lengths of 128, 192 and 256 bits. &amp;nbsp;However, the TLSAES specification only defines ciphersuites for 128-bits and 256-bits keys. 
  
In Java security context, there is a important concept, "jurisdiction policy".&amp;nbsp;The JCA framework includes an ability to enforce restrictions regarding the cryptographic algorithms and maximum cryptographic strengths available to applets/applications in different jurisdiction contexts (locations). Any...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/iE2SnZx5wRI" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/sunjsse_and_tlsaes</feedburner:origLink></item><item><title>Xuelei Fan:   FIPS 140 Compliant Mode for SunJSSE</title><link>http://feedproxy.google.com/~r/javasec/~3/huUvThpvIzU/fips_140_compliant_mode_for</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Fri, 22 May 2009 11:06:02 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/fips_140_compliant_mode_for</guid><description>In the&amp;nbsp;Java™ 6 Security Enhancements, it says that "The SunJSSE provider now supports an experimental FIPS 140 compliant mode. &amp;nbsp;When enabled and used in combination with the SunPKCS11 provider and an appropriate FIPS 140 certified PKCS#11 token, SunJSSE is FIPS 140 compliant." &amp;nbsp;Except that, we cannot find any more document on how to enable FIPS mode and how the FIPS mode works with SunJSSE. 
Normally, developers could a few hints from Andreas blog,.&amp;nbsp;The Java PKCS#11 Provider and NSS, althought it is far from enough to understand the FIPS mode of SunJSSE.&amp;nbsp;The following...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/huUvThpvIzU" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/fips_140_compliant_mode_for</feedburner:origLink></item><item><title>Chris Hegarty:   SCTP in Java</title><link>http://feedproxy.google.com/~r/javasec/~3/03jhMrvQQ7A/sctp_in_java</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chegar</dc:creator><pubDate>Tue, 19 May 2009 23:25:33 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/chegar/entry/sctp_in_java</guid><description>Providing support for Stream Control Transport Protocol (SCTP) in
Java has been approved as one of the features
for JDK7, and the work of defining the API and reference
implementation was done through the SCTP
OpenJDK project. This work was integrated into JDK7
Milestone 3 and is
available in all future promotions. 
Brief Introduction to SCTP

The Stream Control Transport Protocol (SCTP) is a reliable,
message-oriented, transport protocol existing at an equivalent level
with UDP (User Datagram Protocol) and TCP (Transmission Control
Protocol). SCTP is session oriented and an association...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/03jhMrvQQ7A" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/chegar/entry/sctp_in_java</feedburner:origLink></item><item><title>Xuelei Fan:   Please remove the unsafe dependence on Permission.toString()</title><link>http://feedproxy.google.com/~r/javasec/~3/3BbwoW46pZY/please_remove_the_dependence_of</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Tue, 12 May 2009 17:31:17 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/please_remove_the_dependence_of</guid><description>Recently,
we made a correction to the implementation of
java.security.Permission.toString(). The specification says, "Returns a
string describing this Permission. The convention is to specify the
class name, the permission name, and the actions in the following
format: '("ClassName" "name" "actions")'."[1] That is, the
specification requires&amp;nbsp;all components, ClassName, name, and actions, to
be enclosed in double quotes, but JDK implementation of this method
ignores this requirement, which returns string without double quotes.
It seems that double quotes make sense, to differentiate...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/3BbwoW46pZY" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/please_remove_the_dependence_of</feedburner:origLink></item><item><title>Max Wang:   Subscribe to a mail list and start replying immediately</title><link>http://feedproxy.google.com/~r/javasec/~3/dVGxABlqEiA/subscribe_to_a_mail_list</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Fri, 24 Apr 2009 23:31:53 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/subscribe_to_a_mail_list</guid><description>Sometimes I browse through archives of a mail list and find some topics very interesting. I subscribe it, but only new messages come to my mail client, and those topics I found interesting initially won't appear anymore. How I wish I can reply to those topics.



If it's also hosted on Google Groups, that's great. Just reply to it there. If you don't want to keep using your Google Account in the discussion, reply with some nonsense in Google Groups, and then reply with your real identity after that nonsense reaches your mail box.



If the list is available on gmane.org, you may be able to...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/dVGxABlqEiA" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/subscribe_to_a_mail_list</feedburner:origLink></item><item><title>Sean Mullan:   Come to our Java Security BOF at JavaOne 2009</title><link>http://feedproxy.google.com/~r/javasec/~3/igLWiO3O-mg/come_to_our_java_security</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sean Mullan</dc:creator><pubDate>Fri, 24 Apr 2009 01:19:08 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/mullan/entry/come_to_our_java_security</guid><description>We'll be holding a BOF at this year's JavaOne conference on "New Security Features in JDK™ Releases 6 and 7". This is sure to be an interesting BOF, as we'll go over all of the latest security features that we have added to JDK 6 and new ones that are targeted for JDK 7. We also plan to show a demo of some of the features. There should be plenty of time for Q&amp;amp;A so please bring your questions on Java Security as many members of Sun's Java Security team will be on hand to help answer them.&amp;nbsp; 
I'll add more details as we get closer to JavaOne.&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/igLWiO3O-mg" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/mullan/entry/come_to_our_java_security</feedburner:origLink></item><item><title>Max Wang:   Fedora 10</title><link>http://feedproxy.google.com/~r/javasec/~3/yOo4chwZUik/fedora_10</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Tue, 21 Apr 2009 18:03:08 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/fedora_10</guid><description>Trying to install it again. Last time (probably F8) it does not support GUI login as a NIS user. GDM hangs.



Hope it's fine now. Will see if it's a better system building OpenJDK.



Update: NIS account can login, no +::: lines needed. However, system goes unstable when trying to change network setting to manual IP. Re grub-install and now back in Ubuntu.



Anyway, OS is there now, might try again someday.&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/yOo4chwZUik" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/fedora_10</feedburner:origLink></item><item><title>Max Wang:   Several Enhancements for JarSigner</title><link>http://feedproxy.google.com/~r/javasec/~3/ODGjqO7WpgI/several_enhancements_for_jarsigner</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Sun, 19 Apr 2009 11:55:31 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/several_enhancements_for_jarsigner</guid><description>There're several enhancements to the jarsigner tool in OpenJDK lately.



First, jarsigner accepts a new option -certchain file to use a certificate chain in an external file. People can using PKCS #11 tokens to store their private keys. Some of these tokens are so small that there's no place to store the certificate chain inside it. Although you can access it with a KeyStore.getInstance("pkcs11"), the getCertificateChain() method returns nothing. Now you can use jarsigner with this kind of tokens, using the token as the keystore, but point your certchain to another file that contains the...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/ODGjqO7WpgI" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/several_enhancements_for_jarsigner</feedburner:origLink></item><item><title>Brad Wetmore:   Would 6 units of band class qualify me for a free JavaOne 2009 pass?</title><link>http://feedproxy.google.com/~r/javasec/~3/ZFKa0sLF6zU/would_6_units_of_band</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brad Wetmore</dc:creator><pubDate>Fri, 17 Apr 2009 13:23:45 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/wetmore/entry/would_6_units_of_band</guid><description>The worst thing about graduating and getting a job in the real world is that all the cool benefits dried up.&amp;nbsp; Student rates on travel, movie passes, food...etc. 
 I just noticed an offer on the J1 web site that appears to allow students (6 units or more) to get a free, FULL JavaOne 2009 conference pass.&amp;nbsp; Even as a Sun employee, I only get a limited pass.&amp;nbsp; Which got me thinking:&amp;nbsp; I'm currently taking a 1 unit music performance class at a local community college.&amp;nbsp; If I sign up for 5 more of these classes, would that qualify? 
Hm...I should check with my manager...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/ZFKa0sLF6zU" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wetmore/entry/would_6_units_of_band</feedburner:origLink></item><item><title>Sean Mullan:   New API to indicate the reason a certificate chain was invalid</title><link>http://feedproxy.google.com/~r/javasec/~3/AFRbwEnW5IM/new_api_to_indicate_the</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sean Mullan</dc:creator><pubDate>Fri, 03 Apr 2009 04:39:42 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/mullan/entry/new_api_to_indicate_the</guid><description>In JDK 7, we have added a new method (getReason) to the java.security.cert.CertPathValidatorException class which returns an object indicating the reason a certificate chain, or CertPath, is invalid. Previously, there was no standard mechanism to determine the reason of failure, and applications had to depend on the exception message or the cause which could vary based on the underlying service provider implementation. 
The getReason method returns an instance of CertPathValidatorException.Reason, which is an interface. There are 2 subclasses of this interface. One is BasicReason which is an...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/AFRbwEnW5IM" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/mullan/entry/new_api_to_indicate_the</feedburner:origLink></item><item><title>Sean Mullan:   New CertificateRevokedException class in JDK 7</title><link>http://feedproxy.google.com/~r/javasec/~3/4AW51KmkoQc/new_certificaterevokedexception_class_in_jdk</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sean Mullan</dc:creator><pubDate>Fri, 27 Mar 2009 01:44:19 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/mullan/entry/new_certificaterevokedexception_class_in_jdk</guid><description>There is a new CertificateRevocationException class in JDK 7 in the java.security.cert package that indicates that an X.509 certificate is revoked and also allows you to determine additional information such as the reason the certificate has been revoked and when it was revoked.&amp;nbsp; The getRevocationReason method returns a CRLReason, which is a new enum class that enumerates the different reasons an X.509 certificate can be revoked, such as compromise of the private key. 
In JDK 7, The Sun PKIX CertPathValidator service provider implementation has been enhanced to throw this exception....&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/4AW51KmkoQc" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/mullan/entry/new_certificaterevokedexception_class_in_jdk</feedburner:origLink></item><item><title>Sean Mullan:   Greetings</title><link>http://feedproxy.google.com/~r/javasec/~3/6jviede-IS0/greetings</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sean Mullan</dc:creator><pubDate>Fri, 20 Mar 2009 05:49:12 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/mullan/entry/greetings</guid><description>Hello everyone. Although I have been with Sun for over 10 years, this is my first blog entry at blogs.sun.com. I already have a blog over at java.net (http://weblogs.java.net/blog/mullan/), but for now I will be posting new entries right here at blogs.sun.com. I may still update my blog at java.net from time to time, or figure out a way to cross-post my entries. 
A little about myself. I work on the Java Security Team and have spent almost 10 years working on the Java SE security technology. I was specification lead of JSR 55 and co-specification lead of JSR 105, both successful APIs that...</description><feedburner:origLink>http://blogs.sun.com/mullan/entry/greetings</feedburner:origLink></item><item><title>Xuelei Fan:   Patch Solaris system from the Command-Line Interface</title><link>http://feedproxy.google.com/~r/javasec/~3/5GW9sEBP-0g/registrater_solaris_from_the_command</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Tue, 24 Feb 2009 23:56:44 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/registrater_solaris_from_the_command</guid><description>It is midnight, and I have to get my Solaris platform patched in order to build an OpenJDK project. I'm working remotely with a no-GUI terminal, so I have to find a command-line approach. Thanks to SunSolve, I find the way at last. Bookmarking them here for reference. Here is a pretty detailed guide[1] on how to register my Solaris system, here is a short summary of the tools used to patch the system[2], and there is a detailed one[3].
[1]:&amp;nbsp;http://sunsolve.sun.com/search/document.do?assetkey=1-9-82688-1&amp;nbsp;...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/5GW9sEBP-0g" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/registrater_solaris_from_the_command</feedburner:origLink></item><item><title>Max Wang:   Another new keytool enhancement: -printcert -sslserver</title><link>http://feedproxy.google.com/~r/javasec/~3/gwjFwF4CT20/another_old_new_keytool_enhancement</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Sun, 22 Feb 2009 15:40:51 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/another_old_new_keytool_enhancement</guid><description>Andreas has written a blog entry on retrieving certificates from an SSL server. Whenever I see someone asking this question on the Java forum I point the user to this entry. Now it's time for this function to be included in keytool.



Call keytool -printcert -sslserver sun.com to see what's shown.



During the implementation of this feature, there were some discussions on how the function should be called. Two topics are most interesting:



What's the function name? At first, the plan is to add a new function to import the certificate into a keystore. The command will look like "-importcert...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/gwjFwF4CT20" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/another_old_new_keytool_enhancement</feedburner:origLink></item><item><title>Max Wang:   keytool enhancements</title><link>http://feedproxy.google.com/~r/javasec/~3/B1dMFvOgy3Y/keytool_enhancements</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Sun, 22 Feb 2009 12:59:12 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/keytool_enhancements</guid><description>There're two enhancements made to keytool today (the doc has not been updated, it's still for JDK 6):
new commands and options
We have 2 new commands: -gencert, -printcertreq and 1 new option -ext. Read the RFE descriptions.



-printcertreq is simply for printing the content of a certificate request. It behaves like the -printcert command, reading a PKCS #10 format cert req from a file or stdin, and does not need a keystore to run with.



-gencert is a big enhancement, which means you can setup a tiny CA now with keytool. The command reads a certificate request from a file (specified by...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/B1dMFvOgy3Y" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/keytool_enhancements</feedburner:origLink></item><item><title>Brad Wetmore:   Extra! Extra! Read all about it! OpenJDK Bugzilla Goes Live!</title><link>http://feedproxy.google.com/~r/javasec/~3/FKHY83Knbdo/extra_extra_read_all_about</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brad Wetmore</dc:creator><pubDate>Fri, 06 Feb 2009 12:50:04 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/wetmore/entry/extra_extra_read_all_about</guid><description>News at 11...or whenever the moderator on "announce at openjdk dot java dot net" approves my message...or just go to:  
http://openjdk.java.net/groups/web/bugzilla.html
  
(Apologies to my younger or international readers if the title of this entry didn't make any sense.)&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/FKHY83Knbdo" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wetmore/entry/extra_extra_read_all_about</feedburner:origLink></item><item><title>Brad Wetmore:   Update on the OpenJDK Bugzilla instance.</title><link>http://feedproxy.google.com/~r/javasec/~3/zPnZxyMjvA8/update_on_the_openjdk_bugzilla</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brad Wetmore</dc:creator><pubDate>Sun, 01 Feb 2009 13:42:26 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/wetmore/entry/update_on_the_openjdk_bugzilla</guid><description>I've recently been leading the effort to get our OpenJDK Bugzilla instance in place, and just wanted to let folks know that we're pretty close. 
I took some time over the last couple days to take a snapshot of what we have and what's planned for the near and somewhat longer future.&amp;nbsp; The short story is that we'll begin by tracking contributions from OpenJDK developers who do not have push rights to the JDK 6 and 7 forests.&amp;nbsp; The next phase will expand the system to track most if not all of the OpenJDK projects under development. 
The longer story is now available on the OpenJDK...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/zPnZxyMjvA8" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wetmore/entry/update_on_the_openjdk_bugzilla</feedburner:origLink></item><item><title>Max Wang:   Small Enhancements to HGrev</title><link>http://feedproxy.google.com/~r/javasec/~3/Oo-EXT29ZPY/small_enhancements_to_hgrev</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Tue, 20 Jan 2009 17:10:45 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/small_enhancements_to_hgrev</guid><description>I've enhanced http://hgrev.appspot.com a little. Now the patch view has links to previous and new codes in raw form, so that you can download it directly to try on your own computer.&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/Oo-EXT29ZPY" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/small_enhancements_to_hgrev</feedburner:origLink></item><item><title>Max Wang:   Who Moved My krb5.ini?</title><link>http://feedproxy.google.com/~r/javasec/~3/qRHma_zdbws/who_moved_my_krb5_ini</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Sun, 18 Jan 2009 18:59:47 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/who_moved_my_krb5_ini</guid><description>Java Kerberos 5, on Windows, looks for a config file named krb5.ini in the Windows directory, and a Windows directory is defined as the return value of the Win32 API GetWindowsDirectory(), which should normally return something like C:&amp;#92;Windows.



But, since Windows Server 2003, something has changed. The Terminal Services Programming Guidelines has these words: In a Terminal Services environment, the Windows directory is guaranteed to be private for each user.



So this means if your (post Windows 2003) system has Terminal Services turned on, Java would look for krb5.ini inside...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/qRHma_zdbws" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/who_moved_my_krb5_ini</feedburner:origLink></item><item><title>Max Wang:   NetBeans C++ is Cool</title><link>http://feedproxy.google.com/~r/javasec/~3/_HBOz32xWng/netbeans_c_is_cool</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Thu, 15 Jan 2009 17:04:08 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/netbeans_c_is_cool</guid><description>Although I use NetBeans a lot writing Java, I've never really tried its C/C++ Pack before. Today I need to read some MIT Kerberos codes. There's a long time I haven't worked heavily on C so I find it quite difficult to find out which function does what and where it's defined. And then, I think of NetBeans, it's very good at parsing Java codes and give you multiple ways to navigate through the method calls and field definitions. How about trying it for C?



So I fire up NetBeans and go download the C/C++ pack. It's a huge 5MB module that takes care of projects, editing, debugging all in one...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/_HBOz32xWng" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/netbeans_c_is_cool</feedburner:origLink></item><item><title>Max Wang:   Picasa for Mac</title><link>http://feedproxy.google.com/~r/javasec/~3/JCnHlqmQgJU/picasa_for_mac</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Wed, 07 Jan 2009 16:23:18 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/picasa_for_mac</guid><description>I'm happy to become a Picasa user again. For the last two years, I use Finder and Preview to take care of all my photos. It's a very difficult job － I leave quite some duplicates here and there, and I dare not edit photos except rotating them. I hate iPhoto, I don't want the files be moved to somewhere else, and I feel bad when I don't know what it's doing and how it stores things.



Now I can do the so-called non-destructive edit again. Picasa for Mac still recognizes all previous edit made in Windows, the Picasa.ini file I mean. It would update the file if you make more edit. When there's...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/JCnHlqmQgJU" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/picasa_for_mac</feedburner:origLink></item><item><title>Max Wang:   OpenSolaris on Bare Metal</title><link>http://feedproxy.google.com/~r/javasec/~3/Y1uNB6amw1Y/opensolaris_on_bare_metal</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Tue, 06 Jan 2009 13:50:45 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/opensolaris_on_bare_metal</guid><description>Finally I decide to install OpenSolaris on the bare metal, and probably use it as a nightly build machine.

Create a USB installer using usbcopy
Boot from this USB disk and install
Reboot, disable network/physical:nwam, enable multicast and network/physical:default, call sys-unconfig
Reconfigure the machine
Reboot again

I hadn't enabled/disabled the services the first time I ran sys-unconfig, and the machine could not reboot, complaining that avahi-bridge-dsd could not start. Fortunately I could log in to single-user mode and do that again.



I'm learning how to give more privileges to my NIS user...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/Y1uNB6amw1Y" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/opensolaris_on_bare_metal</feedburner:origLink></item><item><title>Xuelei Fan:   Understanding TLS protocol -- Client Certificate URLs</title><link>http://feedproxy.google.com/~r/javasec/~3/VpYlXsySaa0/understanding_tls_protocol_client_certificate</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Mon, 29 Dec 2008 16:21:57 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/understanding_tls_protocol_client_certificate</guid><description>For better understanding TLS protocol extensions, I draw a few sequence diagrams of TLS handshaking with extension, and marked the differences from the normal handshaking processes. Share them now.&amp;nbsp;For legible image, please open the following image in new page or download the raw image from&amp;nbsp;here. 
&amp;nbsp;&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/VpYlXsySaa0" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/understanding_tls_protocol_client_certificate</feedburner:origLink></item><item><title>Xuelei Fan:   Understanding TLS protocol -- Certificate Status Request</title><link>http://feedproxy.google.com/~r/javasec/~3/sMirZtZeYEM/understanding_tls_protocol_certificate_status</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Mon, 29 Dec 2008 16:07:24 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/understanding_tls_protocol_certificate_status</guid><description>For better understanding TLS protocol extensions, I draw a few sequence diagrams of TLS handshaking with extension, and marked the differences from the normal handshaking processes. Share them now.&amp;nbsp;For legible image, please open the following image in new page or download the raw image from&amp;nbsp;here. 
&amp;nbsp;&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/sMirZtZeYEM" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/understanding_tls_protocol_certificate_status</feedburner:origLink></item><item><title>Xuelei Fan:   Understanding TLS protocol -- Maximum Fragment Length Negotiation</title><link>http://feedproxy.google.com/~r/javasec/~3/DzrxZ26hOHE/understanding_tls_protocol_maximum_fragment</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Mon, 29 Dec 2008 16:02:24 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/understanding_tls_protocol_maximum_fragment</guid><description>For better understanding TLS protocol extensions, I draw a few sequence diagrams of TLS handshaking with extension, and marked the differences from the normal handshaking processes. Share them now.&amp;nbsp;For legible image, please open the following image in new page or download the raw image from&amp;nbsp;here. 
&amp;nbsp;&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/DzrxZ26hOHE" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/understanding_tls_protocol_maximum_fragment</feedburner:origLink></item><item><title>Xuelei Fan:   Understanding TLS protocol -- Truncated HMAC</title><link>http://feedproxy.google.com/~r/javasec/~3/PpY5jT_kfHE/understanding_tls_protocol_truncated_hmac</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Mon, 29 Dec 2008 15:56:19 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/understanding_tls_protocol_truncated_hmac</guid><description>For better understanding TLS protocol extensions, I draw a few sequence diagrams of TLS handshaking with extension, and marked the differences from the normal handshaking processes. Share them now.&amp;nbsp;For legible image, please open the following image in new page or download the raw image from&amp;nbsp;here. 
&amp;nbsp;&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/PpY5jT_kfHE" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/understanding_tls_protocol_truncated_hmac</feedburner:origLink></item><item><title>Xuelei Fan:   Understanding TLS protocol -- Trusted CA Indication</title><link>http://feedproxy.google.com/~r/javasec/~3/u6TEycYyuLw/understanding_tls_protocol_trusted_ca</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Mon, 29 Dec 2008 15:52:51 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/understanding_tls_protocol_trusted_ca</guid><description>For better understanding TLS protocol extensions, I draw a few sequence diagrams of TLS handshaking with extension, and marked the differences from the normal handshaking processes. Share them now.&amp;nbsp;For legible image, please open the following image in new page or download the raw image from&amp;nbsp;here. 
&amp;nbsp;&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/u6TEycYyuLw" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/understanding_tls_protocol_trusted_ca</feedburner:origLink></item><item><title>Xuelei Fan:   Understanding TLS protocol -- Server Name Indication</title><link>http://feedproxy.google.com/~r/javasec/~3/8K92DiZizkI/understanding_tls_protocol_server_name</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Mon, 29 Dec 2008 15:42:47 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/understanding_tls_protocol_server_name</guid><description>For better understanding TLS protocol extensions, I draw a few sequence diagrams of TLS handshaking with extension, and marked the differences from the normal handshaking processes. Share them now.&amp;nbsp;For legible image, please open the following image in new page or download the raw image from&amp;nbsp;here. 
&amp;nbsp;&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/8K92DiZizkI" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/understanding_tls_protocol_server_name</feedburner:origLink></item><item><title>Brad Wetmore:   You can teach a somewhat older dog new tricks-OpenSolaris 2008.11: Wow!</title><link>http://feedproxy.google.com/~r/javasec/~3/w7lT_rRbefw/you_can_teach_a_somewhat</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brad Wetmore</dc:creator><pubDate>Thu, 18 Dec 2008 13:30:16 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/wetmore/entry/you_can_teach_a_somewhat</guid><description>Way back in grad school (early 90's), I was called in to assist in the investigation of an internet porn exchange ring.&amp;nbsp; The ring was using some unsecured FTP servers belonging to our state's government.&amp;nbsp; Our team finished our initial assessment and called in the State Police to report our findings.&amp;nbsp; I will never forget that day as long as I live.&amp;nbsp; I said, "Yes, you've got a problem" and brought up one of the tamer images.&amp;nbsp; This career cop was two years away from retirement, and he just rolled his eyes and said "I'm too old for this, I don't get this new technology."...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/w7lT_rRbefw" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wetmore/entry/you_can_teach_a_somewhat</feedburner:origLink></item><item><title>Max Wang:   mechListMIC in SPNEGO</title><link>http://feedproxy.google.com/~r/javasec/~3/jaSiLvZlXI4/mechlistmic_in_spnego</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Tue, 16 Dec 2008 11:37:36 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/mechlistmic_in_spnego</guid><description>I try hard to understand when should mechListMIC be generated in SPNEGO, but still find the specification (RFC 4178) 
confusing. I'd like to interpret it this way:

 If the chosen mech is the first one in the list, don't bother to create it
 Generate the MIC whenever you think you can do it, i.e. mech's isEstablished() is true
 Respond to a MIC whenever you receive one

In case you believe the incoming token should have the MIC but it hasn't, if it's already marked COMPLETE, you go COMPLETE also. Otherwise, it may be expecting a MIC from you, either create the MIC and send back, or send back...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/jaSiLvZlXI4" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/mechlistmic_in_spnego</feedburner:origLink></item><item><title>Brad Wetmore:   Consolidation of the JSN and TL gates.</title><link>http://feedproxy.google.com/~r/javasec/~3/BCwWshCN-x4/consolidation_of_the_jsn_and</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brad Wetmore</dc:creator><pubDate>Wed, 12 Nov 2008 07:54:40 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/wetmore/entry/consolidation_of_the_jsn_and</guid><description>For the last 4 years, I've been the "Gatekeeper" for the Java Security and Network (JSN) team.&amp;nbsp; Gatekeepers are those under-appreciated but highly necessary folks who make sure that new changes work, and play nicely with what's already there.&amp;nbsp; We're only as good as our test cases, but not all developers are as diligent about running everything that's available.
  
A month ago, I was asked to take on a project to support the OpenJDK project. In order to free up time, we decided to decommission the JSN gate, and transition the JSN developers to the Tools and Libraries (TL) gate...</description><feedburner:origLink>http://blogs.sun.com/wetmore/entry/consolidation_of_the_jsn_and</feedburner:origLink></item><item><title>Xuelei Fan:   Understanding TLS protocol -- connection states</title><link>http://feedproxy.google.com/~r/javasec/~3/bZ1eXUP_I50/understanding_tls_protocol_connection_states</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Mon, 22 Sep 2008 20:33:30 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/understanding_tls_protocol_connection_states</guid><description>This is the TLS connection states diagram. It is not a standard UML state diagram, but I think it helps to illustrate the connection state clearly.</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/understanding_tls_protocol_connection_states</feedburner:origLink></item><item><title>Xuelei Fan:   Understanding TLS protocol -- handshaking renew</title><link>http://feedproxy.google.com/~r/javasec/~3/BVv7D2RKejk/understanding_tls_protocol_handshaking_renew</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Mon, 22 Sep 2008 20:18:48 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/understanding_tls_protocol_handshaking_renew</guid><description>For better understanding TLS protocol, I draw a few sequence diagrams of TLS handshaking, along with the connection states.
Share them now.&amp;nbsp;This is the sequence diagram of&amp;nbsp;handshaking renew, for legible image, please open the following image in new page or download it from here. 
&amp;nbsp;&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/BVv7D2RKejk" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/understanding_tls_protocol_handshaking_renew</feedburner:origLink></item><item><title>Xuelei Fan:   Understanding TLS protocol -- handshaking resume</title><link>http://feedproxy.google.com/~r/javasec/~3/VeVDQBGqvc0/understanding_tls_protocol_handshaking_resume</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Mon, 22 Sep 2008 20:18:37 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/understanding_tls_protocol_handshaking_resume</guid><description>For better understanding TLS protocol, I draw a few sequence diagrams of TLS handshaking, along with the connection states. Share them now. This is the sequence diagram of handshaking resume,&amp;nbsp;for legible image, please open the following image in new page or download it from here. 
&amp;nbsp;&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/VeVDQBGqvc0" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/understanding_tls_protocol_handshaking_resume</feedburner:origLink></item><item><title>Xuelei Fan:   Understanding TLS protocol -- handshaking kickoff</title><link>http://feedproxy.google.com/~r/javasec/~3/BT4fiE8K80I/understanding_tls_protocol_1</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Mon, 22 Sep 2008 20:18:25 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/understanding_tls_protocol_1</guid><description>For better understanding TLS protocol, I draw a few sequence diagrams of TLS handshaking, along with the connection states. Share them now. This is the sequence diagram of&amp;nbsp;handshaking kickoff,&amp;nbsp;for legible image, please open the following image in new page or download it from&amp;nbsp;here. 
&amp;nbsp;&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/BT4fiE8K80I" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/understanding_tls_protocol_1</feedburner:origLink></item><item><title>Max Wang:   Mark Bristow, Today's Gold Medalist</title><link>http://feedproxy.google.com/~r/javasec/~3/oSLwq-1yxeU/mark_bristow</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Mon, 08 Sep 2008 19:08:15 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/mark_bristow</guid><description>Silicon Valley? That's Sun Microsystems.



Congratulations!&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/oSLwq-1yxeU" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/mark_bristow</feedburner:origLink></item><item><title>Max Wang:   LiveCD of OpenSolaris in VMWare</title><link>http://feedproxy.google.com/~r/javasec/~3/EEIXimbxgLs/livecd_of_opensolaris_in_vmware</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Mon, 25 Aug 2008 13:51:22 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/livecd_of_opensolaris_in_vmware</guid><description>Normally I don't like running an OS as a LiveCD on a bare metal machine because accessing CD-ROM is too slow and makes very big noises. However as a VMWare guest, since the CD-ROM is in fact an ISO file on the hard disk, I guess the speed should be quite fast, I'm quite happy to only run it on the LiveCD.



So I create a new virtual machine with two CD-ROM drives, put the LiveCD in the 1st one and the VMTools into the 2nd. When the system CD boots up, I will be able to install VMTools from the 2nd CD.



This works quite fine for Ubuntu and the VMTools is installed correctly. But for...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/EEIXimbxgLs" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/livecd_of_opensolaris_in_vmware</feedburner:origLink></item><item><title>Max Wang:   F9 (Compile) for NetBeans Missing</title><link>http://feedproxy.google.com/~r/javasec/~3/Fr7bymuwLyo/f9_compile_for_netbeans_missing</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Sun, 03 Aug 2008 14:28:30 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/f9_compile_for_netbeans_missing</guid><description>Just downloaded the latest DEV version of NetBeans, haven't done it for several weeks.



One thing that confuses me is that F9 does not seem to work for individual files in a Java project anymore. Pressing F9 has no impact, the edited Java file still shows an asterisk sign in the editor pane header, still dirty, not even saved. Looking at the right mouse menu of the file, the compile item is grayed not completely.



Strange, isn't it? Then I suddenly realized this might be because of the newly introduced compile-on-save feature. I try to add some runtime error into my Java file and save...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/Fr7bymuwLyo" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/f9_compile_for_netbeans_missing</feedburner:origLink></item><item><title>Max Wang:   my webrev experiment: public, interactive and easy</title><link>http://feedproxy.google.com/~r/javasec/~3/ECj100aA4Dc/my_webrev_experiment_public_interactive</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Wed, 11 Jun 2008 14:27:10 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/my_webrev_experiment_public_interactive</guid><description>Inside Sun, we use webrev to do code reviews, you can see an example here.



Well, there're several reasons I don't like webrev very much:

It's a pile of static files, you must first create them, and upload them to a public website (possibly one by one).
It used to be a nice archive of what you've done, but now in Mercurial we already have changesets.
It includes no interactive review process 
OK, only the first reason is real. I just cannot resist the temptation to create a list.



Recently I've done some experiments on creating a new review style which is meant to be:

Public, the patch...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/ECj100aA4Dc" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/my_webrev_experiment_public_interactive</feedburner:origLink></item><item><title>Max Wang:   location.replace</title><link>http://feedproxy.google.com/~r/javasec/~3/VKTMbNRRH8M/location_replace</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Wed, 04 Jun 2008 11:46:50 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/location_replace</guid><description>Just write a long web page using location.replace to move around to different corners of it. Find out these incompatibilities between different browsers:

Firefox is fine
Opera and WebKit save a history item for each replace call, which I don't like
IE is not aware of javascript-generated anchors&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/VKTMbNRRH8M" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/location_replace</feedburner:origLink></item><item><title>Brad Wetmore:   He Is He, Don Quixote: The Lord of La Mancha!</title><link>http://feedproxy.google.com/~r/javasec/~3/jPATyI1mHl8/he_is_he_don_quixote</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brad Wetmore</dc:creator><pubDate>Tue, 03 Jun 2008 09:02:35 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/wetmore/entry/he_is_he_don_quixote</guid><description>Folks have been asking what I'm up to outside of work.&amp;nbsp; Way too many things for one blog entry, so I'll focus on the most recent.
 
As you may know, one of the things I'm quite passionate about is music and performance. I'd started with church choirs, but I'd say I got really passionate about music in 5th grade, when I had to choose an instrument for the school band. I can't believe how practical I was back then: I asked myself what instrument(s) will allow me to do the most types of music. (pretty impressive for a 5th grader, no?) The answer was obvious: ...</description><feedburner:origLink>http://blogs.sun.com/wetmore/entry/he_is_he_don_quixote</feedburner:origLink></item><item><title>Max Wang:   SSH with Kerberos? No!</title><link>http://feedproxy.google.com/~r/javasec/~3/y0GGopx-S_k/ssh_with_kerberos_no</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Sun, 25 May 2008 20:31:47 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/ssh_with_kerberos_no</guid><description>In the last few days, my SSH connection from home to office has been very, very slow. However, when it's connected, the speed is not so bad. After some -vvv debugging, it seems the SSH client wastes a lot of time before showing a line "Cannot resolve network address for KDC in requested realm". What? SSH is using Kerberos? That's bad.



Well I have done some Kerberos programming jobs recently on this computer, but I never meant to tell SSH to use it. Finally I add these 2 lines into ~/.ssh/config, and now it's much faster.

Host *
GSSAPIKeyExchange no</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/ssh_with_kerberos_no</feedburner:origLink></item><item><title>Max Wang:   NetBeans with SoyLatte: The Missing Menu Items</title><link>http://feedproxy.google.com/~r/javasec/~3/De9DOtxJltE/netbeans_with_soylatte</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Fri, 23 May 2008 18:20:16 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/netbeans_with_soylatte</guid><description>If you also use SoyLatte to run NetBeans, you'll notice that there's no menu items for Exit, About and Options. Normally, Mac programs put them into the application name menu. With SoyLatte, NetBeans runs in the X11 window environment, where the application menu belongs to X11.app.



This is how I add them, the easiest way:

Open the Tools | Plugins dialog, select the Setting tab, and click "Proxy Settings"
Options dialog appears, click "Advanced Options" at the lower left corner
Expand "IDE Configuration | Look and Feel | Actions", locate "System | Exit", "Help | About" and "Window...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/De9DOtxJltE" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/netbeans_with_soylatte</feedburner:origLink></item><item><title>Max Wang:   cronjobs on Ubuntu</title><link>http://feedproxy.google.com/~r/javasec/~3/_IvuTo0L99Y/cronjobs_on_ubuntu</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Thu, 22 May 2008 13:18:31 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/cronjobs_on_ubuntu</guid><description>There's some network problems in the office, and my cron jobs are interrupted. In syslog, after the last successful CRON call of my job (at May 21 21:58:01), I see one hour of "CRON[4428]: User not known to the underlying authentication module", and after that my cron jobs never appears in the log anymore. That's about 36 hours ago. Yesterday I've been working using this account on this machine for the whole day, so there's no authentication problem anymore. It seems cron just never resumed from the failure.



Have to run "sudo /etc/init.d/cron restart".



BTW, the account is a NIS one. The...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/_IvuTo0L99Y" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/cronjobs_on_ubuntu</feedburner:origLink></item><item><title>Max Wang:   Edit HTML in Google Docs</title><link>http://feedproxy.google.com/~r/javasec/~3/x6sIfEaOKzM/edit_html_in_google_docs</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Thu, 22 May 2008 12:29:24 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/edit_html_in_google_docs</guid><description>Just tried "Edit HTML..." of Google Docs. Ouch! I haven't seen this fat ugly HTML for a long time ever since I saved as HTML in Word 97 ten years ago.&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/x6sIfEaOKzM" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/edit_html_in_google_docs</feedburner:origLink></item><item><title>Max Wang:   hg clone on NFS</title><link>http://feedproxy.google.com/~r/javasec/~3/K838JN1UUpY/hg_clone_on_nfs</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Wed, 21 May 2008 16:37:12 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/hg_clone_on_nfs</guid><description>"hg clone" is very very fast if the target volume is a local disk. If it's on NFS, even if it's on a very very fast LAN, the speed degrades to less than 1/10. 
I guess it's because hg does huge amount of tiny writes.&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/K838JN1UUpY" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/hg_clone_on_nfs</feedburner:origLink></item><item><title>Max Wang:   JSR 277 on modularity: JAM Hell?</title><link>http://feedproxy.google.com/~r/javasec/~3/YgJAgFzkeqU/jsr_277_on_modularity_jam</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Mon, 19 May 2008 16:56:39 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/jsr_277_on_modularity_jam</guid><description>I'm not an optimist, so when I read the JavaOne TS-6185 paper on JSR 277 and see the line "No more JAR hell", I simply ask myself: Will there be JAM hell? Soon?



Real computer scientists out there, please prove that either "DLL Hell" or "Assembly Hell" or "JAR Hell" is simply inevitable, every solution that claims to solve them is simply trying to hide the problem.



I'm not a CS major, so please correct me if I'm wrong.&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/YgJAgFzkeqU" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/jsr_277_on_modularity_jam</feedburner:origLink></item><item><title>Max Wang:   Nice IE</title><link>http://feedproxy.google.com/~r/javasec/~3/oRyYaNcTnps/nice_ie</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Mon, 19 May 2008 00:25:18 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/nice_ie</guid><description>For the first time, I'm appreciating IE, for its adding of filter:gray CSS property.



Thank you.&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/oRyYaNcTnps" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/nice_ie</feedburner:origLink></item><item><title>Max Wang:   Direct Internet Access in Office</title><link>http://feedproxy.google.com/~r/javasec/~3/wDKIhjF-Ijw/direct_internet_access_in_office</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Mon, 19 May 2008 00:21:56 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/direct_internet_access_in_office</guid><description>Last Saturday, I found unable to SSH into my Linux box in the office, turns out we had a network upgrade at the weekend, and the NIS server's IP address got changed. I had placed static IP into /etc/yp.conf, therefore, a failure.



Fixed the error this morning and it connects again. Another change is that DIA (Direct Internet Access) is now enabled. Solaris can ping external hosts directly. For Linux, update the hosts line in /etc/nsswitch.conf to hosts: nis files dns mdns.</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/direct_internet_access_in_office</feedburner:origLink></item><item><title>Max Wang:   Silence</title><link>http://feedproxy.google.com/~r/javasec/~3/f7VaVUW1N58/silence</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Sun, 18 May 2008 16:26:24 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/silence</guid><description>Two minutes later, 14:28 Chinese time, exactly seven days after the earthquake in Wenchuan, there will be a three-minute silence all over China. Stand up!</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/silence</feedburner:origLink></item><item><title>Max Wang:   Wireshark Brings Down the Network?</title><link>http://feedproxy.google.com/~r/javasec/~3/i-RrAEl-IWw/wireshark_brings_down_the_network</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Mon, 12 May 2008 20:00:07 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/wireshark_brings_down_the_network</guid><description>I'm writing some network-related code now and would like to use Wireshark to see what's going on.



It's strange that anytime I start wireshark (using "sudo wireshark" to see the NICs) and press the capture button, the wireless network is brought down. The wireless menu icon goes gray, and when I try to reconnect, it reports a failure. However, I can turn AirPort Off and turn it on again to connect to the network again, and Wireshark works fine.



No idea why. I'm using Mac OS X 10.4.11 and Wireshark 0.99.7 with libpcap 0.9.4.&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/i-RrAEl-IWw" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/wireshark_brings_down_the_network</feedburner:origLink></item><item><title>Max Wang:   I Love This OpenSolaris</title><link>http://feedproxy.google.com/~r/javasec/~3/Cv-zSioHzr8/i_love_this_opensolaris</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Mon, 12 May 2008 18:40:13 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/i_love_this_opensolaris</guid><description>Yesterday evening I spend some time playing with the newly released OpenSolaris 2008.05 CD-ROM, and it's just so amazing!



I don't have a PC at home (not exactly, read the end of this post), so I try it out on my wife's ThinkPad notebook (she would not allow me to install a new OS there). Everything works so fine, although I don't like the continuous humming from the CD-ROM drive.



I feel satisfied at these points especially:

Nice network support. It automatically find the wireless card, detect the access points, and ask me to choose one. After I choose one, and enter the password, it...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/Cv-zSioHzr8" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/i_love_this_opensolaris</feedburner:origLink></item><item><title>Max Wang:   IP addresses with VPN, and "kinit -xa"</title><link>http://feedproxy.google.com/~r/javasec/~3/_cyspjKOsHQ/ip_addresses_with_vpn_and</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Wed, 07 May 2008 16:25:19 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/ip_addresses_with_vpn_and</guid><description>I'm working from home now, connecting to the office network thru VPN. Running 'ifconfig -a' does not show the IP address for the VPN, although I can find it by using "who" in a SSH session into a office machine or simply look at the Shimo statistics pane.



But here comes a problem: Java's Kerberos uses the following method to fill addresses into the AS-REQ message when requesting the initial TGT from a KDC (which is in the office):

InetAddress.getAllByName(InetAddress.getLocalHost().getHostName())

and it cannot find the VPN IP. So if I use this TGT to request for a service ticket, an...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/_cyspjKOsHQ" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/ip_addresses_with_vpn_and</feedburner:origLink></item><item><title>Max Wang:   Get Off the Stage! You Kindle Idiot.</title><link>http://feedproxy.google.com/~r/javasec/~3/ZUMZJ2CrgXk/get_off_the_stage_you</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Tue, 06 May 2008 12:19:08 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/get_off_the_stage_you</guid><description>I'm watching the replay of the first JavaOne General Session, and see this Kindle guy joining Rich Green on the stage, taking out his black and white book reader, demonstrating how stupidly easy it is to buy books online. After showing several Java books, quite carelessly, or at least it seems so, he shows another book, with the sketch of this man, of whom he speaks out the name on the stage:


Dalai Lama.



OK, so this guy hijacks a technical conference for 2 seconds because of his political bias and passionate love for a monk. He must be quite proud of living in a modern world and knows...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/ZUMZJ2CrgXk" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/get_off_the_stage_you</feedburner:origLink></item><item><title>Max Wang:   VirtualBox 1.6's Network Problem</title><link>http://feedproxy.google.com/~r/javasec/~3/8t0TWj7uhQ8/virtualbox_1_6_s_network</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">wangwj</dc:creator><pubDate>Mon, 05 May 2008 12:47:45 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/wangwj/entry/virtualbox_1_6_s_network</guid><description>Just upgrade to 1.6, all guests started but cannot talk to each other. They were connected into a shared "Internal Network" but now seems torn apart. XP cannot get a DHCP IP address from KDC. Even it's configured a static address, it cannot ping KDC.



I'll try to create another Internal Network and put them into this new one, hope this can solve the problem.



Update (2:18pm): Does not work. I finally reinstall version 1.56 and now they are running. I am a little suspect about what the issue really is. Because even after I install 1.56, the IP addresses go wrong once too. Anyway, for 1.56,...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/8t0TWj7uhQ8" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wangwj/entry/virtualbox_1_6_s_network</feedburner:origLink></item><item><title>Brad Wetmore:   I Have Met "The Man," and The Tail Will Not Be Pretty.</title><link>http://feedproxy.google.com/~r/javasec/~3/9P6DK9IbI70/i_have_met_the_man</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brad Wetmore</dc:creator><pubDate>Wed, 05 Mar 2008 06:53:40 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/wetmore/entry/i_have_met_the_man</guid><description>&amp;nbsp;I love "dives."&amp;nbsp; You know those places that you look at from the outside, and say..."hmm..."&amp;nbsp; But with lines out the door, you know they must be doing something right.&amp;nbsp; Once you get inside, you know there's something special going on in the kitchen.&amp;nbsp; My wife has always accused me of taking her to only the "finest" establishments, but this one almost killed her. 
A little backstory:&amp;nbsp;&amp;nbsp;As my little brother was graduating from college, he was seduced by the Dark Side and moved to Redmond Washington to work for the large unnamed software company based...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/9P6DK9IbI70" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wetmore/entry/i_have_met_the_man</feedburner:origLink></item><item><title>Brad Wetmore:   Leave me alone, I'm on vacation!</title><link>http://feedproxy.google.com/~r/javasec/~3/IGNSDRjJVb8/leave_me_alone_i_m</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brad Wetmore</dc:creator><pubDate>Thu, 14 Feb 2008 09:02:14 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/wetmore/entry/leave_me_alone_i_m</guid><description>I've got no qualms about giving my all when I'm working.&amp;nbsp; I've done the long days, the long nights, the long weekends.&amp;nbsp; But when I officially pull the plug and go on vacation, I expect to be able to leave Sun behind, and enjoy some well-deserved time off without any reminders of what I do the rest of the year.&amp;nbsp; 

 I don't think that's too much to ask.&amp;nbsp; But have you ever tried to unplug yourself completely when you work for a "network" company like Sun?&amp;nbsp; 
I first noticed it on a trip to Nepal.&amp;nbsp; I had just finished a rather stressful project, and was glad to be...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/IGNSDRjJVb8" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wetmore/entry/leave_me_alone_i_m</feedburner:origLink></item><item><title>Brad Wetmore:   "You're a...Gatekeeper? Uh huh. What's a Gatekeeper?"</title><link>http://feedproxy.google.com/~r/javasec/~3/tXBjISUyWj0/you_re_a_gatekeeper_uh</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brad Wetmore</dc:creator><pubDate>Mon, 11 Feb 2008 07:12:41 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/wetmore/entry/you_re_a_gatekeeper_uh</guid><description>(You might want to read Kelly O'Hair's "OpenJDK Mercurial Wheel" blog entry before reading this.) 
Besides my normal job as a developer in the Java Security and Networking (JSN) and&amp;nbsp; the Java Tools/Libraries (TL) groups, I have been tasked from time to time as the "Gatekeeper" (also known as an "Integrator") for the JSN group.&amp;nbsp; Some of you have asked on the IRC channel #openjdk, "What's a Gatekeeper?"&amp;nbsp; Good question.&amp;nbsp; Ask any of the N gatekeepers, and you'll get N different answers.
Since I'm a musician by night, I had to distill it down to a song that's been running...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/tXBjISUyWj0" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wetmore/entry/you_re_a_gatekeeper_uh</feedburner:origLink></item><item><title>Brad Wetmore:   Nice Overview for Getting Started with OpenJDK</title><link>http://feedproxy.google.com/~r/javasec/~3/WUYqHdE96jw/nice_overview_for_getting_started</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brad Wetmore</dc:creator><pubDate>Mon, 11 Feb 2008 07:08:35 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/wetmore/entry/nice_overview_for_getting_started</guid><description>Lars Westergren posted an article in his blog about what the OpenJDK project is and how it works.&amp;nbsp; I found it to be a great overview, as he did a nice job on culling information from various sources and presenting it in a very coherent manner.&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/WUYqHdE96jw" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/wetmore/entry/nice_overview_for_getting_started</feedburner:origLink></item><item><title>Chris Hegarty:   California Superbike School - Mondello</title><link>http://feedproxy.google.com/~r/javasec/~3/fdFcozrm5nU/california_superbike_school_mondello</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chegar</dc:creator><pubDate>Fri, 07 Sep 2007 02:00:40 PDT</pubDate><guid isPermaLink="false">http://blogs.sun.com/chegar/entry/california_superbike_school_mondello</guid><description>Here are some pics of the California Superbike School
I took part in at Mondello
race track.</description><feedburner:origLink>http://blogs.sun.com/chegar/entry/california_superbike_school_mondello</feedburner:origLink></item><item><title>Xuelei Fan:   Fine granularity diagnosis on security</title><link>http://feedproxy.google.com/~r/javasec/~3/oFYm80mhDZ4/fine_granularity_diagnosis_on_security</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Thu, 09 Nov 2006 23:38:12 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/fine_granularity_diagnosis_on_security</guid><description>You're supposed to be familiar with the java.security.debug property; otherwise, please refer to the sample chapter of "Java Security". 
Before Java 6, if the security debug property, java.security.debug, is enabled, a large volume of debug output will be dumped. For example, if java.security.debug is defined as access:stack, the stack will be dumped every time a permission is checked. Even for a simple application, the output normally runs over several pages. In server products, such as Sun Web Server and App Server, the amount of output is overwhelming; analyzing it manually is a...</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/fine_granularity_diagnosis_on_security</feedburner:origLink></item><item><title>Xuelei Fan:   keystore alias -- case sensitive or not</title><link>http://feedproxy.google.com/~r/javasec/~3/lQtDKUihbdc/keystore_alias_case_sensitive_or</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">XueLei.Fan</dc:creator><pubDate>Sun, 12 Mar 2006 22:50:51 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/xuelei/entry/keystore_alias_case_sensitive_or</guid><description>A KeyStore manages different types of entries, including cryptographic keys and certificates. Each entry in a keystore is identified by an "alias" string.

Before Java SE 6, the Java spec didn't declare whether the alias should be case sensitive or not. As a result, implementations differ: as far as I know, the Bouncy Castle Crypto package treats the keystore alias as case-sensitive data, while the Sun and IBM providers regard it as case-insensitive for "JKS/JCEKS/PKCS12" keystores. However, with the support of the PKCS11 key store, because of the PKCS#11 specification, the keystore alias is case sensitive for...</description><feedburner:origLink>http://blogs.sun.com/xuelei/entry/keystore_alias_case_sensitive_or</feedburner:origLink></item><item><title>Chris Hegarty:   HTTP Keep-Alive improvements.</title><link>http://feedproxy.google.com/~r/javasec/~3/-nJTBvkhR0c/http_keep_alive_improvements</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chegar</dc:creator><pubDate>Tue, 14 Feb 2006 23:01:02 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/chegar/entry/http_keep_alive_improvements</guid><description>HttpURLConnection, as an HTTP 1.1 client, has a built-in keep-alive implementation to handle persistent connections. This has been around in previous releases, but mustang beta brings one significant improvement to this: the ability to reuse connections where not all of the response body has been read. This issue was at one time in the top 10 of the top 25 Bugs, with 117 votes against it. 
We have implemented an asynchronous cleanup of unread response body from the underlying socket. So if the InputStream is closed before all of the response body is read, its underlying TCP connection is put...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/-nJTBvkhR0c" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/chegar/entry/http_keep_alive_improvements</feedburner:origLink></item><item><title>Chris Hegarty:   Diagnosing DeleteOnExit Issues.</title><link>http://feedproxy.google.com/~r/javasec/~3/0zd5viXBoHA/diagnosing_deleteonexit_issues</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chegar</dc:creator><pubDate>Mon, 06 Feb 2006 00:04:17 PST</pubDate><guid isPermaLink="false">http://blogs.sun.com/chegar/entry/diagnosing_deleteonexit_issues</guid><description>Based on a peabody contribution by Matthias
File.deleteOnExit was re-implemented in mustang b63 and now uses java level shutdown hooks. Previously there was a native implementation that registered filenames to be deleted at exit in a native linked list type structure and which was called during the vm exit to do the cleanup. Diagnosing issues where excessive use of deleteOnExit was causing OutOfMemoryErrors was very difficult as the list was held in native heap. 
The re-implementation of deleteOnExit using java level shutdown hooks has several benefits:
 
A file name is only added once to the...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/0zd5viXBoHA" height="1" width="1"/&gt;</description><feedburner:origLink>http://blogs.sun.com/chegar/entry/diagnosing_deleteonexit_issues</feedburner:origLink></item></channel></rss>
