I have just encountered the same problem. Took some time to find out why the SSL connection times out during the handshake.
The question would be "How do I make the Sun JSSE implementation not do those forward and reverse name lookups?"
I don't know whether other SSL implementations have the same behaviour or are more configurable. Still, worth a look I guess.
I have customers hitting this exact same issue. They are unwilling to put the host names within DNS or host files due to security constraints/policies. Unless there is a way to suppress the reverse lookups, I'll have to just wait for the timeout. I'll need to explain to them that it's a Sun problem that is not avoidable.
Since these are fortune 500 customers (current/potential Sun customers) and I really like Sun, it would be desirable to avoid this situation.
Could someone from Sun please respond?
As far as I know, there is no security reason for doing the reverse lookup.
I believe the reverse lookup is performed deep in the Java SecurityManager, not JSSE.
I do not have a SecurityManager installed.
Sorry, deep in the Sockets code.
Apart from whatever reason obtains there, the security reason for performing a reverse DNS lookup in SSL forms part of hostname verification.
ejp wrote: Seems wrong to me. DNS lookups, reverse or otherwise, have no role in either TLS/SSL or HTTP over TLS, according to the RFCs. Furthermore, even if the reverse DNS lookup results in a different hostname, if the rfc2818 hostname checking is performed correctly the connection is secure. The reverse lookup is just another vector for DoS attacks since DNS itself is not secure.
...the security reason for performing a reverse DNS lookup in SSL forms part of hostname verification.
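As an added illustration of the RFC 2818 check that the posts above argue about (example code, not from any poster in this thread), here is the name-matching step in Python against a constructed certificate in the shape that Python's ssl.getpeercert() returns. It compares the host the client asked for with the certificate's dNSName, iPAddress and commonName identities and never resolves anything, which is why a reverse lookup returning a different name cannot change the result. The wildcard rule (one label only) follows the stricter reading later codified in RFC 6125.

```python
import ipaddress

def _match_dns(pattern, hostname):
    """dNSName matching per RFC 2818 s.3.1: case-insensitive, label by label.
    A '*' label matches exactly one label (the stricter RFC 6125 reading)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return all(pl == "*" or pl == hl for pl, hl in zip(p, h))

def verify_hostname(cert, requested):
    """Return True if the host the client asked for matches the peer certificate.
    `cert` has the shape returned by ssl.SSLSocket.getpeercert(); `requested` is
    the host part of the URL. Nothing here resolves names: forward or reverse DNS
    results play no part in the decision."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for t, v in san if t == "DNS"]
    ip_names = [v for t, v in san if t == "IP Address"]
    try:
        requested_ip = ipaddress.ip_address(requested)
    except ValueError:
        requested_ip = None
    if requested_ip is not None:
        # URL named an IP literal: it must equal an iPAddress SAN entry
        return any(ipaddress.ip_address(v) == requested_ip for v in ip_names)
    if dns_names:
        # dNSName entries present: they are authoritative, the CN is ignored
        return any(_match_dns(p, requested) for p in dns_names)
    # No dNSName SAN: fall back to the most specific (last) commonName
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return bool(cns) and _match_dns(cns[-1], requested)

# Constructed certificate data for the demonstration, not real certificates
SAN_CERT = {
    "subject": ((("commonName", "api.example.com"),),),
    "subjectAltName": (("DNS", "api.example.com"),
                       ("DNS", "*.internal.example"),
                       ("IP Address", "10.0.0.5")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example"),),)}

if __name__ == "__main__":
    for host in ("api.example.com", "db.internal.example",
                 "a.b.internal.example", "10.0.0.5", "10.0.0.6"):
        print(f"{host:22} -> {verify_hostname(SAN_CERT, host)}")
    print("legacy.example (CN only) ->", verify_hostname(CN_ONLY_CERT, "legacy.example"))
```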
I found a different site that appears to have an answer for this, although I have not yet tried it:
Does that help?
I created a solution to this a while ago, please forgive me for not posting sooner.
I posted a comment on [this bug report|http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4939977] to explain how to get around Java causing reverse DNS lookup on SSL connections. Note that my solution might have side effects, so use with care...
Here's the stack trace of at least one instance where Sun is doing a reverse lookup:
at java.net.Inet4AddressImpl.getHostByAddr(Native Method)