JANUS SSLSTAT or SSLSTATUS

From m204wiki
Revision as of 18:34, 16 April 2013 by JAL (talk | contribs) (→‎Output)
Jump to navigation Jump to search

SSLSTAT or SSLSTATUS

JANUS SSLSTAT and JANUS SSLSTATUS are simply two ways of issuing the same command. The JANUS SSLSTAT or SSLSTATUS command provides a detailed display of the SSL activity for each combination of Janus port and network security protocol. "SSL activity" refers to Janus Network Security encrypted communications on a Janus port whose definition includes an SSL parameter specification. Janus Network Security supports the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols.

Syntax

JANUS SSLSTATUS portname

Where portname is the name of the port(s) to display. portname defaults to an asterisk (*) to display the SSL activity on all ports.

For example, the following command would display the encrypted connection activity on all defined ports:

JANUS SSLSTATUS *

Output

JANUS SSLSTATUS provides the following information:

Name Name defined to the TCP/IP port.
Port TCP/IP port number.
Type IFDIAL, SDS, OAS, OMNI, OPENSERV, WEBSERV, CLSOCK, or SRVSOCK.
Stat Status of the connection (started, stopped, forcing, or draining).
Prot The security protocol to which the line applies.

One line is displayed for each port for each protocol. Currently, the supported protocols are SSL version 2 (V2), SSL V3, and TLS V1.

Connects Number of TCP/IP connections made to the port.

For a WEBSERV port, this corresponds to the number of "hits" or pages requested from the server.

SesNew Number of new SSL/TLS sessions created for the port.

SesNew is always less than Connects, because the worst case is that each new connection requires a new session. A new session requires the exchange of a "master-secret" using computationally expensive public-key/private-key encryption/decryption. Because of the cost of this exchange, most SSL/TLS implementations try to re-use a master-secret from a previous connection. All connections that use the same master-secret are part of an SSL/TLS session. Ideally, SesNew would be significantly less than Connects.

SesNF The number of times a browser tried to continue an SSL/TLS session but Janus was unable to locate the session information in its session cache.

This not-found situation is only likely to happen if the session information was displaced from the session cache by other sessions. If SesNF is a large value, it might be worth increasing the size of the SSL session cache with the SSLCACHE on the JANUS DEFINE command. While from a client's perspective, a session-not-found situation can also occur if the port (or possibly the Online) serving the connection was cycled since the last connection by the client, this is not counted as part of SesNF.

SesTO The number of times a browser tried to continue an SSL/TLS session but Janus decided that the session information in its session cache had expired.

These timeouts are only likely to happen if the default SSL session life-spans are overridden with the SSLMAXAGE parameter () on the JANUS DEFINE command. If SSLMAXAGE is not defined, both Janus and the other side of an encrypted connection are likely to be using the same default life-spans for secure sessions: 2 minutes for SSL V2, and 24 hours for SSL V3 and TLS.

If both client and server have identical values for the maximum SSL/TLS session life-span, there is a slight chance that a client will decide that a secure session is still valid (by say one millisecond), but the delay between this and the time the server receives the request is long enough for the server to decide the session is expired. Even so, an expired session simply forces the client and server to start a new session by exchanging a new "master-secret" using public-key/private-key encryption/decryption. Otherwise, processing continues as usual over the connection.

Errs The number of security protocol errors.

By far, the most common cause of these protocol errors is an attempt to connect to a secured port using something other than SSL or TLS: either unencrypted data or an unsupported protocol.