JANUS SSLSTAT or SSLSTATUS
Display SSL activity
JANUS SSLSTAT and JANUS SSLSTATUS are simply two ways of issuing the same command. The JANUS SSLSTAT or SSLSTATUS command provides a detailed display of the SSL activity for each combination of Janus port and network security protocol. "SSL activity" refers to Janus Network Security encrypted communications on a Janus port whose definition includes an SSL parameter specification. Janus Network Security supports the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols.
Syntax
JANUS SSLSTATUS portname
Where portname is the name of the port(s) to display. portname defaults to an asterisk (*) to display the SSL activity on all ports.
For example, the following sample command, which displays the encrypted connection activity on all defined ports, is followed by its output:
JANUS SSLSTATUS *
Name Port Type Stat Prot Connects SesNew SesNF SesTO Errs JANWEBS 443 WEBSERV Start SSLV2 1 1 0 0 0 JANWEBS 443 WEBSERV Start 3/TLS 308 180 0 0 30 UKWEBS 443 WEBSERV Stop SSLV2 0 0 0 0 0 UKWEBS 443 WEBSERV Stop 3/TLS 0 0 0 0 0 CLUBWEBS 443 WEBSERV Stop SSLV2 0 0 0 0 0 CLUBWEBS 443 WEBSERV Stop 3/TLS 0 0 0 0 0 MKIWEBS 443 WEBSERV Stop SSLV2 0 0 0 0 0 MKIWEBS 443 WEBSERV Stop 3/TLS 0 0 0 0 0 HOCKEYS 443 WEBSERV Start SSLV2 1 1 0 0 0 HOCKEYS 443 WEBSERV Start 3/TLS 9 9 0 0 0 XTENDS 7879 WEBSERV Start SSLV2 0 0 0 0 0 XTENDS 7879 WEBSERV Start 3/TLS 0 0 0 0 0
Command output
JANUS SSLSTATUS provides the following columns of information:
| Name | Name defined to the TCP/IP port. |
|---|---|
| Port | TCP/IP port number. |
| Type | IFDIAL, SDS, OAS, OMNI, OPENSERV, WEBSERV, CLSOCK, or SRVSOCK. |
| Stat | Status of the connection (started, stopped, forcing, or draining). |
| Prot | The security protocol to which the line applies.
One line is displayed for each port for each protocol. Currently, the supported protocols are SSL version 2 (V2), SSL V3, and TLS V1. |
| Connects | Number of TCP/IP connections made to the port.
For a WEBSERV port, this corresponds to the number of "hits" or pages requested from the server. |
| SesNew | Number of new SSL/TLS sessions created for the port.
SesNew is always less than Connects, because the worst case is that each new connection requires a new session. A new session requires the exchange of a "master-secret" using computationally expensive public-key/private-key encryption/decryption. Because of the cost of this exchange, most SSL/TLS implementations try to re-use a master-secret from a previous connection. All connections that use the same master-secret are part of an SSL/TLS session. Ideally, SesNew would be significantly less than Connects. |
| SesNF | The number of times a browser tried to continue an SSL/TLS session but Janus was unable to locate the session information in its session cache.
This not-found situation is only likely to happen if the session information was displaced from the session cache by other sessions. If SesNF is a large value, it might be worth increasing the size of the SSL session cache with the SSLCACHE on the JANUS DEFINE command. While from a client's perspective, a session-not-found situation can also occur if the port (or possibly the Online) serving the connection was cycled since the last connection by the client, this is not counted as part of SesNF. |
| SesTO | The number of times a browser tried to continue an SSL/TLS session but Janus decided that the session information in its session cache had expired.
These timeouts are only likely to happen if the default SSL session life-spans are overridden with the SSLMAXAGE parameter on the JANUS DEFINE command. If SSLMAXAGE is not defined, both Janus and the other side of an encrypted connection are likely to be using the same default life-spans for secure sessions: 2 minutes for SSL V2, and 24 hours for SSL V3 and TLS. If both client and server have identical values for the maximum SSL/TLS session life-span, there is a slight chance that a client will decide that a secure session is still valid (by say one millisecond), but the delay between this and the time the server receives the request is long enough for the server to decide the session is expired. Even so, an expired session simply forces the client and server to start a new session by exchanging a new "master-secret" using public-key/private-key encryption/decryption. Otherwise, processing continues as usual over the connection. |
| Errs | The number of security protocol errors.
By far, the most common cause of these protocol errors is an attempt to connect to a secured port using something other than SSL or TLS: either unencrypted data or an unsupported protocol. |