About SSL communication in Azure AppService

矢島 あや子 SSOL 0 Reputation points
2023-06-19T08:14:44.9966667+00:00

It takes a long time to run a java application that performs SSL (TLS) communication on Azure AppService.

For example, when executing the following sample code (java), sslContext.init() takes about 8 seconds.

<Execution environment (App Service)>

Windows Server 2016 10.0 (amd64)

Microsoft 11.0.12+7, OpenJDK 64-Bit Server VM (mixed

<Sample code>

SSLContext sslContext = SSLContext.getInstance("TLSv1.3");

sslContext.init(null, null, null);

When the above sample code is executed on a local PC, it takes only about 200ms.

This issue only reproduces when running on Azure App Service.

Do you know why it takes so long?

Also, is there a workaround?

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
8,178 questions
{count} votes

1 answer

Sort by: Most helpful
  1. ajkuma 27,956 Reputation points Microsoft Employee
    2023-06-20T20:33:01.59+00:00

    Based on my understanding of the issue from your description, and that you mentioned it is reproduced only on App Service ( locally it takes 200ms).

    The issue you are experiencing may be due to the fact that the SSLContext is being initialized with null parameters. According to the Java docs, the SSLContext.init() method initializes this context. If the key manager, trust manager, or secure random parameters are null, then the installed security providers will be searched for the highest-priority implementation of the appropriate factory. This search is done in the order returned by Security.getProviders(). This may be causing the delay you are experiencing.

    To isolate the issue/As for a workaround, you may try manually loading the key store. You can load certificates manually to the key store. Create an app setting, SKIP_JAVA_KEYSTORE_LOAD, with a value of 1 to disable App Service from loading the certificates into the key store automatically.

    All public certificates uploaded to App Service via the Azure portal are stored under /var/ssl/certs/. Private certificates are stored under /var/ssl/private/. You may interact or debug the Java Key Tool by opening an SSH connection to your App Service and running the command keytool.

    Reference: Doc section Configure a Java app for Azure App Service | Manually load the key store

    Kindly let us know how it goes, I'll follow-up with you further.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.