cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Fred Dushin (JIRA)" <j...@apache.org>
Subject [jira] Created: (CXF-1222) Some TLS ciphersuite configurations result in 100% CPU utilization
Date Tue, 20 Nov 2007 19:32:43 GMT
Some TLS ciphersuite configurations result in 100% CPU utilization
------------------------------------------------------------------

                 Key: CXF-1222
                 URL: https://issues.apache.org/jira/browse/CXF-1222
             Project: CXF
          Issue Type: Bug
          Components: Transports
    Affects Versions: 2.0.3
            Reporter: Fred Dushin
             Fix For: 2.0.4


By setting the ciphersuite filter to just exclude DH Anon cipher suites, e.g.,

{{{
                <csec:cipherSuitesFilter>
                    <!-- <csec:include>.*</csec:include> -->
                    <csec:exclude>.*_DH_anon_.*</csec:exclude>
                </csec:cipherSuitesFilter>
}}}

a CXF server will spin its wheels in com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites:

{{{
     [java] "btpool0-0 - Acceptor0 CXFJettySslSocketConnector@0.0.0.0:9001" prio=5 tid=0x00537320
nid=0x1b96400 runnable [0xb0d0a000..0xb0d0ad10]
     [java]     at com.sun.net.ssl.internal.ssl.OutputRecord.<init>(OutputRecord.java:56)
     [java]     at com.sun.net.ssl.internal.ssl.OutputRecord.<init>(OutputRecord.java:66)
     [java]     at com.sun.net.ssl.internal.ssl.HandshakeOutStream.<init>(HandshakeOutStream.java:36)
     [java]     at com.sun.net.ssl.internal.ssl.Handshaker.setEnabledProtocols(Handshaker.java:281)
     [java]     at com.sun.net.ssl.internal.ssl.Handshaker.init(Handshaker.java:131)
     [java]     at com.sun.net.ssl.internal.ssl.Handshaker.<init>(Handshaker.java:102)
     [java]     at com.sun.net.ssl.internal.ssl.ServerHandshaker.<init>(ServerHandshaker.java:73)
     [java]     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.initHandshaker(SSLSocketImpl.java:981)
     [java]     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.getServerHandshaker(SSLSocketImpl.java:929)
     [java]     at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:288)
     [java]     - locked <0x26dbc988> (a com.sun.net.ssl.internal.ssl.SSLServerSocketImpl)
     [java]     at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:253)
     [java]     at org.mortbay.jetty.security.SslSocketConnector.accept(SslSocketConnector.java:169)
     [java]     at org.mortbay.jetty.AbstractConnector$Acceptor.run(AbstractConnector.java:514)
     [java]     at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)

}}}

{{{
  PID COMMAND      %CPU   TIME   #TH #PRTS #MREGS RPRVT  RSHRD  RSIZE  VSIZE
 8463 top         15.4%  0:02.89   1    18    20   640K   380K  1.10M  27.0M 
 8462 java       103.0%  1:12.61  12   886   521  60.4M- 82.0M  76.6M-  327M-
}}}

This appears to be due to the way in which we initialize cipher suites in the CxfJettySslSocketConnector,
and we should revisit this to defend against this sort of thing from happening.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message