cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Fred Dushin (JIRA)" <j...@apache.org>
Subject [jira] Commented: (CXF-1222) Some TLS ciphersuite configurations result in 100% CPU utilization
Date Mon, 17 Dec 2007 10:15:43 GMT

    [ https://issues.apache.org/jira/browse/CXF-1222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12552363
] 

Fred Dushin commented on CXF-1222:
----------------------------------

Addional information, submitted to cxf-user by jiri.mikulasek [1]:
First configuration:
Server:
 <sec:cipherSuitesFilter>        
        <sec:include>.*WITH_NULL_SHA.*</sec:include>
      </sec:cipherSuitesFilter>
Client:
<sec:cipherSuitesFilter>        
		        <sec:include>SSL_RSA_WITH_NULL_SHA</sec:include>
      		</sec:cipherSuitesFilter>

when trying to connect client to server i got in server log:
INFO: The cipher suites have been set to SSL_RSA_WITH_RC4_128_MD5, 
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, 
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, 
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, 
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, 
SSL_RSA_WITH_NULL_MD5, SSL_DH_anon_WITH_RC4_128_MD5, 
TLS_DH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, 
SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, 
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA, 
TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, 
TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, 
TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, 
TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, 
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5.  
2007-12-17 09:59:15.748::INFO:  Started 
CXFJettySslSocketConnector@0.0.0.0:8090
Exception in thread "btpool1-0" java.lang.OutOfMemoryError: Java heap space
	at com.sun.net.ssl.internal.ssl.InputRecord.<init>(InputRecord.java:65)
	at 
com.sun.net.ssl.internal.ssl.HandshakeInStream.<init>(HandshakeInStream.java:45)
	at 
com.sun.net.ssl.internal.ssl.Handshaker.setEnabledProtocols(Handshaker.java:294)
	at com.sun.net.ssl.internal.ssl.Handshaker.init(Handshaker.java:139)
	at com.sun.net.ssl.internal.ssl.Handshaker.<init>(Handshaker.java:110)
	at 
com.sun.net.ssl.internal.ssl.ServerHandshaker.<init>(ServerHandshaker.java:86)
	at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.initHandshaker(SSLSocketImpl.java:980)
	at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.getServerHandshaker(SSLSocketImpl.java:928)
	at 
com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:288)
	at 
com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:253)
	at 
org.mortbay.jetty.security.SslSocketConnector.accept(SslSocketConnector.java:169)
	at 
org.mortbay.jetty.AbstractConnector$Acceptor.run(AbstractConnector.java:514)
	at 
org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)

Second: configuration:
Client same as before
Server:
 <sec:cipherSuitesFilter>        
        <sec:exclude>.*WITH_NULL_SHA.*</sec:exclude>
      </sec:cipherSuitesFilter>

I got the same exception and following CIPHER SUITE on server side:
INFO: The cipher suites have been set to SSL_RSA_WITH_RC4_128_MD5, 
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, 
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, 
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, 
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, 
SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_RC4_128_MD5, 
TLS_DH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, 
SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, 
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA, 
TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, 
TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, 
TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, 
TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, 
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5.  
2007-12-17 10:11:46.635::INFO:  Started 
CXFJettySslSocketConnector@0.0.0.0:8090
Exception in thread "btpool1-0" java.lang.OutOfMemoryError: Java heap space

[1] http://mail-archives.apache.org/mod_mbox/incubator-cxf-user/200712.mbox/%3c200712171018.34302.jiri.mikulasek@aura.cz%3e

> Some TLS ciphersuite configurations result in 100% CPU utilization
> ------------------------------------------------------------------
>
>                 Key: CXF-1222
>                 URL: https://issues.apache.org/jira/browse/CXF-1222
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 2.0.3
>            Reporter: Fred Dushin
>             Fix For: 2.0.4
>
>
> By setting the ciphersuite filter to just exclude DH Anon cipher suites, e.g.,
> {{{
>                 <csec:cipherSuitesFilter>
>                     <!-- <csec:include>.*</csec:include> -->
>                     <csec:exclude>.*_DH_anon_.*</csec:exclude>
>                 </csec:cipherSuitesFilter>
> }}}
> a CXF server will spin its wheels in com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites:
> {{{
>      [java] "btpool0-0 - Acceptor0 CXFJettySslSocketConnector@0.0.0.0:9001" prio=5 tid=0x00537320
nid=0x1b96400 runnable [0xb0d0a000..0xb0d0ad10]
>      [java]     at com.sun.net.ssl.internal.ssl.OutputRecord.<init>(OutputRecord.java:56)
>      [java]     at com.sun.net.ssl.internal.ssl.OutputRecord.<init>(OutputRecord.java:66)
>      [java]     at com.sun.net.ssl.internal.ssl.HandshakeOutStream.<init>(HandshakeOutStream.java:36)
>      [java]     at com.sun.net.ssl.internal.ssl.Handshaker.setEnabledProtocols(Handshaker.java:281)
>      [java]     at com.sun.net.ssl.internal.ssl.Handshaker.init(Handshaker.java:131)
>      [java]     at com.sun.net.ssl.internal.ssl.Handshaker.<init>(Handshaker.java:102)
>      [java]     at com.sun.net.ssl.internal.ssl.ServerHandshaker.<init>(ServerHandshaker.java:73)
>      [java]     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.initHandshaker(SSLSocketImpl.java:981)
>      [java]     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.getServerHandshaker(SSLSocketImpl.java:929)
>      [java]     at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:288)
>      [java]     - locked <0x26dbc988> (a com.sun.net.ssl.internal.ssl.SSLServerSocketImpl)
>      [java]     at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:253)
>      [java]     at org.mortbay.jetty.security.SslSocketConnector.accept(SslSocketConnector.java:169)
>      [java]     at org.mortbay.jetty.AbstractConnector$Acceptor.run(AbstractConnector.java:514)
>      [java]     at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)
> }}}
> {{{
>   PID COMMAND      %CPU   TIME   #TH #PRTS #MREGS RPRVT  RSHRD  RSIZE  VSIZE
>  8463 top         15.4%  0:02.89   1    18    20   640K   380K  1.10M  27.0M 
>  8462 java       103.0%  1:12.61  12   886   521  60.4M- 82.0M  76.6M-  327M-
> }}}
> This appears to be due to the way in which we initialize cipher suites in the CxfJettySslSocketConnector,
and we should revisit this to defend against this sort of thing from happening.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message