tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hugh H <xuhu_...@outlook.com>
Subject Re: slow or timeout with client certificate and some http client against tomcat 8.5 with Nio2 OpenSSL implementation
Date Wed, 02 May 2018 03:19:23 GMT
Hi Mark,

Here are the logs you requested

client:
https://1drv.ms/t/s!Aii8T4l0bnqVlyAuRIjSuluBe8vy

server:
https://1drv.ms/u/s!Aii8T4l0bnqVlx-TGo6I0dMXZxG1


I checked the system clock right before my testing and the server and the client are synchronized.

Thanks,
Hugh

On May 1, 2018, at 9:31 AM, Mark Thomas <markt@apache.org<mailto:markt@apache.org>>
wrote:

On 01/05/18 03:11, 旭东 胡 wrote:
Hi Mark,

Unfortunately,  8.5.31 does not resolve my issue. You can find the catalina.out log by https://1drv.ms/u/s!Aii8T4l0bnqVlx0mqtHngJ_1OvRo.
From my client log the timeout occurs:
1. between 15:03:48 and 15:04:48
2. between 15:04:48 and 15:05:48
3. between 15:05:49 and 15:06:49
4. between 15:06:59 and 15:07:49
5. between 15:07:59 and 15:08:49
6. between 15:08:59 and 15:09:49

The problematic port is 11443. Sorry there is a health checking, which I cannot turned off,
on port 10443 adding a lot noise.

OK.

First of all, please ensure that the time on the client and server are
synchronized. Give that the server log doesn't show the server starting
until 15:04:00 the client and server look to be ~25 seconds out of sync.

What I see in most of the connections is the TLS handshake completing
and the I/O layer passing the socket to the protocol layer for
processing. The socket is returned from the protocol layer with an
instruction to close the socket.

We need to see what is happening in the protocol layer. Please add the
following to logging.properties, restart Tomcat 8.5.31 and repeat your test:
org.apache.coyote.level=FINE

Please also include the client logs this time.

Thanks,

Mark



Thanks,
Hugh

On Apr 30, 2018, at 5:08 AM, Mark Thomas <markt@apache.org<mailto:markt@apache.org>>
wrote:

On 30/04/18 01:48, ** * wrote:
Hi,

I met a weird issue during setting up tomcat 8.5 with Http11Nio2Protocol connector and OpenSSLImplementation.
The issue is that a request would be timeout using apache HttpClient and client certificate
after serval previous requests. It also happens with RestAssured and SoapUI. Please note it
works fine for first several requests and then failed with timeout.

However, this issue is not observed when JMeter, tried both JAVA and non-JAVA implementation,
and insomnia REST client being used. I used a static page to rule out application factors.
Also Http11NioProtocol works fine for all above clients. The only thing I changed for Http11NioProtocol
is to specify  protocol="org.apache.coyote.http11.Http11NioProtocol” instead of protocol="org.apache.coyote.http11.Http11Nio2Protocol”.
Also, I have another  connector configured not checking client certificate. This one also
works fine regardless of Http11NioProtocol or Http11Nio2Protocol being used.

Would you please help to identify if I have anything wrong in my configuration?  I tried to
set the log level to fine. But I did not find anything useful. Please help.

8.5.31 fixes an error in this area that might be relevant. The release
vote for 8.5.31 is currently in progress. Details on the dev@ list. If
you could download the 8.5.31 release candidate and test against that,
that would be helpful.

If that doesn't work then we'll need the following (again with 8.5.31 so
we are testing the latest code):

Enable debug logging for the I/O layer:
org.apache.tomcat.util.net.level=FINE

Enable TLS debug logging for the client:
-Djavax.net.debug=all

Recreate the problem.

Provide us with:
- the logs for the 30s before the error and 5s after it
- the point in the logs where the error occurred

Thanks,

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org<mailto:users-unsubscribe@tomcat.apache.org>
For additional commands, e-mail: users-help@tomcat.apache.org<mailto:users-help@tomcat.apache.org>



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org<mailto:users-unsubscribe@tomcat.apache.org>
For additional commands, e-mail: users-help@tomcat.apache.org<mailto:users-help@tomcat.apache.org>



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org<mailto:users-unsubscribe@tomcat.apache.org>
For additional commands, e-mail: users-help@tomcat.apache.org<mailto:users-help@tomcat.apache.org>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message