tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From 旭东 胡 <>
Subject Re: slow or timeout with client certificate and some http client against tomcat 8.5 with Nio2 OpenSSL implementation
Date Tue, 01 May 2018 02:11:05 GMT
Hi Mark,

Unfortunately,  8.5.31 does not resolve my issue. You can find the catalina.out log by!Aii8T4l0bnqVlx0mqtHngJ_1OvRo.

From my client log the timeout occurs:
1. between 15:03:48 and 15:04:48
2. between 15:04:48 and 15:05:48
3. between 15:05:49 and 15:06:49
4. between 15:06:59 and 15:07:49
5. between 15:07:59 and 15:08:49
6. between 15:08:59 and 15:09:49

The problematic port is 11443. Sorry there is a health checking, which I cannot turned off,
on port 10443 adding a lot noise.


> On Apr 30, 2018, at 5:08 AM, Mark Thomas <> wrote:
> On 30/04/18 01:48, ** * wrote:
>> Hi,
>> I met a weird issue during setting up tomcat 8.5 with Http11Nio2Protocol connector
and OpenSSLImplementation. The issue is that a request would be timeout using apache HttpClient
and client certificate after serval previous requests. It also happens with RestAssured and
SoapUI. Please note it works fine for first several requests and then failed with timeout.
>> However, this issue is not observed when JMeter, tried both JAVA and non-JAVA implementation,
and insomnia REST client being used. I used a static page to rule out application factors.
Also Http11NioProtocol works fine for all above clients. The only thing I changed for Http11NioProtocol
is to specify  protocol="org.apache.coyote.http11.Http11NioProtocol” instead of  protocol="org.apache.coyote.http11.Http11Nio2Protocol”.
Also, I have another  connector configured not checking client certificate. This one also
works fine regardless of Http11NioProtocol or Http11Nio2Protocol being used.
>> Would you please help to identify if I have anything wrong in my configuration? 
I tried to set the log level to fine. But I did not find anything useful. Please help.
> 8.5.31 fixes an error in this area that might be relevant. The release
> vote for 8.5.31 is currently in progress. Details on the dev@ list. If
> you could download the 8.5.31 release candidate and test against that,
> that would be helpful.
> If that doesn't work then we'll need the following (again with 8.5.31 so
> we are testing the latest code):
> Enable debug logging for the I/O layer:
> Enable TLS debug logging for the client:
> Recreate the problem.
> Provide us with:
> - the logs for the 30s before the error and 5s after it
> - the point in the logs where the error occurred
> Thanks,
> Mark
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

View raw message