tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: slow or timeout with client certificate and some http client against tomcat 8.5 with Nio2 OpenSSL implementation
Date Tue, 01 May 2018 13:31:44 GMT
On 01/05/18 03:11, 旭东 胡 wrote:
> Hi Mark,
> Unfortunately,  8.5.31 does not resolve my issue. You can find the catalina.out log by!Aii8T4l0bnqVlx0mqtHngJ_1OvRo. 
> From my client log the timeout occurs:
> 1. between 15:03:48 and 15:04:48
> 2. between 15:04:48 and 15:05:48
> 3. between 15:05:49 and 15:06:49
> 4. between 15:06:59 and 15:07:49
> 5. between 15:07:59 and 15:08:49
> 6. between 15:08:59 and 15:09:49
> The problematic port is 11443. Sorry there is a health checking, which I cannot turned
off, on port 10443 adding a lot noise.


First of all, please ensure that the time on the client and server are
synchronized. Give that the server log doesn't show the server starting
until 15:04:00 the client and server look to be ~25 seconds out of sync.

What I see in most of the connections is the TLS handshake completing
and the I/O layer passing the socket to the protocol layer for
processing. The socket is returned from the protocol layer with an
instruction to close the socket.

We need to see what is happening in the protocol layer. Please add the
following to, restart Tomcat 8.5.31 and repeat your test:

Please also include the client logs this time.



> Thanks,
> Hugh
>> On Apr 30, 2018, at 5:08 AM, Mark Thomas <> wrote:
>> On 30/04/18 01:48, ** * wrote:
>>> Hi,
>>> I met a weird issue during setting up tomcat 8.5 with Http11Nio2Protocol connector
and OpenSSLImplementation. The issue is that a request would be timeout using apache HttpClient
and client certificate after serval previous requests. It also happens with RestAssured and
SoapUI. Please note it works fine for first several requests and then failed with timeout.
>>> However, this issue is not observed when JMeter, tried both JAVA and non-JAVA
implementation, and insomnia REST client being used. I used a static page to rule out application
factors. Also Http11NioProtocol works fine for all above clients. The only thing I changed
for Http11NioProtocol is to specify  protocol="org.apache.coyote.http11.Http11NioProtocol”
instead of  protocol="org.apache.coyote.http11.Http11Nio2Protocol”. Also, I have another
 connector configured not checking client certificate. This one also works fine regardless
of Http11NioProtocol or Http11Nio2Protocol being used.
>>> Would you please help to identify if I have anything wrong in my configuration?
 I tried to set the log level to fine. But I did not find anything useful. Please help.
>> 8.5.31 fixes an error in this area that might be relevant. The release
>> vote for 8.5.31 is currently in progress. Details on the dev@ list. If
>> you could download the 8.5.31 release candidate and test against that,
>> that would be helpful.
>> If that doesn't work then we'll need the following (again with 8.5.31 so
>> we are testing the latest code):
>> Enable debug logging for the I/O layer:
>> Enable TLS debug logging for the client:
>> Recreate the problem.
>> Provide us with:
>> - the logs for the 30s before the error and 5s after it
>> - the point in the logs where the error occurred
>> Thanks,
>> Mark
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>> For additional commands, e-mail:
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message