tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: Tomcat 9 Nio2+OpenSSL problem (very likely a bug)
Date Wed, 13 Mar 2019 21:21:08 GMT
On 13/03/2019 20:30, Igor T wrote:
> Prerequisites:
> OS: Windows Server 2012 R2
> Java: checked on both jdk1.8.0_162 jdk1.8.0_181
> Tomcat: windows x64 builds checked on 9.0.12, 9.0.16, 9.0.17-dev

9.0.17-dev at which point in time?

Have you tested the current 9.0.17 release candidate (see dev@ for details)

Mark



> Valid SSL certificates
> Content of file located at webapp/ROOT/1.txt: []
> Tomcat's connector settings:
>         <Connector port="443"
>                         protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> 
> sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
>                         connectionTimeout="5000"
>                         SSLEnabled="true"
>                         scheme="https"
>                         secure="true"
>         >
> 
> This configuration leads to 50% of the traffic to be rejected with
> Connection resets. First socket connects and receives the service, but
> every second is resetted.
> 
> Exactly this combination leads to connection resets:
>         protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>         sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
> 
> Configurations that work well without connection resets:
>         protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>         sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
> or
>         protocol="org.apache.coyote.http11.Http11NioProtocol"
>         sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
> 
> Java code to reproduce the connection resets (works well with any
> other secure server):
> (there is no resets if a variable named FIX__gotoSleepAfterHandshake = true)
> 
> public class CheckConnectionResets{
>     static String host = "your-test-host";
> 
>     public static void main( String[] args ) throws
> InterruptedException, IOException{
> 
>         SSLSocketFactory factory =
> (SSLSocketFactory)SSLSocketFactory.getDefault();
>         int nRuns = 4;
>         int success = 0;
>         int denial = 0;
> 
>         boolean FIX__gotoSleepAfterHandshake = false;
> 
>         for( int i = 0; i < nRuns; i++ ){
>             try ( SSLSocket socket = (SSLSocket)factory.createSocket(
> host, 443 ) ){
> 
>                 if( FIX__gotoSleepAfterHandshake ){
>                     socket.startHandshake();
>                     Thread.sleep( 500 );
>                 }
>                 try ( PrintWriter out = new PrintWriter( new
> BufferedWriter( new OutputStreamWriter( socket.getOutputStream() ) )
> );
>                         InputStream is = socket.getInputStream(); ){
> 
>                     out.println( "GET /1.txt HTTP/1.1" );
>                     out.println( "Host: " + host );
>                     out.println( "Accept: */*" );
>                     out.println();
>                     out.flush();
> 
>                     if( out.checkError() ){
>                         System.out.println( "SSLSocketClient:
> java.io.PrintWriter error" );
>                     }
> 
>                     Instant start = Instant.now();
>                     /* read full response */
>                     byte[] buff = new byte[ 1024 ];
>                     int read = is.read( buff );
>                     success++;
>                     System.out.println( "success: " + success + ",
> read " + read + " bytes for: " + start.until( Instant.now(),
> ChronoUnit.MILLIS ) + "ms" );
> 
>                 } catch ( IOException e ) {
>                     denial++;
>                     System.err.println( "denial: " + denial + ", " +
> e.getMessage() );
> }}}}}
> 
> Sample output:
> success: 1, read 73 bytes for: 78ms
> denial: 1, Connection reset
> success: 2, read 73 bytes for: 78ms
> denial: 2, Connection reset
> 
> The bug is stable, and always reproducible.
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message