tomcat-dev mailing list archives

From bugzi...@apache.org
Subject [Bug 62794] New: Tomcat request-read fails when using TLSv1.3 with APR connector
Date Tue, 02 Oct 2018 14:39:33 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=62794

            Bug ID: 62794
           Summary: Tomcat request-read fails when using TLSv1.3 with APR
                    connector
           Product: Tomcat 9
           Version: unspecified
          Hardware: PC
                OS: Mac OS X 10.1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: chris@christopherschultz.net
  Target Milestone: -----

When TLSv1.3 is enabled with the APR connector, Tomcat fails with an
IOException after the TLS handshake completed but before a request is
processed.

STR:

0. Use OpenSSL 1.1.1

1. Patch Tomcat and tcnative to support OpenSSL TLSv1.3. Please see bug #62748
for the requisite patches. Note that both Tomcat and tcnative need patches.

2. Configure Tomcat trunk with a connector:

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
            <Certificate certificateKeyFile="conf/localhost.key"
                         certificateFile="conf/localhost.crt"
                         certificateKeyPassword="[...]"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

3. Start Tomcat

4. Attempt to make a connection:

    $ openssl s_client -tls1_3 -connect [host]:8443
    [handshake succeeds]
    GET /[CRLF]

Result: connection is closed, Tomcat throws an exception:

02-Oct-2018 10:32:10.734 FINE [https-openssl-apr-8443-exec-6] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
 java.io.IOException: Unexpected error [53] reading data from the APR/native socket [140,449,444,320,416] with wrapper [org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper@3159d159:140449444320416].
        at org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper.fillReadBuffer(AprEndpoint.java:2533)
        at org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper.fillReadBuffer(AprEndpoint.java:2453)
        at org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper.read(AprEndpoint.java:2436)
        at org.apache.coyote.http11.Http11InputBuffer.fill(Http11InputBuffer.java:729)
        at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:352)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:294)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:770)
        at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2338)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1135)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:844)


Expected: successful HTTP request/response

Running the same s_client command with the -tls1_2 switch works as expected.


There is a report in bug #62748 indicating that Google Chrome fails in a
similar way and so does Tomcat.
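An added check, not part of the bug report or of Tomcat: a POSIX shell probe that repeats the s_client step once per protocol version and classifies what came back, so the TLSv1.2/TLSv1.3 difference described above shows up as one result line per version. It assumes OpenSSL 1.1.1 or later on PATH, takes host and port as arguments, and sends an HTTP/1.0 request with Connection: close (a full request rather than the bare "GET /" used in the report) so the server ends the connection after its reply.

```shell
#!/bin/sh
# Added example, not from the bug report: probe a TLS connector with
# openssl s_client once per protocol version and classify the outcome.
# Assumes OpenSSL 1.1.1+ on PATH; host and port are supplied as arguments.

# classify_probe: read s_client output (stdout+stderr) on stdin and print
#   response               - handshake done and an HTTP status line came back
#   closed_after_handshake - handshake done, but no response (the bug above)
#   handshake_failed       - no TLS session was established at all
classify_probe() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^HTTP/1\.[01] [1-5][0-9][0-9]'; then
        echo response
    elif printf '%s\n' "$out" | grep -q '^New, TLSv1\.[23], Cipher is'; then
        echo closed_after_handshake
    else
        echo handshake_failed
    fi
}

# probe HOST PORT VERSION: VERSION is tls1_2 or tls1_3 (s_client switch names).
# The HTTP/1.0 request with Connection: close makes the server end the
# connection after its reply; -ign_eof keeps s_client reading until then.
probe() {
    host=$1; port=$2; ver=$3
    printf 'GET / HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n' "$host" \
        | openssl s_client "-$ver" -ign_eof -servername "$host" \
            -connect "$host:$port" 2>&1 \
        | classify_probe
}

# compare_versions HOST PORT: one result line per protocol version.
compare_versions() {
    for ver in tls1_2 tls1_3; do
        printf '%s: %s\n' "$ver" "$(probe "$1" "$2" "$ver")"
    done
}

# Usage: sh probe.sh localhost 8443
if [ "$#" -ge 2 ]; then
    compare_versions "$1" "$2"
fi
```

Against the setup in the report the expected output is `tls1_2: response` and `tls1_3: closed_after_handshake`; both lines reading `response` means the connector handles TLSv1.3 request reads.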
