tomcat-users mailing list archives

From André Warnier (tomcat) ...@ice-sa.com>
Subject Re: Tomcat 8.5.23 Initialization PRNG/SSL
Date Fri, 27 Oct 2017 20:56:41 GMT
On 27.10.2017 16:55, George S. wrote:
> I'm seeing some strange ssl errors. They're not reproducible consistently, and I think
> they're because the PRNG is initializing after the Connector. Here's some log output:
>
> 26-Oct-2017 17:04:08.380 INFO [main] org.apache.coyote.AbstractProtocol.start Starting
> ProtocolHandler ["http-nio-8080"]
> 26-Oct-2017 17:04:08.429 INFO [main] org.apache.coyote.AbstractProtocol.start Starting
> ProtocolHandler ["https-jsse-nio-443"]
> 26-Oct-2017 17:04:08.459 INFO [main] org.apache.coyote.AbstractProtocol.start Starting
> ProtocolHandler ["ajp-nio-8009"]
> 26-Oct-2017 17:04:08.492 INFO [main] org.apache.catalina.startup.Catalina.start Server
> startup in 56903 ms
> 26-Oct-2017 17:05:16.364 WARNING [localhost-startStop-1]
> org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of
> SecureRandom instance for session ID generation using [SHA1PRNG] took [118,978] milliseconds.

If that means actually 118 thousand 978 milliseconds (just shy of 2 minutes), that looks 
like a lot.  According to the little I have been able to grab while perusing this list, 
that would indicate some serious difficulty for that host in generating sufficient entropy.
Maybe time to read the FAQ:
https://wiki.apache.org/tomcat/HowTo/FasterStartUp
Item 3.

>
> The exception is:
>
> javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
> at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
> at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
> at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
> at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
> at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
> at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
>
> Has anyone else seen something like this? The app is making an internal SSL connection to
> another servlet.

That does indeed not seem to make a lot of sense, unless this servlet could possibly be 
running on another server.

> I don't know why they didn't use a RequestDispatcher and do .include(),
> but it's not my code.
>
> Anyhow, am I right that the exception is probably related to the connectors coming up
> before the PRNG?
>
Tomcat is starting a Connector ["https-jsse-nio-443"], for which I suppose it also needs 
entropy.  Does the log say when that Connector is actually finished with starting up?


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
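The two-minute SecureRandom creation time in the thread above is the symptom of a blocking entropy source. The following small diagnostic is an added example, not code from Tomcat or from either poster: it reports which entropy source the JVM is configured to use and times how long a fresh SecureRandom instance takes to produce its first bytes, which is the point where seeding actually happens. The class name and the one-second threshold are the example's own choices.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;

/**
 * Added diagnostic (not Tomcat code): measures how long a SecureRandom
 * instance needs before it can hand out its first output. A slow result here
 * corresponds to Tomcat's "Creation of SecureRandom instance ... took [N]
 * milliseconds" warning and points at the host's entropy source, not at the
 * connector order.
 */
public class SecureRandomSeedTimer {

    /**
     * Creates a SecureRandom for the given algorithm (Tomcat's default is
     * SHA1PRNG) and draws 32 bytes, which forces self-seeding from the
     * configured source. Returns the elapsed wall-clock time in milliseconds.
     */
    public static long timeFirstOutput(String algorithm) throws NoSuchAlgorithmException {
        long start = System.nanoTime();
        SecureRandom rng = SecureRandom.getInstance(algorithm);
        byte[] buf = new byte[32];
        rng.nextBytes(buf);
        return (System.nanoTime() - start) / 1_000_000L;
    }

    public static void main(String[] args) throws Exception {
        String algorithm = args.length > 0 ? args[0] : "SHA1PRNG";

        // The seed source comes from java.security (securerandom.source) and can be
        // overridden on the command line with -Djava.security.egd=...
        System.out.println("securerandom.source = " + Security.getProperty("securerandom.source"));
        System.out.println("java.security.egd   = " + System.getProperty("java.security.egd"));

        long ms = timeFirstOutput(algorithm);
        System.out.println("first output from " + algorithm + " took " + ms + " ms");

        // Threshold chosen for this example: anything beyond a second means the
        // JVM is waiting on the kernel's blocking pool rather than on CPU work.
        if (ms > 1000) {
            System.out.println("seeding is slow: the host is short of entropy (FAQ item 3 applies)");
        }
    }
}
```

Run it once as `java SecureRandomSeedTimer` on the affected host and once as `java -Djava.security.egd=file:/dev/./urandom SecureRandomSeedTimer`; the second form is the non-blocking source the Tomcat FAQ recommends, and if only that run is fast the delay is in the entropy source rather than in Tomcat's startup order.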

