[ https://issues.apache.org/jira/browse/CXF-1222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12552363 ]

Fred Dushin commented on CXF-1222:
----------------------------------

Additional information, submitted to cxf-user by jiri.mikulasek [1]:
First configuration:
Server:
  <sec:cipherSuitesFilter>
    <sec:include>.*WITH_NULL_SHA.*</sec:include>
  </sec:cipherSuitesFilter>
Client:
  <sec:cipherSuitesFilter>
    <sec:include>SSL_RSA_WITH_NULL_SHA</sec:include>
  </sec:cipherSuitesFilter>

When trying to connect the client to the server I got this in the server log:
INFO: The cipher suites have been set to SSL_RSA_WITH_RC4_128_MD5, 
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, 
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, 
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, 
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, 
SSL_RSA_WITH_NULL_MD5, SSL_DH_anon_WITH_RC4_128_MD5, 
TLS_DH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, 
SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, 
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA, 
TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, 
TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, 
TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, 
TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, 
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5.  
2007-12-17 09:59:15.748::INFO:  Started 
[EMAIL PROTECTED]:8090
Exception in thread "btpool1-0" java.lang.OutOfMemoryError: Java heap space
        at com.sun.net.ssl.internal.ssl.InputRecord.<init>(InputRecord.java:65)
        at com.sun.net.ssl.internal.ssl.HandshakeInStream.<init>(HandshakeInStream.java:45)
        at com.sun.net.ssl.internal.ssl.Handshaker.setEnabledProtocols(Handshaker.java:294)
        at com.sun.net.ssl.internal.ssl.Handshaker.init(Handshaker.java:139)
        at com.sun.net.ssl.internal.ssl.Handshaker.<init>(Handshaker.java:110)
        at com.sun.net.ssl.internal.ssl.ServerHandshaker.<init>(ServerHandshaker.java:86)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.initHandshaker(SSLSocketImpl.java:980)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.getServerHandshaker(SSLSocketImpl.java:928)
        at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:288)
        at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:253)
        at org.mortbay.jetty.security.SslSocketConnector.accept(SslSocketConnector.java:169)
        at org.mortbay.jetty.AbstractConnector$Acceptor.run(AbstractConnector.java:514)
        at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)

Second configuration:
Client same as before
Server:
  <sec:cipherSuitesFilter>
    <sec:exclude>.*WITH_NULL_SHA.*</sec:exclude>
  </sec:cipherSuitesFilter>

I got the same exception and the following cipher suites on the server side:
INFO: The cipher suites have been set to SSL_RSA_WITH_RC4_128_MD5, 
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, 
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, 
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, 
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, 
SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_RC4_128_MD5, 
TLS_DH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, 
SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, 
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA, 
TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, 
TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, 
TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, 
TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, 
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5.  
2007-12-17 10:11:46.635::INFO:  Started 
[EMAIL PROTECTED]:8090
Exception in thread "btpool1-0" java.lang.OutOfMemoryError: Java heap space

[1] http://mail-archives.apache.org/mod_mbox/incubator-cxf-user/200712.mbox/[EMAIL PROTECTED]

> Some TLS ciphersuite configurations result in 100% CPU utilization
> ------------------------------------------------------------------
>
>                 Key: CXF-1222
>                 URL: https://issues.apache.org/jira/browse/CXF-1222
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 2.0.3
>            Reporter: Fred Dushin
>             Fix For: 2.0.4
>
>
> By setting the ciphersuite filter to just exclude DH Anon cipher suites, e.g.,
> {{{
>                 <csec:cipherSuitesFilter>
>                     <!-- <csec:include>.*</csec:include> -->
>                     <csec:exclude>.*_DH_anon_.*</csec:exclude>
>                 </csec:cipherSuitesFilter>
> }}}
> a CXF server will spin its wheels in 
> com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites:
> {{{
>      [java] "btpool0-0 - Acceptor0 [EMAIL PROTECTED]:9001" prio=5 tid=0x00537320 nid=0x1b96400 runnable [0xb0d0a000..0xb0d0ad10]
>      [java]     at com.sun.net.ssl.internal.ssl.OutputRecord.<init>(OutputRecord.java:56)
>      [java]     at com.sun.net.ssl.internal.ssl.OutputRecord.<init>(OutputRecord.java:66)
>      [java]     at com.sun.net.ssl.internal.ssl.HandshakeOutStream.<init>(HandshakeOutStream.java:36)
>      [java]     at com.sun.net.ssl.internal.ssl.Handshaker.setEnabledProtocols(Handshaker.java:281)
>      [java]     at com.sun.net.ssl.internal.ssl.Handshaker.init(Handshaker.java:131)
>      [java]     at com.sun.net.ssl.internal.ssl.Handshaker.<init>(Handshaker.java:102)
>      [java]     at com.sun.net.ssl.internal.ssl.ServerHandshaker.<init>(ServerHandshaker.java:73)
>      [java]     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.initHandshaker(SSLSocketImpl.java:981)
>      [java]     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.getServerHandshaker(SSLSocketImpl.java:929)
>      [java]     at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:288)
>      [java]     - locked <0x26dbc988> (a com.sun.net.ssl.internal.ssl.SSLServerSocketImpl)
>      [java]     at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:253)
>      [java]     at org.mortbay.jetty.security.SslSocketConnector.accept(SslSocketConnector.java:169)
>      [java]     at org.mortbay.jetty.AbstractConnector$Acceptor.run(AbstractConnector.java:514)
>      [java]     at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)
> }}}
> {{{
>   PID COMMAND      %CPU   TIME   #TH #PRTS #MREGS RPRVT  RSHRD  RSIZE  VSIZE
>  8463 top         15.4%  0:02.89   1    18    20   640K   380K  1.10M  27.0M 
>  8462 java       103.0%  1:12.61  12   886   521  60.4M- 82.0M  76.6M-  327M-
> }}}
> This appears to be due to the way in which we initialize cipher suites in the 
> CxfJettySslSocketConnector, and we should revisit this to prevent this sort of 
> thing from happening.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
