https://bz.apache.org/bugzilla/show_bug.cgi?id=58741
Bug ID: 58741
Summary: Large number of public certificates in keystore causes
handshake timeout with Http11Nio2Protocol
Product: Tomcat 8
Version: 8.0.24
Hardware: PC
OS: Linux
Status: NEW
Severity: major
Priority: P2
Component: Connectors
Assignee: [email protected]
Reporter: [email protected]
The SSL handshake seems to be timing out with Http11Nio2Protocol and a large
number of entries in the keystore.
I have a connector definition something like the one below in server.xml.
<Connector port="10443"
protocol="org.apache.coyote.http11.Http11Nio2Protocol" maxHttpHeaderSize="4096"
maxThreads="1050" minSpareThreads="25"
maxKeepAliveRequests="-1" keepAliveTimeout="180000"
enableLookups="false" disableUploadTimeout="true"
acceptCount="10" scheme="https" secure="true" SSLEnabled="true"
clientAuth="want" sslProtocol="TLSv1.2"
sslEnabledProtocols="TLSv1.2,TLSv1"
connectionTimeout="180000"
keystoreFile="workforce.keystore"
keystorePass="xxx" algorithm="SunX509"
truststoreFile="workforce.keystore"
truststorePass="xxx"
truststoreType="JKS"
keyAlias="tomcat"
compression="on"
compressionMinSize="2048"
trustManagerClassName="com.workforcesoftware.tomcatssl.WorkforceTrustManager"
useServerCipherSuitesOrder="true"
ciphers="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA"
compressableMimeType="text/html,text/xml,text/js,text/css"/>
Steps to reproduce:
1) Define a connector with something like above.
2) Use a large keystore file. I have a large keystore with one private key with
alias tomcat (as defined in keyAlias) and large number of public certificates
that I trust (> 1400). Sample keystore file is attached.
3) Start/restart Tomcat.
4) Try to access the application/tomcat using the specified connector from the
browser.
5) SSL handshake seems to be timing out. SSL/Handshake debug log is attached.
When I change the protocol from Http11Nio2Protocol to Http11NioProtocol, SSL
handshake seems to be working fine. Besides this, I have also tried separating
out keystore (with only tomcat entry) and trust store (with all public
certificates), but with that configuration, the handshake still seems to be
timing out.
Thanks
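The report hinges on the size of the trust set bundled into the keystore (one PrivateKeyEntry under the tomcat alias plus more than 1400 trustedCertEntry items) and on the split the reporter tried. The following script is an added example, not part of the bug report or of Tomcat: it parses the output of `keytool -list -v` (the sample text below is constructed, with made-up aliases and DNs), reports how many entries of each type the store holds, checks that the configured keyAlias really is a private-key entry, and prints the `keytool -importkeystore -srcalias` commands that copy only the trusted certificates into a separate truststore. The warning threshold and the byte estimate for the certificate_authorities list are assumptions chosen for illustration; with clientAuth="want" the server advertises the subject DNs of its accepted issuers in the TLS CertificateRequest, so a large trust set makes that handshake message large, and the estimate here is only an approximation from the printed DN strings, not a DER encoding.

```python
import re
from collections import Counter

# Constructed sample of `keytool -list -v` output: one private key plus three
# trusted certificates. Real output is identical in shape, only longer.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

Alias name: tomcat
Creation date: Dec 18, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=workforce-server, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US

*******************************************
*******************************************


Alias name: partner-ca-1
Creation date: Dec 18, 2015
Entry type: trustedCertEntry

Owner: CN=Partner CA 1, O=Partner One, C=US
Issuer: CN=Partner CA 1, O=Partner One, C=US

*******************************************
*******************************************


Alias name: partner-ca-2
Creation date: Dec 18, 2015
Entry type: trustedCertEntry

Owner: CN=Partner CA 2, O=Partner Two, C=DE
Issuer: CN=Partner CA 2, O=Partner Two, C=DE

*******************************************
*******************************************


Alias name: partner-ca-3
Creation date: Dec 18, 2015
Entry type: trustedCertEntry

Owner: CN=Partner CA 3, O=Partner Three, C=GB
Issuer: CN=Partner CA 3, O=Partner Three, C=GB
"""

# Maximum plaintext size of one TLS record (RFC 5246); used only to put the
# estimate into perspective.
TLS_RECORD_MAX = 16384


def parse_keytool_list(text):
    """Return a list of {alias, type, owner} dicts from `keytool -list -v` text."""
    entries = []
    # Every entry starts with an "Alias name:" line; the first chunk is the header.
    for block in re.split(r"^Alias name: ", text, flags=re.MULTILINE)[1:]:
        alias = block.splitlines()[0].strip()
        kind = re.search(r"^Entry type: (\S+)", block, re.MULTILINE)
        owner = re.search(r"^Owner: (.+)$", block, re.MULTILINE)
        entries.append({
            "alias": alias,
            "type": kind.group(1) if kind else "unknown",
            "owner": owner.group(1).strip() if owner else "",
        })
    return entries


def estimate_ca_list_bytes(entries):
    """Rough size of the CertificateRequest certificate_authorities list:
    each DistinguishedName carries a 2-byte length prefix. String length is used
    in place of the DER encoding, so this is an approximation (assumption)."""
    return sum(len(e["owner"].encode()) + 2
               for e in entries if e["type"] == "trustedCertEntry")


def summarize(entries, key_alias, trust_warn=100):
    """Count entry types and flag the configuration problems a reviewer looks for.
    trust_warn is an illustrative threshold, not a Tomcat or JSSE limit."""
    counts = Counter(e["type"] for e in entries)
    findings = []
    key_entry = next((e for e in entries if e["alias"] == key_alias), None)
    if key_entry is None or key_entry["type"] != "PrivateKeyEntry":
        findings.append(f"keyAlias '{key_alias}' is not a PrivateKeyEntry in this store")
    trusted = counts.get("trustedCertEntry", 0)
    if trusted >= trust_warn:
        findings.append(f"{trusted} trusted certificates share the store with the server key;"
                        " consider a separate truststoreFile")
    est = estimate_ca_list_bytes(entries)
    if est > TLS_RECORD_MAX:
        findings.append(f"advertised CA list ~{est} bytes exceeds one TLS record ({TLS_RECORD_MAX})")
    return {"counts": dict(counts), "trusted": trusted, "ca_list_bytes": est, "findings": findings}


def split_commands(entries, src_store, dst_store):
    """keytool commands that copy only the trusted certificates into dst_store."""
    return [f"keytool -importkeystore -srckeystore {src_store} -destkeystore {dst_store}"
            f" -deststoretype JKS -srcalias {e['alias']}"
            for e in entries if e["type"] == "trustedCertEntry"]


if __name__ == "__main__":
    parsed = parse_keytool_list(SAMPLE_KEYTOOL_OUTPUT)
    report = summarize(parsed, "tomcat", trust_warn=3)
    print(report)
    for cmd in split_commands(parsed, "workforce.keystore", "workforce-trust.jks"):
        print(cmd)
```

To run it against a real store, feed the script the output of `keytool -list -v -keystore workforce.keystore` instead of the constructed sample; the generated commands mirror the keystore/truststore split described in the report, which did not change the outcome there but keeps the private key out of a file that is also distributed as a trust list.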