https://bz.apache.org/bugzilla/show_bug.cgi?id=62794
Bug ID: 62794 Summary: Tomcat request-read fails when using TLSv1.3 with APR connector Product: Tomcat 9 Version: unspecified Hardware: PC OS: Mac OS X 10.1 Status: NEW Severity: normal Priority: P2 Component: Connectors Assignee: dev@tomcat.apache.org Reporter: ch...@christopherschultz.net Target Milestone: ----- When TLSv1.3 is enabled with the APR connector, Tomcat fails with an IOException after the TLS handshake completed but before a request is processed. STR: 0. Use OpenSSL 1.1.1 1. Patch Tomcat and tcnative to support OpenSSL TLSv1.3. Please see bug #62748 for the requisite patches. Note that both Tomcat and tcnative need patches. 2. Configure Tomcat trunk with a connector: <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" maxThreads="150" SSLEnabled="true"> <SSLHostConfig protocols="TLSv1.2+TLSv1.3"> <Certificate certificateKeyFile="conf/localhost.key" certificateFile="conf/localhost.crt" certificateKeyPassword="[...]" type="RSA" /> </SSLHostConfig> </Connector> 3. Start Tomcat 4. Attempt to make a connection: $ openssl s_client -tls1_3 -connect [host]:8443 [handshake succeeds] GET /[CRLF] Result: connection is closed, Tomcat throws an exception: 02-Oct-2018 10:32:10.734 FINE [https-openssl-apr-8443-exec-6] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header java.io.IOException: Unexpected error [53] reading data from the APR/native socket [140,449,444,320,416] with wrapper [org.apache.tomcat.util.net.AprEndpoin t$AprSocketWrapper@3159d159:140449444320416]. at org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper.fillReadBuffer(AprEndpoint.java:2533) at org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper.fillReadBuffer(AprEndpoint.java:2453) at org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper.read(AprEndpoint.java:2436) at org.apache.coyote.http11.Http11InputBuffer.fill(Http11InputBuffer.java:729) at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:352) at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:294) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:770) at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2338) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1135) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.base/java.lang.Thread.run(Thread.java:844) Expected: successful HTTP request/response Running the same s_client command with the -tls1_2 switch works as expected. There is a report in bug #62748 indicating that Google Chrome fails in a similar way and so does Tomcat. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org