Prerequisites:
OS: Windows Server 2012 R2
Java: checked on both jdk1.8.0_162 jdk1.8.0_181
Tomcat: windows x64 builds checked on 9.0.12, 9.0.16, 9.0.17-dev
Valid SSL certificates
Content of file located at webapp/ROOT/1.txt: []
Tomcat's connector settings:
<Connector port="443"
protocol="org.apache.coyote.http11.Http11Nio2Protocol"
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
connectionTimeout="5000"
SSLEnabled="true"
scheme="https"
secure="true"
>
This configuration leads to 50% of the traffic to be rejected with
Connection resets. First socket connects and receives the service, but
every second is resetted.
Exactly this combination leads to connection resets:
protocol="org.apache.coyote.http11.Http11Nio2Protocol"
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
Configurations that work well without connection resets:
protocol="org.apache.coyote.http11.Http11Nio2Protocol"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
or
protocol="org.apache.coyote.http11.Http11NioProtocol"
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
Java code to reproduce the connection resets (works well with any
other secure server):
(there is no resets if a variable named FIX__gotoSleepAfterHandshake = true)
public class CheckConnectionResets{
static String host = "your-test-host";
public static void main( String[] args ) throws
InterruptedException, IOException{
SSLSocketFactory factory =
(SSLSocketFactory)SSLSocketFactory.getDefault();
int nRuns = 4;
int success = 0;
int denial = 0;
boolean FIX__gotoSleepAfterHandshake = false;
for( int i = 0; i < nRuns; i++ ){
try ( SSLSocket socket = (SSLSocket)factory.createSocket(
host, 443 ) ){
if( FIX__gotoSleepAfterHandshake ){
socket.startHandshake();
Thread.sleep( 500 );
}
try ( PrintWriter out = new PrintWriter( new
BufferedWriter( new OutputStreamWriter( socket.getOutputStream() ) )
);
InputStream is = socket.getInputStream(); ){
out.println( "GET /1.txt HTTP/1.1" );
out.println( "Host: " + host );
out.println( "Accept: */*" );
out.println();
out.flush();
if( out.checkError() ){
System.out.println( "SSLSocketClient:
java.io.PrintWriter error" );
}
Instant start = Instant.now();
/* read full response */
byte[] buff = new byte[ 1024 ];
int read = is.read( buff );
success++;
System.out.println( "success: " + success + ",
read " + read + " bytes for: " + start.until( Instant.now(),
ChronoUnit.MILLIS ) + "ms" );
} catch ( IOException e ) {
denial++;
System.err.println( "denial: " + denial + ", " +
e.getMessage() );
}}}}}
Sample output:
success: 1, read 73 bytes for: 78ms
denial: 1, Connection reset
success: 2, read 73 bytes for: 78ms
denial: 2, Connection reset
The bug is stable, and always reproducible.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
