On 13/03/2019 20:30, Igor T wrote:
> Prerequisites:
> OS: Windows Server 2012 R2
> Java: checked on both jdk1.8.0_162 jdk1.8.0_181
> Tomcat: windows x64 builds checked on 9.0.12, 9.0.16, 9.0.17-dev

9.0.17-dev at which point in time?

Have you tested the current 9.0.17 release candidate (see dev@ for details)?

Mark

> Valid SSL certificates
> Content of file located at webapp/ROOT/1.txt: []
> Tomcat's connector settings:
> <Connector port="443"
>     protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>     sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
>     connectionTimeout="5000"
>     SSLEnabled="true"
>     scheme="https"
>     secure="true">
>
> This configuration leads to 50% of the traffic being rejected with
> connection resets. The first socket connects and receives the service, but
> every second one is reset.
>
> Exactly this combination leads to connection resets:
> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
>
> Configurations that work well without connection resets:
> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
> or
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
>
> Java code to reproduce the connection resets (works well with any
> other secure server):
> (there are no resets if the variable named FIX__gotoSleepAfterHandshake = true)
>
> import java.io.BufferedWriter;
> import java.io.IOException;
> import java.io.InputStream;
> import java.io.OutputStreamWriter;
> import java.io.PrintWriter;
> import java.time.Instant;
> import java.time.temporal.ChronoUnit;
> import javax.net.ssl.SSLSocket;
> import javax.net.ssl.SSLSocketFactory;
>
> public class CheckConnectionResets {
>     static String host = "your-test-host";
>
>     public static void main( String[] args ) throws InterruptedException, IOException {
>
>         SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
>         int nRuns = 4;
>         int success = 0;
>         int denial = 0;
>
>         // When true, complete the TLS handshake and pause before sending the request
>         boolean FIX__gotoSleepAfterHandshake = false;
>
>         for( int i = 0; i < nRuns; i++ ){
>             // One new TLS connection per run
>             try ( SSLSocket socket = (SSLSocket) factory.createSocket( host, 443 ) ){
>
>                 if( FIX__gotoSleepAfterHandshake ){
>                     socket.startHandshake();
>                     Thread.sleep( 500 );
>                 }
>                 try ( PrintWriter out = new PrintWriter( new BufferedWriter(
>                           new OutputStreamWriter( socket.getOutputStream() ) ) );
>                       InputStream is = socket.getInputStream(); ){
>
>                     out.println( "GET /1.txt HTTP/1.1" );
>                     out.println( "Host: " + host );
>                     out.println( "Accept: */*" );
>                     out.println();
>                     out.flush();
>
>                     if( out.checkError() ){
>                         System.out.println( "SSLSocketClient: java.io.PrintWriter error" );
>                     }
>
>                     Instant start = Instant.now();
>                     /* read the response (a single read of up to 1024 bytes) */
>                     byte[] buff = new byte[ 1024 ];
>                     int read = is.read( buff );
>                     success++;
>                     System.out.println( "success: " + success + ", read " + read
>                         + " bytes for: " + start.until( Instant.now(), ChronoUnit.MILLIS ) + "ms" );
>
>                 } catch ( IOException e ) {
>                     // A connection reset surfaces here as an IOException
>                     denial++;
>                     System.err.println( "denial: " + denial + ", " + e.getMessage() );
>                 }
>             }
>         }
>     }
> }
>
> Sample output:
> success: 1, read 73 bytes for: 78ms
> denial: 1, Connection reset
> success: 2, read 73 bytes for: 78ms
> denial: 2, Connection reset
>
> The bug is stable, and always reproducible.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org