I'm testing to see if this might be an issue on a new tomcat 8.5.38 upgrade
I'm doing (using NIO2 and OpenSSL) before I promote this to our Production
environment :)
(Windows Server 2008R2, Java (javaC.exe) version is 1.8.0_191)
.. after some missteps (had to add some imports to get it to compile, and
use the -Djavax.net.ssl.trustStore, ... .trustStoreType,
..trustStorePassword args when running...
4 successes. no connection resets.
import javax.net.ss.SSLSocket;
import javax.net.ss.SSLSocketFactory
import java.io.*;
import java.time.*;
import java.time.temporal.ChronoUnit;
On Wed, Mar 13, 2019 at 3:29 PM Igor T <igor.tymoshc...@gmail.com> wrote:
> Prerequisites:
> OS: Windows Server 2012 R2
> Java: checked on both jdk1.8.0_162 jdk1.8.0_181
> Tomcat: windows x64 builds checked on 9.0.12, 9.0.16, 9.0.17-dev
> Valid SSL certificates
> Content of file located at webapp/ROOT/1.txt: []
> Tomcat's connector settings:
> <Connector port="443"
>
> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>
> sslImplementationName="org.apache.tomcat.util.net
> .openssl.OpenSSLImplementation"
> connectionTimeout="5000"
> SSLEnabled="true"
> scheme="https"
> secure="true"
> >
>
> This configuration leads to 50% of the traffic to be rejected with
> Connection resets. First socket connects and receives the service, but
> every second is resetted.
>
> Exactly this combination leads to connection resets:
> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> sslImplementationName="org.apache.tomcat.util.net
> .openssl.OpenSSLImplementation"
>
> Configurations that work well without connection resets:
> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>
> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
> or
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> sslImplementationName="org.apache.tomcat.util.net
> .openssl.OpenSSLImplementation"
>
> Java code to reproduce the connection resets (works well with any
> other secure server):
> (there is no resets if a variable named FIX__gotoSleepAfterHandshake =
> true)
>
> public class CheckConnectionResets{
> static String host = "your-test-host";
>
> public static void main( String[] args ) throws
> InterruptedException, IOException{
>
> SSLSocketFactory factory =
> (SSLSocketFactory)SSLSocketFactory.getDefault();
> int nRuns = 4;
> int success = 0;
> int denial = 0;
>
> boolean FIX__gotoSleepAfterHandshake = false;
>
> for( int i = 0; i < nRuns; i++ ){
> try ( SSLSocket socket = (SSLSocket)factory.createSocket(
> host, 443 ) ){
>
> if( FIX__gotoSleepAfterHandshake ){
> socket.startHandshake();
> Thread.sleep( 500 );
> }
> try ( PrintWriter out = new PrintWriter( new
> BufferedWriter( new OutputStreamWriter( socket.getOutputStream() ) )
> );
> InputStream is = socket.getInputStream(); ){
>
> out.println( "GET /1.txt HTTP/1.1" );
> out.println( "Host: " + host );
> out.println( "Accept: */*" );
> out.println();
> out.flush();
>
> if( out.checkError() ){
> System.out.println( "SSLSocketClient:
> java.io.PrintWriter error" );
> }
>
> Instant start = Instant.now();
> /* read full response */
> byte[] buff = new byte[ 1024 ];
> int read = is.read( buff );
> success++;
> System.out.println( "success: " + success + ",
> read " + read + " bytes for: " + start.until( Instant.now(),
> ChronoUnit.MILLIS ) + "ms" );
>
> } catch ( IOException e ) {
> denial++;
> System.err.println( "denial: " + denial + ", " +
> e.getMessage() );
> }}}}}
>
> Sample output:
> success: 1, read 73 bytes for: 78ms
> denial: 1, Connection reset
> success: 2, read 73 bytes for: 78ms
> denial: 2, Connection reset
>
> The bug is stable, and always reproducible.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
