On Wed, Mar 13, 2019 at 10:21 PM Mark Thomas <ma...@apache.org> wrote:
> On 13/03/2019 20:30, Igor T wrote: > > Prerequisites: > > OS: Windows Server 2012 R2 > > Java: checked on both jdk1.8.0_162 jdk1.8.0_181 > > Tomcat: windows x64 builds checked on 9.0.12, 9.0.16, 9.0.17-dev > > 9.0.17-dev at which point in time? > Since 9.0.12 and 16 do the same, I wouldn't look at that at all. Something simple like this works in the general case, there must be something specific here. So it's Windows, which some unspecified OpenSSL version. Rémy > > Have you tested the current 9.0.17 release candidate (see dev@ for > details) > > Mark > > > > > Valid SSL certificates > > Content of file located at webapp/ROOT/1.txt: [] > > Tomcat's connector settings: > > <Connector port="443" > > > protocol="org.apache.coyote.http11.Http11Nio2Protocol" > > > > sslImplementationName="org.apache.tomcat.util.net > .openssl.OpenSSLImplementation" > > connectionTimeout="5000" > > SSLEnabled="true" > > scheme="https" > > secure="true" > > > > > > > This configuration leads to 50% of the traffic to be rejected with > > Connection resets. First socket connects and receives the service, but > > every second is resetted. > > > > Exactly this combination leads to connection resets: > > protocol="org.apache.coyote.http11.Http11Nio2Protocol" > > sslImplementationName="org.apache.tomcat.util.net > .openssl.OpenSSLImplementation" > > > > Configurations that work well without connection resets: > > protocol="org.apache.coyote.http11.Http11Nio2Protocol" > > > sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" > > or > > protocol="org.apache.coyote.http11.Http11NioProtocol" > > sslImplementationName="org.apache.tomcat.util.net > .openssl.OpenSSLImplementation" > > > > Java code to reproduce the connection resets (works well with any > > other secure server): > > (there is no resets if a variable named FIX__gotoSleepAfterHandshake = > true) > > > > public class CheckConnectionResets{ > > static String host = "your-test-host"; > > > > public static void main( String[] args ) throws > > InterruptedException, IOException{ > > > > SSLSocketFactory factory = > > (SSLSocketFactory)SSLSocketFactory.getDefault(); > > int nRuns = 4; > > int success = 0; > > int denial = 0; > > > > boolean FIX__gotoSleepAfterHandshake = false; > > > > for( int i = 0; i < nRuns; i++ ){ > > try ( SSLSocket socket = (SSLSocket)factory.createSocket( > > host, 443 ) ){ > > > > if( FIX__gotoSleepAfterHandshake ){ > > socket.startHandshake(); > > Thread.sleep( 500 ); > > } > > try ( PrintWriter out = new PrintWriter( new > > BufferedWriter( new OutputStreamWriter( socket.getOutputStream() ) ) > > ); > > InputStream is = socket.getInputStream(); ){ > > > > out.println( "GET /1.txt HTTP/1.1" ); > > out.println( "Host: " + host ); > > out.println( "Accept: */*" ); > > out.println(); > > out.flush(); > > > > if( out.checkError() ){ > > System.out.println( "SSLSocketClient: > > java.io.PrintWriter error" ); > > } > > > > Instant start = Instant.now(); > > /* read full response */ > > byte[] buff = new byte[ 1024 ]; > > int read = is.read( buff ); > > success++; > > System.out.println( "success: " + success + ", > > read " + read + " bytes for: " + start.until( Instant.now(), > > ChronoUnit.MILLIS ) + "ms" ); > > > > } catch ( IOException e ) { > > denial++; > > System.err.println( "denial: " + denial + ", " + > > e.getMessage() ); > > }}}}} > > > > Sample output: > > success: 1, read 73 bytes for: 78ms > > denial: 1, Connection reset > > success: 2, read 73 bytes for: 78ms > > denial: 2, Connection reset > > > > The bug is stable, and always reproducible. > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >