On Wed, Mar 13, 2019 at 10:21 PM Mark Thomas <ma...@apache.org> wrote:
> On 13/03/2019 20:30, Igor T wrote:
> > Prerequisites:
> > OS: Windows Server 2012 R2
> > Java: checked on both jdk1.8.0_162 jdk1.8.0_181
> > Tomcat: windows x64 builds checked on 9.0.12, 9.0.16, 9.0.17-dev
>
> 9.0.17-dev at which point in time?
>
Since 9.0.12 and 16 do the same, I wouldn't look at that at all. Something
simple like this works in the general case, there must be something
specific here. So it's Windows, which some unspecified OpenSSL version.
Rémy
>
> Have you tested the current 9.0.17 release candidate (see dev@ for
> details)
>
> Mark
>
>
>
> > Valid SSL certificates
> > Content of file located at webapp/ROOT/1.txt: []
> > Tomcat's connector settings:
> > <Connector port="443"
> >
> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> >
> > sslImplementationName="org.apache.tomcat.util.net
> .openssl.OpenSSLImplementation"
> > connectionTimeout="5000"
> > SSLEnabled="true"
> > scheme="https"
> > secure="true"
> > >
> >
> > This configuration leads to 50% of the traffic to be rejected with
> > Connection resets. First socket connects and receives the service, but
> > every second is resetted.
> >
> > Exactly this combination leads to connection resets:
> > protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> > sslImplementationName="org.apache.tomcat.util.net
> .openssl.OpenSSLImplementation"
> >
> > Configurations that work well without connection resets:
> > protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> >
> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
> > or
> > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > sslImplementationName="org.apache.tomcat.util.net
> .openssl.OpenSSLImplementation"
> >
> > Java code to reproduce the connection resets (works well with any
> > other secure server):
> > (there is no resets if a variable named FIX__gotoSleepAfterHandshake =
> true)
> >
> > public class CheckConnectionResets{
> > static String host = "your-test-host";
> >
> > public static void main( String[] args ) throws
> > InterruptedException, IOException{
> >
> > SSLSocketFactory factory =
> > (SSLSocketFactory)SSLSocketFactory.getDefault();
> > int nRuns = 4;
> > int success = 0;
> > int denial = 0;
> >
> > boolean FIX__gotoSleepAfterHandshake = false;
> >
> > for( int i = 0; i < nRuns; i++ ){
> > try ( SSLSocket socket = (SSLSocket)factory.createSocket(
> > host, 443 ) ){
> >
> > if( FIX__gotoSleepAfterHandshake ){
> > socket.startHandshake();
> > Thread.sleep( 500 );
> > }
> > try ( PrintWriter out = new PrintWriter( new
> > BufferedWriter( new OutputStreamWriter( socket.getOutputStream() ) )
> > );
> > InputStream is = socket.getInputStream(); ){
> >
> > out.println( "GET /1.txt HTTP/1.1" );
> > out.println( "Host: " + host );
> > out.println( "Accept: */*" );
> > out.println();
> > out.flush();
> >
> > if( out.checkError() ){
> > System.out.println( "SSLSocketClient:
> > java.io.PrintWriter error" );
> > }
> >
> > Instant start = Instant.now();
> > /* read full response */
> > byte[] buff = new byte[ 1024 ];
> > int read = is.read( buff );
> > success++;
> > System.out.println( "success: " + success + ",
> > read " + read + " bytes for: " + start.until( Instant.now(),
> > ChronoUnit.MILLIS ) + "ms" );
> >
> > } catch ( IOException e ) {
> > denial++;
> > System.err.println( "denial: " + denial + ", " +
> > e.getMessage() );
> > }}}}}
> >
> > Sample output:
> > success: 1, read 73 bytes for: 78ms
> > denial: 1, Connection reset
> > success: 2, read 73 bytes for: 78ms
> > denial: 2, Connection reset
> >
> > The bug is stable, and always reproducible.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
