Tomcat Version: 9.0.81
OS: Windows Server 2016

We recently patched one of our QA servers to test 9.0.81 and ran into 
performance issues.  Page loads that normally take 1-2 seconds are now taking 
50-60 seconds.  We were finally able to narrow the issue down to the SSL 
connector.  Adding an HTTP connector and bypassing SSL resolves the performance 
issue.  We have also tested rolling back to 9.0.80 with the same configuration 
and verified the issue does not exist.

SSL Connector:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxHttpHeaderSize="8192" SSLEnabled="true"
           maxThreads="150" minSpareThreads="25"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"
           keystoreFile="[pfx keystore file]"
           keystorePass="[password]"
           keystoreType="PKCS12"
           ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"
           compression="on"
           />

Additionally, I tried installing the native library to attempt the 
OpenSSLImplementation.  It exhibits the same behavior:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           maxHttpHeaderSize="8192" SSLEnabled="true"
           maxThreads="150" minSpareThreads="25"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"
           keystoreFile="[pfx keystore file]"
           keystorePass="[password]"
           keystoreType="PKCS12"
           compression="on"
           />

I turned on error logging using:

org.apache.coyote.http11.Http11NioProtocol.level = FINE

I am sporadically seeing these errors:

11-Oct-2023 19:21:04.162 FINE [https-openssl-nio-443-exec-23] org.apache.coyote.AbstractProtocol$ConnectionHandler.process Processing socket [org.apache.tomcat.util.net.SecureNioChannel@25cfb477:java.nio.channels.SocketChannel[connected local=/10.32.68.11:443 remote=/10.32.73.114:52679]] with status [ERROR]

Does anyone have any suggestions on the possible problem, additional logging, 
or configuration changes?  Thanks.

Paul R Zepernick
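A small diagnostic added here (not part of the post above, and not Tomcat's own tooling) that times the TCP connect, the TLS handshake and the time-to-first-byte of one GET separately, so a 50-60 second page load can be attributed to the handshake or to the response path behind it. It assumes a reachable hostname and port passed on the command line; `verify=False` is only for QA hosts with self-signed certificates.

```python
import socket
import ssl
import sys
import time


def build_request(host, path="/"):
    # identity encoding keeps response compression out of the measurement
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Accept-Encoding: identity\r\nConnection: close\r\n\r\n").encode()


def parse_status(first_bytes):
    """HTTP status code from the first response bytes, or None if not HTTP."""
    parts = first_bytes.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None


def tls_probe(host, port=443, path="/", timeout=90.0, verify=True):
    """Time TCP connect, TLS handshake and time-to-first-byte separately."""
    ctx = ssl.create_default_context()
    if not verify:  # self-signed QA certificates; diagnostics only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    t0 = time.perf_counter()
    raw = socket.create_connection((host, port), timeout=timeout)
    t1 = time.perf_counter()
    tls = ctx.wrap_socket(raw, server_hostname=host)  # full handshake here
    t2 = time.perf_counter()
    tls.sendall(build_request(host, path))
    first = tls.recv(4096)
    t3 = time.perf_counter()
    version, cipher = tls.version(), tls.cipher()
    tls.close()
    return {
        "tcp_connect_ms": round((t1 - t0) * 1000, 1),
        "tls_handshake_ms": round((t2 - t1) * 1000, 1),
        "first_byte_ms": round((t3 - t2) * 1000, 1),
        "protocol": version,
        "cipher": cipher[0] if cipher else None,
        "status": parse_status(first),
    }


if __name__ == "__main__":  # usage: python tls_probe.py <host> [port]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(tls_probe(host, port, verify=False))
```

Run it a few times against the 9.0.81 and 9.0.80 hosts: a large tls_handshake_ms isolates the TLS layer (cipher negotiation, keystore handling), while a fast handshake with a large first_byte_ms points at what happens after the session is established, which is what the sporadic ERROR status in the FINE log would otherwise leave ambiguous.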
