Posted to users@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2016/06/05 16:52:57 UTC

Re: TLSv1.2 ALERT: fatal, description = unexpected_message

On 05/06/2016 16:32, Venkata Reddy P wrote:
> Hi,
> 
> I have a setup with Tomcat8.0.33,jre8u91 and with ssl enabled with http connector.
> <Connector SSLEnabled="true" acceptCount="100"
>             address="10.4.20.46" connectionTimeout="-1"
>             disableUploadTimeout="true" enableLookups="false"
>             maxHttpHeaderSize="8192"
>             maxThreads="500" port="50002"
>             protocol="com.poc.tomcat8.SSLHttp11Protocol"
>             scheme="https" secure="true" />
> 
> Most of the application works on ssl without any issues but while downloading JS,CSS files seems to be failing. I can't suspect the ssl implementation.

Why not? We haven't seen any reports from users using the default TLS
implementation. You are using a custom TLS implementation and you are
seeing errors. Absent some VERY strong evidence this is a Tomcat bug,
all the indications are that the bug is in
com.poc.tomcat8.SSLHttp11Protocol

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: TLSv1.2 ALERT: fatal, description = unexpected_message

Posted by Venkata Reddy P <Ve...@trianz.com>.
Does the size of the https request cause any issues?

The IE (hanging while loading a few requests) and Chrome (net::ERR_SSL_PROTOCOL_ERROR) requests work occasionally. What I observed is that sometimes it loads the js, css files from cache and then it works fine. If it tries to download from the server, then it fails to load a few https requests out of 47.

I have tried increasing the size of maxHttpHeaderSize=51200, minSpareThreads=200, compression=on, maxConnections=1000 but no luck.

Are there any other tomcat attributes which can back to load the js (maximum size can be around 60 kb), css (maximum size can be around 40 kb) files without any interruptions?


-----Original Message-----
From: Venkata Reddy P 
Sent: Sunday, June 05, 2016 11:15 PM
To: Tomcat Users List
Subject: RE: TLSv1.2 ALERT: fatal, description = unexpected_message

Thanks Mark for the reply.  I forgot to mention.

My current ssl errors occur only for IE and google chrome browsers.  The same application is working well for Firefox; that's the reason I can't suspect the SSL implementation.

I have also tried with the openssl client and it confirms there is nothing wrong with the ssl implementation. The same ssl implementation has been in use from tomcat4 onwards and the same implementation has been injected as per the tomcat8 connectors.

-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org] 
Sent: 05 June 2016 22:23
To: Tomcat Users List
Subject: Re: TLSv1.2 ALERT: fatal, description = unexpected_message

On 05/06/2016 16:32, Venkata Reddy P wrote:
> Hi,
> 
> I have a setup with Tomcat8.0.33,jre8u91 and with ssl enabled with http connector.
> <Connector SSLEnabled="true" acceptCount="100"
>             address="10.4.20.46" connectionTimeout="-1"
>             disableUploadTimeout="true" enableLookups="false"
>             maxHttpHeaderSize="8192"
>             maxThreads="500" port="50002"
>             protocol="com.poc.tomcat8.SSLHttp11Protocol"
>             scheme="https" secure="true" />
> 
> Most of the application works on ssl without any issues but while downloading JS,CSS files seems to be failing. I can't suspect the ssl implementation.

Why not? We haven't seen any reports from users using the default TLS implementation. You are using a custom TLS implementation and you are seeing errors. Absent some VERY strong evidence this is a Tomcat bug, all the indications are that the bug is in com.poc.tomcat8.SSLHttp11Protocol

Mark




RE: TLSv1.2 ALERT: fatal, description = unexpected_message

Posted by Venkata Reddy P <Ve...@trianz.com>.
Hi,

When I access my website with ssl enabled, I am getting the following errors. In my server.xml connectionTimeout=-1, and it is using the TLSv1.2 protocol.
Why am I getting readTimeout, and what are the possible reasons?

 [Jun 16 2016:06:42:08 PDT] DEBUG http-bio-10.4.20.46-50002-exec-22 com.poc.GaHttp11Protocol - Socket: [org.apache.tomcat.util.net.SocketWrapper@33da3058:452a7c62[TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/10.4.20.46,port=49787,localport=50002]]], Status in: [OPEN_READ], State out: [CLOSED]
 [Jun 16 2016:06:42:08 PDT] DEBUG http-bio-10.4.20.46-50002-exec-23 com.poc.GaHttp11Protocol - Socket: [org.apache.tomcat.util.net.SocketWrapper@3cde4600:3ab71c6f[TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: Socket[addr=/10.4.20.46,port=49788,localport=50002]]], Status in: [OPEN_READ], State out: [CLOSED]
 [Jun 16 2016:06:42:09 PDT] DEBUG http-bio-10.4.20.46-50002-exec-24 org.apache.coyote.http11.Http11Processor - Error parsing HTTP request header
 java.io.EOFException: Unexpected EOF read on the socket
        at org.apache.coyote.http11.Http11Processor.setRequestLineReadTimeout(Http11Processor.java:156)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1007)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:277)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)

[Jun 16 2016:06:42:15 PDT] DEBUG http-bio-10.4.20.46-50002-exec-33 org.apache.coyote.http11.Http11Processor - Error parsing HTTP request header
 java.net.SocketException: Software caused connection abort: recv failed
        at java.net.SocketInputStream.socketRead0(Native Method)
        at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
        at java.net.SocketInputStream.read(SocketInputStream.java:170)
        at java.net.SocketInputStream.read(SocketInputStream.java:141)
        at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
        at sun.security.ssl.InputRecord.read(InputRecord.java:503)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
        at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:930)
        at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
        at org.apache.coyote.http11.InternalInputBuffer.fill(InternalInputBuffer.java:529)
        at org.apache.coyote.http11.Http11Processor.setRequestLineReadTimeout(Http11Processor.java:155)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1007)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:279)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)

Thanks
Venkata
-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: 07 June 2016 00:36
To: Tomcat Users List
Subject: Re: TLSv1.2 ALERT: fatal, description = unexpected_message

Venkata,

On 6/5/16 1:45 PM, Venkata Reddy P wrote:
> My current ssl errors are getting only for IE and google chrome
> browsers.  The same application is working well for the Firefox that's
> the reason can't suspect the SSL implementation.

I disagree with your assumption here that Firefox and MSIE/Chrome all work the same way when it comes to TLS. Perhaps MSIE/Chrome use a particular TLS extension that Firefox does not. Perhaps there is a cipher suite in the list from MSIE/Chrome that is not in Firefox (or vice-versa).

> I have also tried with OpenSSL client and confirms the nothing wrong
> with ssl implementation. The same ssl implementation have been using
> from tomcat4 onwards and the same implementation has been injected as
> per the tomcat8 connectors.

Lots of changes have occurred within the Tomcat Connector code between Tomcat 4 and Tomcat 8. The same implementation can not be successfully re-used across those versions.

Perhaps if you shared some of the code, we could help debug it. If not, you will have to debug your own code by yourself.

-chris

> -----Original Message----- From: Mark Thomas [mailto:markt@apache.org]
> Sent: 05 June 2016 22:23 To: Tomcat Users List Subject: Re: TLSv1.2
> ALERT: fatal, description = unexpected_message
>
> On 05/06/2016 16:32, Venkata Reddy P wrote:
>> Hi,
>>
>> I have a setup with Tomcat8.0.33,jre8u91 and with ssl enabled with
>> http connector. <Connector SSLEnabled="true"
>> acceptCount="100" address="10.4.20.46" connectionTimeout="-1"
>> disableUploadTimeout="true" enableLookups="false"
>> maxHttpHeaderSize="8192" maxThreads="500" port="50002"
>> protocol="com.poc.tomcat8.SSLHttp11Protocol" scheme="https"
>> secure="true" />
>>
>> Most of the application works on ssl without any issues but while
>> downloading JS,CSS files seems to be failing. I can't suspect the ssl
>> implementation.
>
> Why not? We haven't seen any reports from users using the default TLS
> implementation. You are using a custom TLS implementation and you are
> seeing errors. Absent some VERY strong evidence this is a Tomcat bug,
> all the indications are that the bug is in
> com.poc.tomcat8.SSLHttp11Protocol
>
> Mark
>
>



Re: TLSv1.2 ALERT: fatal, description = unexpected_message

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Venkata,

On 6/5/16 1:45 PM, Venkata Reddy P wrote:
> My current ssl errors are getting only for IE and google chrome 
> browsers.  The same application is working well for the Firefox 
> that's the reason can't suspect the SSL implementation.

I disagree with your assumption here that Firefox and MSIE/Chrome all
work the same way when it comes to TLS. Perhaps MSIE/Chrome use a
particular TLS extension that Firefox does not. Perhaps there is a
cipher suite in the list from MSIE/Chrome that is not in Firefox (or
vice-versa).

> I have also tried with OpenSSL client and confirms the nothing
> wrong with ssl implementation. The same ssl implementation have been
> using from tomcat4 onwards and the same implementation has been
> injected as per the tomcat8 connectors.

Lots of changes have occurred within the Tomcat Connector code between
Tomcat 4 and Tomcat 8. The same implementation can not be successfully
re-used across those versions.

Perhaps if you shared some of the code, we could help debug it. If
not, you will have to debug your own code by yourself.

-chris

> -----Original Message----- From: Mark Thomas
> [mailto:markt@apache.org] Sent: 05 June 2016 22:23 To: Tomcat Users
> List Subject: Re: TLSv1.2 ALERT: fatal, description =
> unexpected_message
> 
> On 05/06/2016 16:32, Venkata Reddy P wrote:
>> Hi,
>> 
>> I have a setup with Tomcat8.0.33,jre8u91 and with ssl enabled
>> with http connector. <Connector SSLEnabled="true"
>> acceptCount="100" address="10.4.20.46" connectionTimeout="-1" 
>> disableUploadTimeout="true" enableLookups="false" 
>> maxHttpHeaderSize="8192" maxThreads="500" port="50002" 
>> protocol="com.poc.tomcat8.SSLHttp11Protocol" scheme="https"
>> secure="true" />
>> 
>> Most of the application works on ssl without any issues but while
>> downloading JS,CSS files seems to be failing. I can't suspect the
>> ssl implementation.
> 
> Why not? We haven't seen any reports from users using the default
> TLS implementation. You are using a custom TLS implementation and
> you are seeing errors. Absent some VERY strong evidence this is a
> Tomcat bug, all the indications are that the bug is in
> com.poc.tomcat8.SSLHttp11Protocol
> 
> Mark
> 
> 
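The point made in the reply above, that browsers can offer different cipher suites and TLS extensions, can be checked by decoding each client's ClientHello from a packet capture and diffing the offers. The following is an added example, not code from the thread or from Tomcat; the function names are illustrative and the two ClientHello records are constructed sample bytes, not captures from any real browser.

```python
import struct

def parse_client_hello(record: bytes) -> dict:
    """Decode cipher suites and extension types from a ClientHello.
    Assumes the whole ClientHello fits in one TLS record."""
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    if ctype != 22 or len(body) != rlen or body[:1] != b"\x01":
        raise ValueError("not a complete ClientHello handshake record")
    msg = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                      # skip client_version and random
    pos += 1 + msg[pos]               # skip session_id
    n = int.from_bytes(msg[pos:pos + 2], "big")
    pos += 2
    suites = [int.from_bytes(msg[i:i + 2], "big") for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + msg[pos]               # skip compression_methods
    exts = []
    if pos < len(msg):                # the extensions block is optional
        end = pos + 2 + int.from_bytes(msg[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", msg[pos:pos + 4])
            exts.append(etype)
            pos += 4 + elen
    return {"suites": suites, "extensions": exts}

def diff_offers(a: dict, b: dict) -> dict:
    """Return the suites and extensions that client a offers and client b does not."""
    return {k: sorted(set(a[k]) - set(b[k])) for k in ("suites", "extensions")}

def build_hello(suites, exts) -> bytes:
    """Build a minimal ClientHello record (constructed test input, not a capture)."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    ex = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    msg = (b"\x03\x03" + bytes(32) + b"\x00" + len(cs).to_bytes(2, "big") + cs
           + b"\x01\x00" + len(ex).to_bytes(2, "big") + ex)
    hs = b"\x01" + len(msg).to_bytes(3, "big") + msg
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

# Constructed offers standing in for a failing client (A) and a working one (B).
# 0xC02F = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0xC013 = ..._AES_128_CBC_SHA,
# 0xC028 = ..._AES_256_CBC_SHA384; extensions: 0xFF01 renegotiation_info,
# 0x0017 extended_master_secret, 0x000B ec_point_formats.
CLIENT_A = build_hello([0xC02F, 0xC013, 0xC028],
                       [(0xFF01, b"\x00"), (0x0017, b""), (0x000B, b"\x01\x00")])
CLIENT_B = build_hello([0xC02F, 0xC013], [(0xFF01, b"\x00"), (0x000B, b"\x01\x00")])

if __name__ == "__main__":
    print(diff_offers(parse_client_hello(CLIENT_A), parse_client_hello(CLIENT_B)))
```

Anything that only the failing client offers is a candidate for what the custom protocol handler mishandles, and can be tested by disabling that suite or extension on the client side.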


RE: TLSv1.2 ALERT: fatal, description = unexpected_message

Posted by Venkata Reddy P <Ve...@trianz.com>.
Thanks Mark for the reply.  I forgot to mention.

My current ssl errors occur only for IE and google chrome browsers.  The same application is working well for Firefox; that's the reason I can't suspect the SSL implementation.

I have also tried with the openssl client and it confirms there is nothing wrong with the ssl implementation. The same ssl implementation has been in use from tomcat4 onwards and the same implementation has been injected as per the tomcat8 connectors.

-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org] 
Sent: 05 June 2016 22:23
To: Tomcat Users List
Subject: Re: TLSv1.2 ALERT: fatal, description = unexpected_message

On 05/06/2016 16:32, Venkata Reddy P wrote:
> Hi,
> 
> I have a setup with Tomcat8.0.33,jre8u91 and with ssl enabled with http connector.
> <Connector SSLEnabled="true" acceptCount="100"
>             address="10.4.20.46" connectionTimeout="-1"
>             disableUploadTimeout="true" enableLookups="false"
>             maxHttpHeaderSize="8192"
>             maxThreads="500" port="50002"
>             protocol="com.poc.tomcat8.SSLHttp11Protocol"
>             scheme="https" secure="true" />
> 
> Most of the application works on ssl without any issues but while downloading JS,CSS files seems to be failing. I can't suspect the ssl implementation.

Why not? We haven't seen any reports from users using the default TLS implementation. You are using a custom TLS implementation and you are seeing errors. Absent some VERY strong evidence this is a Tomcat bug, all the indications are that the bug is in com.poc.tomcat8.SSLHttp11Protocol

Mark

