You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@hc.apache.org by "Chris Ridd (Jira)" <ji...@apache.org> on 2021/09/09 11:06:00 UTC

[jira] [Updated] (HTTPCORE-685) I/O dispatch threads spin after lots of TLSv1.3 connections

     [ https://issues.apache.org/jira/browse/HTTPCORE-685?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris Ridd updated HTTPCORE-685:
--------------------------------
    Environment: java-11-openjdk-11.0.12.0.7-0.el8_4.x86_64 (11.0.2.12+7-LTS on Centos 8).  (was: java-11-openjdk-11.0.12.0.7-0.el8_4.x86_64 (11.0.2.12+7-LTS).)

> I/O dispatch threads spin after lots of TLSv1.3 connections
> -----------------------------------------------------------
>
>                 Key: HTTPCORE-685
>                 URL: https://issues.apache.org/jira/browse/HTTPCORE-685
>             Project: HttpComponents HttpCore
>          Issue Type: Bug
>          Components: HttpCore NIO
>    Affects Versions: 4.4.13, 4.4.14
>         Environment: java-11-openjdk-11.0.12.0.7-0.el8_4.x86_64 (11.0.2.12+7-LTS on Centos 8).
>            Reporter: Chris Ridd
>            Priority: Major
>         Attachments: AsyncExample.java, SyncExample.java
>
>
> When I run a Qualys VMDR scan against your example {{NHttpFileServer}} server, which is adjusted to only allow TLSv1.3, I see the two I/O-dispatch threads spinning, and a number of sockets (~20) never closing.
> The adjusted example code is attached:  [^AsyncExample.java] 
> The I/O dispatch threads are consistently inside {{SSLIOSession.doHandshake()}} and handshaking is {{true}} and HandshakeStatus is {{NOT_HANDSHAKING}}. The threads seem to enter this code for every "bad" connection, and then repeat it all over again making no progress and keeping the sockets open.
> As far as I see - the Qualys tests are sadly not open source - Qualys is just doing ~ 2000 HTTPS GET requests with different paths, apparently looking for known insecure applications. It is unclear what's special about the failing connections.
> If I run the [^SyncExample.java] server instead, the scan completes successfully.
> If you can suggest any instrumentation that will gain some insights on this problem, I will be happy to assist.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org