You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Daniel Kulp (JIRA)" <ji...@apache.org> on 2009/10/29 02:37:00 UTC
[jira] Resolved: (CXF-1222) Some TLS ciphersuite configurations
result in 100% CPU utilization
[ https://issues.apache.org/jira/browse/CXF-1222?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Kulp resolved CXF-1222.
------------------------------
Resolution: Invalid
Fix Version/s: Invalid
This is really a bug in the JDK/JSSE libraries. The setting we are using should be valid. Nothing we can do about it in CXF.
> Some TLS ciphersuite configurations result in 100% CPU utilization
> ------------------------------------------------------------------
>
> Key: CXF-1222
> URL: https://issues.apache.org/jira/browse/CXF-1222
> Project: CXF
> Issue Type: Bug
> Components: Transports
> Affects Versions: 2.0.3
> Reporter: Fred Dushin
> Fix For: Invalid
>
>
> By setting the ciphersuite filter to just exclude DH Anon cipher suites, e.g.,
> {{{
> <csec:cipherSuitesFilter>
> <!-- <csec:include>.*</csec:include> -->
> <csec:exclude>.*_DH_anon_.*</csec:exclude>
> </csec:cipherSuitesFilter>
> }}}
> a CXF server will spin its wheels in com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites:
> {{{
> [java] "btpool0-0 - Acceptor0 CXFJettySslSocketConnector@0.0.0.0:9001" prio=5 tid=0x00537320 nid=0x1b96400 runnable [0xb0d0a000..0xb0d0ad10]
> [java] at com.sun.net.ssl.internal.ssl.OutputRecord.<init>(OutputRecord.java:56)
> [java] at com.sun.net.ssl.internal.ssl.OutputRecord.<init>(OutputRecord.java:66)
> [java] at com.sun.net.ssl.internal.ssl.HandshakeOutStream.<init>(HandshakeOutStream.java:36)
> [java] at com.sun.net.ssl.internal.ssl.Handshaker.setEnabledProtocols(Handshaker.java:281)
> [java] at com.sun.net.ssl.internal.ssl.Handshaker.init(Handshaker.java:131)
> [java] at com.sun.net.ssl.internal.ssl.Handshaker.<init>(Handshaker.java:102)
> [java] at com.sun.net.ssl.internal.ssl.ServerHandshaker.<init>(ServerHandshaker.java:73)
> [java] at com.sun.net.ssl.internal.ssl.SSLSocketImpl.initHandshaker(SSLSocketImpl.java:981)
> [java] at com.sun.net.ssl.internal.ssl.SSLSocketImpl.getServerHandshaker(SSLSocketImpl.java:929)
> [java] at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:288)
> [java] - locked <0x26dbc988> (a com.sun.net.ssl.internal.ssl.SSLServerSocketImpl)
> [java] at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:253)
> [java] at org.mortbay.jetty.security.SslSocketConnector.accept(SslSocketConnector.java:169)
> [java] at org.mortbay.jetty.AbstractConnector$Acceptor.run(AbstractConnector.java:514)
> [java] at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)
> }}}
> {{{
> PID COMMAND %CPU TIME #TH #PRTS #MREGS RPRVT RSHRD RSIZE VSIZE
> 8463 top 15.4% 0:02.89 1 18 20 640K 380K 1.10M 27.0M
> 8462 java 103.0% 1:12.61 12 886 521 60.4M- 82.0M 76.6M- 327M-
> }}}
> This appears to be due to the way in which we initialize cipher suites in the CxfJettySslSocketConnector, and we should revisit this to defend against this sort of thing from happening.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.