Posted to dev@tomcat.apache.org by bu...@apache.org on 2019/07/18 05:23:55 UTC

[Bug 63571] New: The SSL sessionCacheSize config overwrites javax.net.ssl.sessionCacheSize

https://bz.apache.org/bugzilla/show_bug.cgi?id=63571

            Bug ID: 63571
           Summary: The SSL sessionCacheSize config overwrites
                    javax.net.ssl.sessionCacheSize
           Product: Tomcat 9
           Version: 9.0.x
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: yoroto@gmail.com
  Target Milestone: -----

In JDK bug https://bugs.openjdk.java.net/browse/JDK-8213577 , it is clearly
mentioned that setting the SSL session cache size to indefinite is dangerous
and could cause a serious memory leak issue. I have seen a couple of cases in my
company. The fix updated the default value from 0 (indefinite) to 20480.
This has also been backported to JDK 8:
https://bugs.openjdk.java.net/browse/JDK-8213577 .

However, the default value in Tomcat is still 0. Also, when it sets the value,
it does not consider whether a different value has been set in the JDK for
JSSE. The JDK allows users to use the system property javax.net.ssl.sessionCacheSize
to set it as well. At the moment, Tomcat would overwrite both the JDK default
value and also javax.net.ssl.sessionCacheSize. This basically reverses the fix
in the JDK.

There could be a couple of ways to fix this. I would suggest:
 - change the default value in Tomcat for sessionCacheSize to 20480, which is
the same as the JDK fix.
 - unless the Tomcat user explicitly sets sessionCacheSize to a different value,
it should not try to call SSLSessionContext.setSessionCacheSize to change it,
since it could overwrite the configuration the user set via
javax.net.ssl.sessionCacheSize.

Tomcat 7 and 8 have the same issue.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 63571] The SSL sessionCacheSize config overwrites javax.net.ssl.sessionCacheSize


--- Comment #5 from Letu Yang <yo...@gmail.com> ---
Mark,

After the JDK fix https://bugs.openjdk.java.net/browse/JDK-8213577 which
changed the default value to 20480, if Tomcat does not explicitly set it to 0,
the default value won't be unlimited any more. 

Also, as specified in the JDK bug, it might not be a good idea to set it to
unlimited.



[Bug 63571] The SSL sessionCacheSize config overwrites javax.net.ssl.sessionCacheSize


Remy Maucherat <re...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|9.0.x                       |trunk
          Component|Connectors                  |Connectors
            Product|Tomcat 9                    |Tomcat 7
   Target Milestone|-----                       |---



[Bug 63571] The SSL sessionCacheSize config overwrites javax.net.ssl.sessionCacheSize


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #4 from Mark Thomas <ma...@apache.org> ---
Things aren't quite so clear cut.

The docs for 9.0.x & 8.5.x state that 0 means unlimited but values of 0 are
ignored (for session timeout as well).

I propose to align all current Tomcat versions on the following behaviour:

<0 - use implementation default
 0 - implementation defined behaviour for 0 (usually unlimited)
>0 - implementation defined behaviour for >0

This will apply to:
- sessionCacheSize
- sessionTimeout

This is slightly different to other similar values but the JSSE API does not
provide a "disable" option.

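Added example, not code from the bug report or from Tomcat itself: a small Java
program that shows the two things discussed above, the override the reporter
describes in the opening message (an unconditional
SSLSessionContext.setSessionCacheSize(0) discards the limit the JDK seeded from
-Djavax.net.ssl.sessionCacheSize) and the three-way policy Mark proposes in
comment #4 (<0 leave the implementation default, 0 hand 0 to the
implementation, >0 explicit cap). The class name and the helper
applyConfiguredCacheSize are assumptions made for illustration; SSLContext,
SSLSessionContext and the javax.net.ssl.sessionCacheSize property are the
standard JSSE ones.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSessionContext;

/**
 * Added demo (not Tomcat code). Shows how the server-side JSSE session cache
 * limit is seeded from -Djavax.net.ssl.sessionCacheSize and how handing it a
 * configured value of 0 turns that limit into "unlimited".
 *
 * Run, for example:
 *   java -Djavax.net.ssl.sessionCacheSize=1000 SessionCacheSizeDemo        (nothing configured)
 *   java -Djavax.net.ssl.sessionCacheSize=1000 SessionCacheSizeDemo 0      (configured 0)
 *   java -Djavax.net.ssl.sessionCacheSize=1000 SessionCacheSizeDemo 5000   (configured cap)
 */
public class SessionCacheSizeDemo {

    /**
     * Hypothetical helper implementing the policy proposed in comment #4:
     *   configured <  0 : leave the JSSE implementation default untouched
     *   configured == 0 : pass 0 to the implementation (SunJSSE: no limit)
     *   configured >  0 : explicit cap
     * Returns the limit the context reports afterwards.
     */
    static int applyConfiguredCacheSize(SSLSessionContext ctx, int configured) {
        if (configured >= 0) {
            ctx.setSessionCacheSize(configured);
        }
        return ctx.getSessionCacheSize();
    }

    public static void main(String[] args) throws Exception {
        // Models the connector attribute as an operator would write it; -1 means "not set".
        int configured = args.length > 0 ? Integer.parseInt(args[0]) : -1;

        // Default key/trust managers and RNG; enough to obtain the session contexts.
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, null, null);
        SSLSessionContext server = sslContext.getServerSessionContext();

        String prop = System.getProperty("javax.net.ssl.sessionCacheSize");
        System.out.println("javax.net.ssl.sessionCacheSize = " + (prop == null ? "(unset)" : prop));
        System.out.println("JSSE limit before any Tomcat-style configuration: "
                + server.getSessionCacheSize());

        int effective = applyConfiguredCacheSize(server, configured);
        System.out.println("configured sessionCacheSize = " + configured
                + " -> effective limit " + effective
                + (effective == 0 ? " (0 = no limit; the growth JDK-8213577 warns about)" : ""));
    }
}
```

With the property set to 1000 and no argument, the second line reports 1000
and the helper leaves it alone; with 0 as the argument the effective limit
becomes 0, which is exactly the reporter's complaint when the call is made
unconditionally. In server.xml the corresponding attribute is sessionCacheSize
on SSLHostConfig (8.5.x/9.0.x) or on the Connector element (7.0.x).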


[Bug 63571] The SSL sessionCacheSize config overwrites javax.net.ssl.sessionCacheSize


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #6 from Mark Thomas <ma...@apache.org> ---
Fixed in:
- master for 9.0.23 onwards
- 8.5.x for 8.5.44 onwards
- 7.0.x for 7.0.97 onwards

For 9.0.x/8.5.x the fix was to permit configuration of unlimited values. The
documentation was updated to make clear this is not recommended. Defaults
remained unchanged.

For 7.0.x the fix was to switch to using the JSSE implementation provided value
by default for session cache size.

The behaviour of all three versions is now aligned, with the exception that
APR/native does not expose these options in 7.0.x.



[Bug 63571] The SSL sessionCacheSize config overwrites javax.net.ssl.sessionCacheSize


--- Comment #2 from Letu Yang <yo...@gmail.com> ---
Hi Christopher,

Thank you for the reply! I should have raised this against Tomcat 7... Please
feel free to close it.

https://github.com/apache/tomcat/blob/7.0.x/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java#L624



[Bug 63571] The SSL sessionCacheSize config overwrites javax.net.ssl.sessionCacheSize


--- Comment #3 from Letu Yang <yo...@gmail.com> ---
Or shall we fix it in Tomcat 7 as well, making it consistent with 8 and 9?

https://github.com/apache/tomcat/blob/7.0.x/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java#L638



[Bug 63571] The SSL sessionCacheSize config overwrites javax.net.ssl.sessionCacheSize


Christopher Schultz <ch...@christopherschultz.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #1 from Christopher Schultz <ch...@christopherschultz.net> ---
In Tomcat 9, the call to SSLSessionContext.setSessionCacheSize is not made
unless the session cache size is > 0 [1]. Since the default is zero, Tomcat
should already be behaving as you describe.

Is it possible that this value is being overwritten in some other way?

[1]
https://github.com/apache/tomcat/blob/master/java/org/apache/tomcat/util/net/SSLUtilBase.java#L260
