You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2018/10/02 14:39:33 UTC
[Bug 62794] New: Tomcat request-read fails when using TLSv1.3 with
APR connector
https://bz.apache.org/bugzilla/show_bug.cgi?id=62794
Bug ID: 62794
Summary: Tomcat request-read fails when using TLSv1.3 with APR
connector
Product: Tomcat 9
Version: unspecified
Hardware: PC
OS: Mac OS X 10.1
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: chris@christopherschultz.net
Target Milestone: -----
When TLSv1.3 is enabled with the APR connector, Tomcat fails with an
IOException after the TLS handshake completed but before a request is
processed.
STR:
0. Use OpenSSL 1.1.1
1. Patch Tomcat and tcnative to support OpenSSL TLSv1.3. Please see bug #62748
for the requisite patches. Note that both Tomcat and tcnative need patches.
2. Configure Tomcat trunk with a connector:
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig protocols="TLSv1.2+TLSv1.3">
<Certificate certificateKeyFile="conf/localhost.key"
certificateFile="conf/localhost.crt"
certificateKeyPassword="[...]"
type="RSA" />
</SSLHostConfig>
</Connector>
3. Start Tomcat
4. Attempt to make a connection:
$ openssl s_client -tls1_3 -connect [host]:8443
[handshake succeeds]
GET /[CRLF]
Result: connection is closed, Tomcat throws an exception:
02-Oct-2018 10:32:10.734 FINE [https-openssl-apr-8443-exec-6]
org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request
header
java.io.IOException: Unexpected error [53] reading data from the APR/native
socket [140,449,444,320,416] with wrapper
[org.apache.tomcat.util.net.AprEndpoin
t$AprSocketWrapper@3159d159:140449444320416].
at
org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper.fillReadBuffer(AprEndpoint.java:2533)
at
org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper.fillReadBuffer(AprEndpoint.java:2453)
at
org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper.read(AprEndpoint.java:2436)
at
org.apache.coyote.http11.Http11InputBuffer.fill(Http11InputBuffer.java:729)
at
org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:352)
at
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:294)
at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:770)
at
org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2338)
at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1135)
at
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:844)
Expected: successful HTTP request/response
Running the same s_client command with the -tls1_2 switch works as expected.
There is a report in bug #62748 indicating that Google Chrome fails in a
similar way and so does Tomcat.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: [Bug 62794] Tomcat request-read fails when using TLSv1.3 with APR
connector
Posted by Mark Thomas <ma...@apache.org>.
On 09/10/18 18:25, bugzilla@apache.org wrote:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=62794
>
> Mark Thomas <ma...@apache.org> changed:
>
> What |Removed |Added
> ----------------------------------------------------------------------------
> Status|NEW |RESOLVED
> Resolution|--- |DUPLICATE
>
> --- Comment #2 from Mark Thomas <ma...@apache.org> ---
> Fixed in trunk for 1.2.18 onwards.
>
> *** This bug has been marked as a duplicate of bug 62748 ***
I've just realised this means we are going to need to a Tomcat Native
1.2.18 release before the next round of Tomcat releases to pick up TLS
1.3 support.
My plan is to look at CLIENT-CERT support and then tag and release.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 62794] Tomcat request-read fails when using TLSv1.3 with APR
connector
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62794
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |DUPLICATE
--- Comment #2 from Mark Thomas <ma...@apache.org> ---
Fixed in trunk for 1.2.18 onwards.
*** This bug has been marked as a duplicate of bug 62748 ***
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 62794] Tomcat request-read fails when using TLSv1.3 with APR
connector
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62794
--- Comment #3 from redball12345671211 <re...@gmail.com> ---
The information you shared is very helpful to us.
http://hotmailentrarno.com/
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 62794] Tomcat request-read fails when using TLSv1.3 with APR
connector
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62794
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
I have found the problem. It is related to how Tomcat Native tracks the
renegotiation status and that TLS 1.3 doesn't use renegotiation. I have a
working fix. I am currently reviewing the overall patch and should have
something ready to commit later today.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org