Posted to dev@tomcat.apache.org by bu...@apache.org on 2015/12/16 07:46:35 UTC

[Bug 58741] New: Large number of public certificates in keystore causes handshake timeout with Http11Nio2Protocol

https://bz.apache.org/bugzilla/show_bug.cgi?id=58741

            Bug ID: 58741
           Summary: Large number of public certificates in keystore causes
                    handshake timeout with Http11Nio2Protocol
           Product: Tomcat 8
           Version: 8.0.24
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: sislam@workforcesoftware.com

The SSL handshake seems to be timing out with Http11Nio2Protocol and a large
number of entries in the keystore.

I have a connector definition something like the one below in server.xml.

    <Connector port="10443"
               protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               maxHttpHeaderSize="4096"
               maxThreads="1050" minSpareThreads="25"
               maxKeepAliveRequests="-1" keepAliveTimeout="180000"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="10" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="want" sslProtocol="TLSv1.2"
               sslEnabledProtocols="TLSv1.2,TLSv1"
               connectionTimeout="180000"
               keystoreFile="workforce.keystore"
               keystorePass="xxx" algorithm="SunX509"
               truststoreFile="workforce.keystore"
               truststorePass="xxx"
               truststoreType="JKS"
               keyAlias="tomcat"
               compression="on"
               compressionMinSize="2048"
               trustManagerClassName="com.workforcesoftware.tomcatssl.WorkforceTrustManager"
               useServerCipherSuitesOrder="true"
               ciphers="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_RSA_WITH_AES_128_CBC_SHA"
               compressableMimeType="text/html,text/xml,text/js,text/css"/>

Steps to reproduce:

1) Define a connector something like the one above.
2) Use a large keystore file. I have a large keystore with one private key with
alias tomcat (as defined in keyAlias) and a large number of public certificates
that I trust (> 1400). A sample keystore file is attached.
3) Start/restart Tomcat.
4) Try to access the application/Tomcat using the specified connector from the
browser.
5) The SSL handshake seems to be timing out. The SSL/handshake debug log is attached.

When I change the protocol from Http11Nio2Protocol to Http11NioProtocol, SSL
handshake seems to be working fine. Besides this, I have also tried separating
out keystore (with only tomcat entry) and trust store (with all public
certificates), but with that configuration, the handshake still seems to be
timing out.

Thanks

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


--- Comment #3 from Syed Tariq <si...@workforcesoftware.com> ---
OK, I will try to investigate it further. By the way, I uploaded the files at
another location since Bugzilla doesn't allow me to upload attachments greater
than 1000KB.
Thanks

--- Comment #7 from Remy Maucherat <re...@apache.org> ---
The policy is to not do user support in BZ, so as to not attract support issues
there and have to provide direct support. Now, you're free to handle things
the way you'd like :)

The truststore handling is also 100% identical between the two connectors, and
it is up to the user to investigate his custom code, use the NIO connector,
test trunk, etc.

Syed Tariq <si...@workforcesoftware.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sislam@workforcesoftware.com

--- Comment #6 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Remy Maucherat from comment #4)
> It could be a good first step to test trunk. Since the keystore size itself
> shouldn't be a factor, try to find some other more likely explanation first.
> 
> Both connectors use the same SSLEngine API, which is configured the same
> way, and once the key is loaded during the connector initialization the
> keystore is not used anymore.

That's only for server connector configuration. It's clear that Syed is talking
about handshakes which include a client-certificate, here. The trust store is
certainly consulted when a client-certificate needs to be verified.

--- Comment #1 from Syed Tariq <si...@workforcesoftware.com> ---
Created attachment 33353
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=33353&action=edit
Zip file containing sample keystore file and SSL/Handshaking debug logs

--- Comment #5 from Christopher Schultz <ch...@christopherschultz.net> ---
Could there possibly be a problem in
com.workforcesoftware.tomcatssl.WorkforceTrustManager?

Take thread dumps during the long pause before the handshake timeout to see
where the JVM is stalling. A thread dump could show whether this is a problem
in Tomcat (unlikely), your TrustManager code (likely) or the JVM (semi-likely).

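The thread-dump triage suggested in comment #5, as an added example that is not part of the bug thread or of Tomcat: one function captures several jstack dumps of the stalled JVM a few seconds apart, and a second one lists every thread whose stack is inside the JDK handshaker or any TrustManager, with its topmost frame, so the pause can be pinned on Tomcat, the custom TrustManager or the JVM. It assumes a JDK with jstack on PATH and a known Tomcat pid; the abbreviated dump written by sample_dump is constructed (class names, line numbers and thread ids are made up) so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the bug thread or from Tomcat: capture thread dumps
# of a stalled Tomcat JVM and list the threads inside a TLS handshake or a
# TrustManager call.  Assumes jstack on PATH; pid, count, interval and output
# directory are caller-supplied.

# capture_dumps PID COUNT INTERVAL_SECONDS OUTDIR
# Writes OUTDIR/dump-0.txt ... dump-(COUNT-1).txt, INTERVAL seconds apart.
# Several dumps matter: a frame that stays on top across dumps is the stall,
# a frame that changes between dumps is just work in progress.
capture_dumps() {
  pid=$1; count=$2; interval=$3; outdir=$4
  mkdir -p "$outdir"
  i=0
  while [ "$i" -lt "$count" ]; do
    jstack "$pid" > "$outdir/dump-$i.txt" || return 1
    i=$((i + 1))
    sleep "$interval"
  done
}

# handshake_hotspots DUMPFILE
# Prints one line per thread whose stack contains a handshake or TrustManager
# frame: the quoted thread name followed by its topmost frame.  The pattern
# covers the JDK's sun.security.ssl handshaker classes and any class whose
# name contains TrustManager (a custom one such as WorkforceTrustManager
# from the report would match as well).
handshake_hotspots() {
  awk '
    /^"/ {
      match($0, /^"[^"]*"/); name = substr($0, 1, RLENGTH)
      top = ""; hit = 0; next
    }
    /^[ \t]*at / {
      if (top == "") { top = $0; sub(/^[ \t]+/, "", top) }
      if ($0 ~ /TrustManager|checkClientTrusted|sun\.security\.ssl\.(ServerHandshaker|Handshaker|SSLEngineImpl)/) hit = 1
      next
    }
    /^$/ { if (hit && name != "") print name " -> " top; name = ""; hit = 0; top = "" }
    END  { if (hit && name != "") print name " -> " top }
  ' "$1"
}

# sample_dump OUTFILE
# Writes a constructed, abbreviated dump in jstack layout (frames indented
# with spaces here; real jstack output uses tabs, which the parser accepts too).
# Two worker threads are inside a hypothetical custom TrustManager, one is idle.
sample_dump() {
  cat > "$1" <<'EOF'
"http-nio2-10443-exec-3" #25 daemon prio=5 os_prio=0 tid=0x00007f00 nid=0x1f2a runnable [0x00007f01]
   java.lang.Thread.State: RUNNABLE
    at java.security.KeyStore.getCertificateAlias(KeyStore.java:1099)
    at com.example.CustomTrustManager.checkClientTrusted(CustomTrustManager.java:42)
    at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1910)

"http-nio2-10443-exec-7" #29 daemon prio=5 os_prio=0 tid=0x00007f02 nid=0x1f2e waiting on condition [0x00007f03]
   java.lang.Thread.State: WAITING (parking)
    at sun.misc.Unsafe.park(Native Method)
    at java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:442)

"http-nio2-10443-exec-9" #31 daemon prio=5 os_prio=0 tid=0x00007f04 nid=0x1f30 runnable [0x00007f05]
   java.lang.Thread.State: RUNNABLE
    at java.security.cert.X509Certificate.getSubjectX500Principal(X509Certificate.java:400)
    at com.example.CustomTrustManager.checkClientTrusted(CustomTrustManager.java:44)
    at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1910)
EOF
}

# Stand-alone run against the constructed sample.  Against a real stalled JVM:
#   capture_dumps "$TOMCAT_PID" 5 10 /tmp/dumps && handshake_hotspots /tmp/dumps/dump-0.txt
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  sample_dump "$tmp"
  handshake_hotspots "$tmp"
  rm -f "$tmp"
fi
```

On the sample, exec-3 and exec-9 are reported with KeyStore.getCertificateAlias and X509Certificate.getSubjectX500Principal on top, while the parked exec-7 is ignored. With a 1400-entry trust store, a TrustManager that appears in every dump with a keystore-iteration frame on top is the kind of evidence the thread asks for before blaming the connector.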


--- Comment #4 from Remy Maucherat <re...@apache.org> ---
It could be a good first step to test trunk. Since the keystore size itself
shouldn't be a factor, try to find some other more likely explanation first.

Both connectors use the same SSLEngine API, which is configured the same way,
and once the key is loaded during the connector initialization the keystore is
not used anymore.


Remy Maucherat <re...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED

--- Comment #2 from Remy Maucherat <re...@apache.org> ---
I am not going to investigate this since it doesn't make any sense, so please
investigate this further if you want it to move forward [I am for starters not
downloading random files from random places, and your connector configuration
is too convoluted as well ...].

The configuration of the SSL engine which does the handshake is identical in
both connectors, and if it works with "small" keystores then it will do the
same in both for large ones.
