Posted to issues@cxf.apache.org by "Fred Dushin (JIRA)" <ji...@apache.org> on 2007/12/17 11:15:43 UTC

[jira] Commented: (CXF-1222) Some TLS ciphersuite configurations result in 100% CPU utilization

    [ https://issues.apache.org/jira/browse/CXF-1222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12552363 ] 

Fred Dushin commented on CXF-1222:
----------------------------------

Additional information, submitted to cxf-user by jiri.mikulasek [1]:
First configuration:
Server:
  <sec:cipherSuitesFilter>
    <sec:include>.*WITH_NULL_SHA.*</sec:include>
  </sec:cipherSuitesFilter>
Client:
  <sec:cipherSuitesFilter>
    <sec:include>SSL_RSA_WITH_NULL_SHA</sec:include>
  </sec:cipherSuitesFilter>

When trying to connect the client to the server I got this in the server log:
INFO: The cipher suites have been set to SSL_RSA_WITH_RC4_128_MD5, 
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, 
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, 
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, 
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, 
SSL_RSA_WITH_NULL_MD5, SSL_DH_anon_WITH_RC4_128_MD5, 
TLS_DH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, 
SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, 
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA, 
TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, 
TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, 
TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, 
TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, 
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5.  
2007-12-17 09:59:15.748::INFO:  Started 
CXFJettySslSocketConnector@0.0.0.0:8090
Exception in thread "btpool1-0" java.lang.OutOfMemoryError: Java heap space
	at com.sun.net.ssl.internal.ssl.InputRecord.<init>(InputRecord.java:65)
	at com.sun.net.ssl.internal.ssl.HandshakeInStream.<init>(HandshakeInStream.java:45)
	at com.sun.net.ssl.internal.ssl.Handshaker.setEnabledProtocols(Handshaker.java:294)
	at com.sun.net.ssl.internal.ssl.Handshaker.init(Handshaker.java:139)
	at com.sun.net.ssl.internal.ssl.Handshaker.<init>(Handshaker.java:110)
	at com.sun.net.ssl.internal.ssl.ServerHandshaker.<init>(ServerHandshaker.java:86)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.initHandshaker(SSLSocketImpl.java:980)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.getServerHandshaker(SSLSocketImpl.java:928)
	at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:288)
	at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:253)
	at org.mortbay.jetty.security.SslSocketConnector.accept(SslSocketConnector.java:169)
	at org.mortbay.jetty.AbstractConnector$Acceptor.run(AbstractConnector.java:514)
	at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)

Second configuration:
Client same as before
Server:
  <sec:cipherSuitesFilter>
    <sec:exclude>.*WITH_NULL_SHA.*</sec:exclude>
  </sec:cipherSuitesFilter>

I got the same exception and the following cipher suites on the server side:
INFO: The cipher suites have been set to SSL_RSA_WITH_RC4_128_MD5, 
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, 
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, 
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, 
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, 
SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_RC4_128_MD5, 
TLS_DH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, 
SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, 
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA, 
TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, 
TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, 
TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, 
TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, 
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5.  
2007-12-17 10:11:46.635::INFO:  Started 
CXFJettySslSocketConnector@0.0.0.0:8090
Exception in thread "btpool1-0" java.lang.OutOfMemoryError: Java heap space

[1] http://mail-archives.apache.org/mod_mbox/incubator-cxf-user/200712.mbox/%3c200712171018.34302.jiri.mikulasek@aura.cz%3e

> Some TLS ciphersuite configurations result in 100% CPU utilization
> ------------------------------------------------------------------
>
>                 Key: CXF-1222
>                 URL: https://issues.apache.org/jira/browse/CXF-1222
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 2.0.3
>            Reporter: Fred Dushin
>             Fix For: 2.0.4
>
>
> By setting the ciphersuite filter to just exclude DH Anon cipher suites, e.g.,
> {{{
>                 <csec:cipherSuitesFilter>
>                     <!-- <csec:include>.*</csec:include> -->
>                     <csec:exclude>.*_DH_anon_.*</csec:exclude>
>                 </csec:cipherSuitesFilter>
> }}}
> a CXF server will spin its wheels in com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites:
> {{{
>      [java] "btpool0-0 - Acceptor0 CXFJettySslSocketConnector@0.0.0.0:9001" prio=5 tid=0x00537320 nid=0x1b96400 runnable [0xb0d0a000..0xb0d0ad10]
>      [java]     at com.sun.net.ssl.internal.ssl.OutputRecord.<init>(OutputRecord.java:56)
>      [java]     at com.sun.net.ssl.internal.ssl.OutputRecord.<init>(OutputRecord.java:66)
>      [java]     at com.sun.net.ssl.internal.ssl.HandshakeOutStream.<init>(HandshakeOutStream.java:36)
>      [java]     at com.sun.net.ssl.internal.ssl.Handshaker.setEnabledProtocols(Handshaker.java:281)
>      [java]     at com.sun.net.ssl.internal.ssl.Handshaker.init(Handshaker.java:131)
>      [java]     at com.sun.net.ssl.internal.ssl.Handshaker.<init>(Handshaker.java:102)
>      [java]     at com.sun.net.ssl.internal.ssl.ServerHandshaker.<init>(ServerHandshaker.java:73)
>      [java]     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.initHandshaker(SSLSocketImpl.java:981)
>      [java]     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.getServerHandshaker(SSLSocketImpl.java:929)
>      [java]     at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:288)
>      [java]     - locked <0x26dbc988> (a com.sun.net.ssl.internal.ssl.SSLServerSocketImpl)
>      [java]     at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:253)
>      [java]     at org.mortbay.jetty.security.SslSocketConnector.accept(SslSocketConnector.java:169)
>      [java]     at org.mortbay.jetty.AbstractConnector$Acceptor.run(AbstractConnector.java:514)
>      [java]     at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)
> }}}
> {{{
>   PID COMMAND      %CPU   TIME   #TH #PRTS #MREGS RPRVT  RSHRD  RSIZE  VSIZE
>  8463 top         15.4%  0:02.89   1    18    20   640K   380K  1.10M  27.0M 
>  8462 java       103.0%  1:12.61  12   886   521  60.4M- 82.0M  76.6M-  327M-
> }}}
> This appears to be due to the way in which we initialize cipher suites in the CxfJettySslSocketConnector, and we should revisit this to defend against this sort of thing from happening.
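A pre-flight check for cipherSuitesFilter configurations, added here as an example and not part of CXF or of this thread: it models the filter under assumed semantics (a suite is enabled when it fully matches at least one include pattern and no exclude pattern; CXF's real defaults may differ), applies the server and client filters quoted above to a constructed subset of the JDK suite list from the logs, and flags what a deployer would want to catch before startup: an empty enabled set on either side, no suite in common, and NULL/anon/EXPORT suites surviving the filter.

```python
import re

# Constructed subset of the JDK cipher suite list logged in the thread
# above (representative, not the full list the server printed).
SUPPORTED = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_WITH_NULL_MD5",
    "SSL_RSA_WITH_NULL_SHA",
    "SSL_DH_anon_WITH_RC4_128_MD5",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
]

# No encryption (NULL), no authentication (anon) or 40-bit keys (EXPORT).
WEAK = re.compile(r"_NULL_|_anon_|_EXPORT_")


def apply_filter(supported, include=(".*",), exclude=()):
    """Assumed cipherSuitesFilter semantics: enabled if the suite fully
    matches any include pattern and no exclude pattern (no includes = all)."""
    inc = [re.compile(p) for p in (include or (".*",))]
    exc = [re.compile(p) for p in exclude]
    return [s for s in supported
            if any(r.fullmatch(s) for r in inc)
            and not any(r.fullmatch(s) for r in exc)]


def check_pair(supported, server_filter, client_filter):
    """Dry-run both sides' filters and report what a handshake would see."""
    server = apply_filter(supported, **server_filter)
    client = apply_filter(supported, **client_filter)
    common = [s for s in client if s in server]   # client preference order
    return {
        "server": server,
        "client": client,
        "common": common,
        "server_empty": not server,       # nothing for accept() to offer
        "no_common_suite": not common,    # every handshake would fail
        "weak_in_common": [s for s in common if WEAK.search(s)],
    }


if __name__ == "__main__":  # the first configuration from the thread above
    print(check_pair(SUPPORTED, {"include": [".*WITH_NULL_SHA.*"]},
                     {"include": ["SSL_RSA_WITH_NULL_SHA"]}))
```

Comparing the computed "server" list with the "cipher suites have been set to" line in the logs above is a quick way to tell whether a filter did what was intended.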
