Some TLS ciphersuite configurations result in 100% CPU utilization
------------------------------------------------------------------
Key: CXF-1222
URL: https://issues.apache.org/jira/browse/CXF-1222
Project: CXF
Issue Type: Bug
Components: Transports
Affects Versions: 2.0.3
Reporter: Fred Dushin
Fix For: 2.0.4

By setting the ciphersuite filter to just exclude DH Anon cipher suites, e.g.,
{{{
<csec:cipherSuitesFilter>
    <!-- <csec:include>.*</csec:include> -->
    <csec:exclude>.*_DH_anon_.*</csec:exclude>
</csec:cipherSuitesFilter>
}}}
a CXF server will spin its wheels in
com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites:
{{{
[java] "btpool0-0 - Acceptor0 [EMAIL PROTECTED]:9001" prio=5 tid=0x00537320 nid=0x1b96400 runnable [0xb0d0a000..0xb0d0ad10]
[java] at com.sun.net.ssl.internal.ssl.OutputRecord.<init>(OutputRecord.java:56)
[java] at com.sun.net.ssl.internal.ssl.OutputRecord.<init>(OutputRecord.java:66)
[java] at com.sun.net.ssl.internal.ssl.HandshakeOutStream.<init>(HandshakeOutStream.java:36)
[java] at com.sun.net.ssl.internal.ssl.Handshaker.setEnabledProtocols(Handshaker.java:281)
[java] at com.sun.net.ssl.internal.ssl.Handshaker.init(Handshaker.java:131)
[java] at com.sun.net.ssl.internal.ssl.Handshaker.<init>(Handshaker.java:102)
[java] at com.sun.net.ssl.internal.ssl.ServerHandshaker.<init>(ServerHandshaker.java:73)
[java] at com.sun.net.ssl.internal.ssl.SSLSocketImpl.initHandshaker(SSLSocketImpl.java:981)
[java] at com.sun.net.ssl.internal.ssl.SSLSocketImpl.getServerHandshaker(SSLSocketImpl.java:929)
[java] at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:288)
[java] - locked <0x26dbc988> (a com.sun.net.ssl.internal.ssl.SSLServerSocketImpl)
[java] at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:253)
[java] at org.mortbay.jetty.security.SslSocketConnector.accept(SslSocketConnector.java:169)
[java] at org.mortbay.jetty.AbstractConnector$Acceptor.run(AbstractConnector.java:514)
[java] at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)
}}}
{{{
PID COMMAND %CPU TIME #TH #PRTS #MREGS RPRVT RSHRD RSIZE VSIZE
8463 top 15.4% 0:02.89 1 18 20 640K 380K 1.10M 27.0M
8462 java 103.0% 1:12.61 12 886 521 60.4M- 82.0M 76.6M- 327M-
}}}
This appears to be due to the way in which we initialize cipher suites in the
CxfJettySslSocketConnector, and we should revisit this to prevent this
sort of thing from happening.
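
A fail-fast check for a filter like the one in this report, as an added example (not CXF or Jetty code). It assumes a filter semantics in which a suite is enabled only if it matches at least one include pattern and no exclude pattern; the class and method names and the suite list are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;

public class CipherSuiteFilterCheck {
    // Constructed sample of JSSE suite names; a real check would read them
    // from SSLServerSocketFactory.getSupportedCipherSuites().
    static final List<String> SUPPORTED = Arrays.asList(
        "SSL_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
        "TLS_DH_anon_WITH_AES_128_CBC_SHA");

    static boolean matchesAny(List<String> patterns, String suite) {
        for (String p : patterns) {
            if (Pattern.matches(p, suite)) return true;
        }
        return false;
    }

    // Assumed semantics (not taken from CXF): a suite is enabled only if it
    // matches at least one include pattern and no exclude pattern.
    static List<String> apply(List<String> includes, List<String> excludes) {
        List<String> enabled = new ArrayList<>();
        for (String suite : SUPPORTED) {
            if (matchesAny(includes, suite) && !matchesAny(excludes, suite)) enabled.add(suite);
        }
        return enabled;
    }

    // Reject an unusable result at configuration time, before any socket accepts.
    static List<String> requireUsable(List<String> enabled) {
        if (enabled.isEmpty()) {
            throw new IllegalStateException("cipher suite filter leaves no suite enabled");
        }
        return enabled;
    }

    public static void main(String[] args) {
        List<String> exclude = Collections.singletonList(".*_DH_anon_.*");
        // Filter with an explicit include pattern.
        System.out.println(requireUsable(apply(Collections.singletonList(".*"), exclude)));
        try {
            // Filter as in the report: include commented out, exclude only.
            requireUsable(apply(Collections.<String>emptyList(), exclude));
        } catch (IllegalStateException e) {
            System.out.println("rejected at startup: " + e.getMessage());
        }
    }
}
```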