[
https://issues.apache.org/jira/browse/HTTPCORE-685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17412544#comment-17412544
]
Oleg Kalnichevski commented on HTTPCORE-685:
--------------------------------------------
[~chrisridd] Could you please
# try to reproduce the defect with curl or a free of charge load tool
# see if HttpCore 5.1 is affected or not [1]?
We had a lot of grief with TLSv1.3 in the early releases of Java 11 mostly due
to what turned out to be defects or behavioral quirks in the new JSSE. All
reported and known defects got fixed in 5.0.x and later ported to 4.4.x. So, I
would like to see a reliable reproducer before I could confirm this as a defect
in HttpCore 4.4. I will however re-run my local tests and see if I can
reproduce the defect locally with the latest Java 11 JRE.
Oleg
[1]
[https://github.com/apache/httpcomponents-core/blob/5.1.x/httpcore5/src/test/java/org/apache/hc/core5/http/examples/AsyncFileServerExample.java]
> I/O dispatch threads spin after lots of TLSv1.3 connections
> -----------------------------------------------------------
>
> Key: HTTPCORE-685
> URL: https://issues.apache.org/jira/browse/HTTPCORE-685
> Project: HttpComponents HttpCore
> Issue Type: Bug
> Components: HttpCore NIO
> Affects Versions: 4.4.13, 4.4.14
> Environment: java-11-openjdk-11.0.12.0.7-0.el8_4.x86_64
> (11.0.2.12+7-LTS on CentOS 8).
> Reporter: Chris Ridd
> Priority: Major
> Attachments: AsyncExample.java, SyncExample.java
>
>
> When I run a Qualys VMDR scan against your example {{NHttpFileServer}}
> server, which is adjusted to only allow TLSv1.3, I see the two I/O-dispatch
> threads spinning, and a number of sockets (~20) never closing.
> The adjusted example code is attached: [^AsyncExample.java]
> The I/O dispatch threads are consistently inside
> {{SSLIOSession.doHandshake()}} and handshaking is {{true}} and
> HandshakeStatus is {{NOT_HANDSHAKING}}. The threads seem to enter this code
> for every "bad" connection, and then repeat it all over again making no
> progress and keeping the sockets open.
> As far as I see - the Qualys tests are sadly not open source - Qualys is just
> doing ~ 2000 HTTPS GET requests with different paths, apparently looking for
> known insecure applications. It is unclear what's special about the failing
> connections.
> If I run the [^SyncExample.java] server instead, the scan completes
> successfully.
> If you can suggest any instrumentation that will gain some insights on this
> problem, I will be happy to assist.