[jira] [Commented] (HTTPCORE-685) I/O dispatch threads spin after lots of TLSv1.3 connections

Tue, 14 Sep 2021 01:54:04 -0700 


    [ 
https://issues.apache.org/jira/browse/HTTPCORE-685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17414815#comment-17414815
 ] 

Oleg Kalnichevski commented on HTTPCORE-685:
--------------------------------------------

[~chrisridd] I am unable to reproduce the issue with Corretto JDK 11.0.9 on 
Windows 10. It is quite possible that the scanner you have been using does 
something unusual to trigger the spin (like aborting TLS sessions, abusing 
close notify handshake, or sending some malformed packets).

I need to know exactly what the scanner does. I cannot just randomly try 
different things.

Oleg

> I/O dispatch threads spin after lots of TLSv1.3 connections
> -----------------------------------------------------------
>
>                 Key: HTTPCORE-685
>                 URL: https://issues.apache.org/jira/browse/HTTPCORE-685
>             Project: HttpComponents HttpCore
>          Issue Type: Bug
>          Components: HttpCore NIO
>    Affects Versions: 4.4.13, 4.4.14
>         Environment: java-11-openjdk-11.0.12.0.7-0.el8_4.x86_64 
> (11.0.2.12+7-LTS on Centos 8).
>            Reporter: Chris Ridd
>            Priority: Major
>         Attachments: AsyncExample.java, SyncExample.java, my.keystore
>
>
> When I run a Qualys VMDR scan against your example {{NHttpFileServer}} 
> server, which is adjusted to only allow TLSv1.3, I see the two I/O-dispatch 
> threads spinning, and a number of sockets (~40) never closing.
> The adjusted example code is attached:  [^AsyncExample.java] 
> The I/O dispatch threads are consistently inside 
> {{SSLIOSession.doHandshake()}} and handshaking is {{true}} and 
> HandshakeStatus is {{NOT_HANDSHAKING}}. The threads seem to enter this code 
> for every "bad" connection, and then repeat it all over again making no 
> progress and keeping the sockets open.
> As far as I see - the Qualys tests are sadly not open source - Qualys is just 
> doing ~ 2000 HTTPS GET requests with different paths, apparently looking for 
> known insecure applications. It is unclear what's special about the failing 
> connections.
> If I run the [^SyncExample.java] server instead, the scan completes 
> successfully.
> If you can suggest any instrumentation that will gain some insights on this 
> problem, I will be happy to assist.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to