[jira] Resolved: (CXF-1222) Some TLS ciphersuite configurations result in 100% CPU utilization

Wed, 28 Oct 2009 18:37:25 -0700 

     [ 
https://issues.apache.org/jira/browse/CXF-1222?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Daniel Kulp resolved CXF-1222.
------------------------------

       Resolution: Invalid
    Fix Version/s: Invalid


This is really a bug in the JDK/JSSE libraries.   The setting we are using 
should be valid.   Nothing we can do about it in CXF.

> Some TLS ciphersuite configurations result in 100% CPU utilization
> ------------------------------------------------------------------
>
>                 Key: CXF-1222
>                 URL: https://issues.apache.org/jira/browse/CXF-1222
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 2.0.3
>            Reporter: Fred Dushin
>             Fix For: Invalid
>
>
> By setting the ciphersuite filter to just exclude DH Anon cipher suites, e.g.,
> {{{
>                 <csec:cipherSuitesFilter>
>                     <!-- <csec:include>.*</csec:include> -->
>                     <csec:exclude>.*_DH_anon_.*</csec:exclude>
>                 </csec:cipherSuitesFilter>
> }}}
> a CXF server will spin its wheels in 
> com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites:
> {{{
>      [java] "btpool0-0 - Acceptor0 [email protected]:9001" 
> prio=5 tid=0x00537320 nid=0x1b96400 runnable [0xb0d0a000..0xb0d0ad10]
>      [java]     at 
> com.sun.net.ssl.internal.ssl.OutputRecord.<init>(OutputRecord.java:56)
>      [java]     at 
> com.sun.net.ssl.internal.ssl.OutputRecord.<init>(OutputRecord.java:66)
>      [java]     at 
> com.sun.net.ssl.internal.ssl.HandshakeOutStream.<init>(HandshakeOutStream.java:36)
>      [java]     at 
> com.sun.net.ssl.internal.ssl.Handshaker.setEnabledProtocols(Handshaker.java:281)
>      [java]     at 
> com.sun.net.ssl.internal.ssl.Handshaker.init(Handshaker.java:131)
>      [java]     at 
> com.sun.net.ssl.internal.ssl.Handshaker.<init>(Handshaker.java:102)
>      [java]     at 
> com.sun.net.ssl.internal.ssl.ServerHandshaker.<init>(ServerHandshaker.java:73)
>      [java]     at 
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.initHandshaker(SSLSocketImpl.java:981)
>      [java]     at 
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.getServerHandshaker(SSLSocketImpl.java:929)
>      [java]     at 
> com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:288)
>      [java]     - locked <0x26dbc988> (a 
> com.sun.net.ssl.internal.ssl.SSLServerSocketImpl)
>      [java]     at 
> com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:253)
>      [java]     at 
> org.mortbay.jetty.security.SslSocketConnector.accept(SslSocketConnector.java:169)
>      [java]     at 
> org.mortbay.jetty.AbstractConnector$Acceptor.run(AbstractConnector.java:514)
>      [java]     at 
> org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)
> }}}
> {{{
>   PID COMMAND      %CPU   TIME   #TH #PRTS #MREGS RPRVT  RSHRD  RSIZE  VSIZE
>  8463 top         15.4%  0:02.89   1    18    20   640K   380K  1.10M  27.0M 
>  8462 java       103.0%  1:12.61  12   886   521  60.4M- 82.0M  76.6M-  327M-
> }}}
> This appears to be due to the way in which we initialize cipher suites in the 
> CxfJettySslSocketConnector, and we should revisit this to defend against this 
> sort of thing from happening.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to