Re: Memory leak in the PKCS11 how to fix the problem
Kindly reply to the mail below. Expecting your feedback so that I can take it forward.

Thanks & Regards,
Raghav

On 18/07/20, 6:25 PM, "Ragavendhiran Bhiman (rabhiman)" wrote:

The OS is RHEL => 7.6

From: "Ragavendhiran Bhiman (rabhiman)"
Date: Saturday, 18 July 2020 at 6:21 PM
To: Tomcat Users List
Subject: Memory leak in the PKCS11 how to fix the problem

From: "Ragavendhiran Bhiman (rabhiman)"
Date: Saturday, 18 July 2020 at 6:20 PM
To: Tomcat Users List
Subject: Memory leak in the PKCS11 how to fix the problem

Hello All,

I am seeing memory leaks from Apache Tomcat in the following SSL path using PKCS11. Attached is the flame graph of possible memory leaks in this area. Please check the attached flame graph of the memory trace.

On simply a long run, the memory keeps on being allocated in these back traces only, causing the memory leak, and the polling of the async profiler for more than 6 hours shows this clearly.

Could you please help with how to fix this problem? (Open this SVG graph in a browser only.)

Note: Whether C_DestroyObject is not called because of finalizer accumulation was also tested by inducing the GC using the jmap command; I could still see that the memory never went down after the Full GC collection as well.

Expecting your advice on the same.

Regards,
Raghav
Infrastructure engineer, Cisco ISE.
request.getLocalHost() Different with port 80 vs mod_jk
I'm taking Christopher's advice to remove httpd and mod_jk out of my process and go straight to Tomcat on port 80. At this point the only thing I've done is stop the httpd service and change the Connector port to 80.

I'm running on my local machine. I have a hosts entry set to "local.a.com 127.0.0.1", and I use the url http://local.a.com to access the site.

When I use the old setup with httpd/mod_jk, a call to request.getLocalHost() returns "local.a.com" as expected. After doing nothing but changing to go straight to TC on port 80, getLocalHost() returns 127.0.0.1. request.getRequestURL() still gives me the http://local.a.com.

Theoretically, I could change my code to parse getRequestURL() instead of getLocalHost() to get the real host name. But I don't really want to do that without understanding why I'm seeing the change. Is there something else I need to add to the config file when moving to direct port 80 off of mod_jk?

Ideas? BTW... I'm on TC 9.0.16.

Thanks.

Jerry

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?
On 17/07/2020 21:47, James H. H. Lampert wrote:
> Running two connectors seems to work just fine, but I'm having trouble
> getting one of them to only take TLS 1.2
>
> In reply to my query:
>
>>> Given all this, is it possible to (1) have Tomcat listen on two separate
>>> HTTPS ports, and (2) have one of the ports require TLS 1.2, but the
>>> other accept something our AS/400 can use?
>
> On 7/17/20 10:03 AM, Mark Thomas wrote:
>
>> Yes. You need two Connector elements specifying different ports and
>> different protocols. They should be able to use the same certificate
>> configuration.
>
> I just ran a test on our development Amazon EC2 instance, and verified
> that I could listen on two different ports (existing 8443 and now 7443),
> and I limited (or so I thought) 8443 (to which I have 443 rerouted
> through iptables) to TLS 1.2.
>
> Except that SSLLabs tells me it's still accepting TLS 1.0 and 1.1!
>
> I commented out the connector for 8443 and restarted Tomcat, but it's
> still giving the same report from SSLLabs.
>
> The connector for 8443 in server.xml looks like this (lines truncated):
>> > keystoreFile="/etc/tomcat8/dev.REDACTED.net.ks" keyAlias=$
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256$
>> clientAuth="false" sslProtocol="TLSv1.2" />
>
> The 'sslProtocol="TLSv1.2"' clause is copied directly from the Tomcat 7
> installation on our most security-conscious customer's AS/400; this
> Tomcat is 8.5. Am I specifying it wrong?

I should probably remind myself why this is the way this is.

You want:

sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2"

And to answer my question above, because that is the way the JSSE API has been written.

Mark
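
Added example, not part of the reply above and not Tomcat's own code: a small JSSE program showing the distinction the two attributes rest on. It assumes that sslProtocol names the algorithm passed to SSLContext.getInstance() and that sslEnabledProtocols is the list applied with setEnabledProtocols(); the class and method names are hypothetical.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

public class EnabledProtocolsDemo {

    // Build a server-mode engine from a context created with the given
    // algorithm name (the kind of value sslProtocol carries, by assumption).
    static SSLEngine serverEngine(String contextAlgorithm) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextAlgorithm);
        ctx.init(null, null, null); // default managers; no handshake happens here
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        return engine;
    }

    // Restrict the engine to exactly the wanted versions (the kind of list
    // sslEnabledProtocols carries), rejecting names this JVM does not support.
    static void restrict(SSLEngine engine, String... wanted) {
        Set<String> supported =
                new LinkedHashSet<>(Arrays.asList(engine.getSupportedProtocols()));
        for (String protocol : wanted) {
            if (!supported.contains(protocol)) {
                throw new IllegalArgumentException("Unsupported protocol: " + protocol);
            }
        }
        engine.setEnabledProtocols(wanted);
    }

    public static void main(String[] args) throws Exception {
        // The context algorithm name alone does not pin the accepted versions.
        SSLEngine engine = serverEngine("TLSv1.2");
        System.out.println("Context \"TLSv1.2\", enabled by default: "
                + Arrays.toString(engine.getEnabledProtocols()));

        // The enabled-protocols list is what narrows the engine to one version.
        restrict(engine, "TLSv1.2");
        System.out.println("After setEnabledProtocols:          "
                + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

The first line printed varies with the JVM version and its jdk.tls.disabledAlgorithms security property, so run it on the JVM that hosts Tomcat.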
Re: Memory leak in the PKCS11 how to fix the problem
The OS is RHEL => 7.6

From: "Ragavendhiran Bhiman (rabhiman)"
Date: Saturday, 18 July 2020 at 6:21 PM
To: Tomcat Users List
Subject: Memory leak in the PKCS11 how to fix the problem

From: "Ragavendhiran Bhiman (rabhiman)"
Date: Saturday, 18 July 2020 at 6:20 PM
To: Tomcat Users List
Subject: Memory leak in the PKCS11 how to fix the problem

Hello All,

I am seeing memory leaks from Apache Tomcat in the following SSL path using PKCS11. Attached is the flame graph of possible memory leaks in this area. Please check the attached flame graph of the memory trace.

On simply a long run, the memory keeps on being allocated in these back traces only, causing the memory leak, and the polling of the async profiler for more than 6 hours shows this clearly.

Could you please help with how to fix this problem? (Open this SVG graph in a browser only.)

Note: Whether C_DestroyObject is not called because of finalizer accumulation was also tested by inducing the GC using the jmap command; I could still see that the memory never went down after the Full GC collection as well.

Expecting your advice on the same.

Regards,
Raghav
Infrastructure engineer, Cisco ISE.