Re: AW: Tomcat 10 with Http2 and compression sometimes closes connection with Firefox

2022-06-29 Thread Mark Thomas

On 27/06/2022 21:49, Thomas Hoffmann (Speed4Trade GmbH) wrote:

From: Mark Thomas

On 26/06/2022 15:59, Thomas Hoffmann (Speed4Trade GmbH) wrote:





Problem:
When opening a webpage at a new Tab, Firefox sometimes doesn't load
the full page from Tomcat 10

Observation / Circumstances:
- Doesn't happen with Tomcat 9 (tested up to 9.0.64)
- Problem showed up after upgrading from Tomcat 9.0.56 to 10.0.16
- Tomcat 10.0.16 also showed a stacktrace in the logfile
 07-Mar-2022 07:24:01.780 SCHWERWIEGEND [https-openssl-nio-443-exec-21] org.apache.catalina.core.ApplicationDispatcher.invoke Servlet.service() for servlet [jsp] threw exception
 java.lang.IllegalStateException: Connection [66], Stream [113], Unable to write to stream once it has been closed
 at org.apache.coyote.http2.Stream$StreamOutputBuffer.doWrite(Stream.java:843)

- The stack is probably related but not the cause of the issue
- The stacktrace was not logged any more with Tomcat 10.0.18 (but
problem stayed)
- The problem only occurs with HTTP2
- It also only occurs when http compression is activated
(compression="force" or "on")
- a provided debug-log of HTTP2 (loglevel FINE) didn't narrow down the
issue


This week I found time for digging down into the rabbit hole and also was
able to create an almost static application.


I did several network traces and it followed the following scheme:
1) Main page was requested by Firefox from Tomcat (GET ...)
2) Tomcat sends the first compressed chunks of data to the browser
3) Firefox reads the first packages and notices, that additional
resources are needed (CSS, JS ...)
4) While Tomcat is still sending the main page in chunks, the browser
is already requesting additional resources on other channels
5) Firefox is sending a RST_STREAM and closes that last requested
stream(s)  (dunno why it does request first and then closes the
channel)
6) Tomcat is sending a GoAway message to the browser
7) Tomcat stops also sending the main page (on a different channel)

Shouldn't tomcat just close the requested stream and continue serving the
other stream(s)?

Looks like Tomcat got upset and also closed the other stream :)

Pcap-file is available at
https://privfile.com/download.php?fid=62b8721f9f29a-MTM1NTk= for around 2 weeks.

I could also provide an almost static app which relatively often shows this
issue (after several trials). As it contains some internal CI and stuff, I could
send it to a personal address.

I tested with Win10 and Win11, FF 101, Tomcat 10.0.16


I am currently working on some HTTP/2 test failures that might be relevant.
Can you re-test with this additional attribute set on the Connector element:

useAsyncIO="false"





Hello Mark,
despite this setting, the problem can still be reproduced.
My connector looked like:

 
 
 
 
 

Maybe the wireshark trace above can provide some hints or ideas.
If I can test something else or if I should send you the sample app, just drop 
a line.


I think I'm going to need the sample app to investigate this.

ma...@apache.org

Thanks,

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
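
Added example (not from the thread and not Tomcat's code): RST_STREAM is scoped to one stream and GOAWAY to the whole connection, so in a trace like the one described the streams to check are those still open when GOAWAY is sent. The Python below parses HTTP/2 frame headers from an already-decrypted byte stream and lists those streams; the capture, stream ids and error codes are constructed for illustration, not taken from the pcap.

```python
import struct

DATA, HEADERS, RST_STREAM, GOAWAY = 0x0, 0x1, 0x3, 0x7
END_STREAM = 0x1

def frame(ftype, sid, payload=b"", flags=0):
    # 9-byte header: 24-bit length, type, flags, reserved bit + 31-bit stream id
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + sid.to_bytes(4, "big") + payload)

def parse(buf):
    """Yield (type, flags, stream_id, payload) for each frame in buf."""
    pos = 0
    while pos < len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        if pos + 9 + length > len(buf):
            raise ValueError("truncated frame")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        sid = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        yield ftype, flags, sid, buf[pos + 9:pos + 9 + length]
        pos += 9 + length

def interrupted_streams(capture):
    """Return (resets, goaway, unfinished) up to the first GOAWAY."""
    opened, finished, resets = set(), set(), {}
    for sender, buf in capture:
        for ftype, flags, sid, payload in parse(buf):
            if ftype == GOAWAY:  # connection-scoped: sent on stream 0
                last, code = struct.unpack(">II", payload[:8])
                left = sorted(opened - finished - set(resets))
                return resets, (last & 0x7FFFFFFF, code), left
            if ftype == RST_STREAM:  # stream-scoped: ends only this stream
                resets[sid] = struct.unpack(">I", payload)[0]
            elif ftype == HEADERS and sender == "client":
                opened.add(sid)
            elif sender == "server" and ftype in (DATA, HEADERS) and flags & END_STREAM:
                finished.add(sid)
    return resets, None, sorted(opened - finished - set(resets))

# Constructed capture (decrypted frames); ids and error codes are illustrative.
CAPTURE = [
    ("client", frame(HEADERS, 1, b"\x82", 0x5)),               # GET main page
    ("server", frame(HEADERS, 1, b"\x88", 0x4) + frame(DATA, 1, b"<html>")),
    ("client", frame(HEADERS, 3, b"\x82", 0x5) + frame(HEADERS, 5, b"\x82", 0x5)),
    ("client", frame(RST_STREAM, 5, struct.pack(">I", 0x8))),  # CANCEL
    ("server", frame(GOAWAY, 0, struct.pack(">II", 5, 0x1))),  # PROTOCOL_ERROR
]

if __name__ == "__main__":
    print(interrupted_streams(CAPTURE))
```

For the constructed capture, stream 5 is reported as reset by the client, and streams 1 and 3 are reported as unfinished when the server's GOAWAY arrives.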



Re: Tomcat freezes with axios

2022-06-29 Thread Mark Thomas

Hi,

We need more information to help you.

Tomcat version?

Tomcat connector configuration (from server.xml)?

httpd version?

httpd MPM and configuration?

mod_proxy configuration?

Was the httpd restart graceful or not?

Mark



On 29/06/2022 19:36, Stephane Passignat wrote:

Hello,

I'm creating a SAP application performing REST call on an API running on 
Tomcat. Tomcat runs behind an apache reverse-proxy and communication 
between them use http. The calls are executed with axios using a basic 
authentication.



Everything runs fine for a moment, but for an unknown reason all http 
request are hanging after some time and hundreds or maybe thousands 
requests (if these metrics make any sense).



In chrome, the requests are in a 'pending' status.

Restarting chrome allows to do one or two requests and then issue occurs 
again


Restarting apache doesn't change anything.

Restarting Tomcat resolves the situation. Tomcat shutdown is a bit longer. 
Request in chrome ends when tomcat stops.



I'm not very inspired by this issue and actually trying to find 
inspiration in jmx and log files but nothing pops up.



Does someone have an idea ?



thanks

Stephane





AW: Tomcat freezes with axios

2022-06-29 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Stephane,

>  From: Stephane Passignat
>  Sent: Wednesday, 29 June 2022 20:36
>  To: users@tomcat.apache.org
>  Subject: Tomcat freezes with axios
>
>  Hello,
>
>  I'm creating a SAP application performing REST call on an API running on
>  Tomcat. Tomcat runs behind an apache reverse-proxy and communication
>  between them use http. The calls are executed with axios using a basic
>  authentication.
>
>
>  Everything runs fine for a moment, but for an unknown reason all http
>  request are hanging after some time and hundreds or maybe thousands
>  requests (if these metrics make any sense).
>
>
>  In chrome, the requests are in a 'pending' status.
>
>  Restarting chrome allows to do one or two requests and then issue occurs
>  again
>
>  Restarting apache doesn't change anything.
>
>  Restarting Tomcat resolves the situation. Tomcat shutdown is a bit longer.
>  Request in chrome ends when tomcat stops.
>
>
>  I'm not very inspired by this issue and actually trying to find
>  inspiration in jmx and log files but nothing pops up.
>
>
>  Does someone have an idea ?
>
>
>
>  thanks
>
>  Stephane

It looks like some processes are blocking and using up all http-threads till no 
thread is available to take further connections.
I would recommend to take one or more stacktraces of the java process to check 
for blocking threads.
You can use jstack from the console or use kill -3  (linux).
Another option is to use jvisualvm if you configured a jmx remote port. After 
connecting to the java process there is a button to take a stack from the 
process.

Look for threads which hold locks or are blocked by locks.
Sometimes it's helpful to compare several stacks taken at different times.

Greetings, Thomas
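
Added example (not part of the message above and not Tomcat code): one way to follow this advice is to summarise the states of the connector's request threads in a jstack dump and list, for each contended monitor, the thread holding it and the threads waiting for it. The dump text, thread names, addresses and the "http" name prefix are constructed assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed jstack-style dump; thread names, addresses and classes are made up.
SAMPLE_DUMP = '''\
"http-nio-8080-exec-1" #31 daemon prio=5 tid=0x01 nid=0x11 waiting for monitor entry
   java.lang.Thread.State: BLOCKED (on object monitor)
    at com.example.api.ReportCache.load(ReportCache.java:42)
    - waiting to lock <0x00000000e0a1b2c8> (a com.example.api.ReportCache)

"http-nio-8080-exec-2" #32 daemon prio=5 tid=0x02 nid=0x12 waiting for monitor entry
   java.lang.Thread.State: BLOCKED (on object monitor)
    at com.example.api.ReportCache.load(ReportCache.java:42)
    - waiting to lock <0x00000000e0a1b2c8> (a com.example.api.ReportCache)

"http-nio-8080-exec-3" #33 daemon prio=5 tid=0x03 nid=0x13 runnable
   java.lang.Thread.State: RUNNABLE
    at java.net.SocketInputStream.socketRead0(Native Method)
    at com.example.api.ReportCache.load(ReportCache.java:57)
    - locked <0x00000000e0a1b2c8> (a com.example.api.ReportCache)

"Catalina-utility-1" #20 prio=1 tid=0x04 nid=0x14 waiting on condition
   java.lang.Thread.State: WAITING (parking)
'''

HEADER = re.compile(r'^"([^"]+)"')
STATE = re.compile(r"java\.lang\.Thread\.State: (\w+)")
LOCK = re.compile(r"- (locked|waiting to lock) <(0x[0-9a-f]+)>")

def analyse(dump, prefix="http"):
    """Return (state counts, {monitor: (owner, [waiters])}) for request threads."""
    states, owner, waiters = Counter(), {}, defaultdict(list)
    name = None
    for line in dump.splitlines():
        if m := HEADER.match(line):
            name = m[1] if m[1].startswith(prefix) else None
        elif name is None:
            continue
        elif m := STATE.search(line):
            states[m[1]] += 1
        elif m := LOCK.search(line):
            if m[1] == "locked":
                owner[m[2]] = name
            else:
                waiters[m[2]].append(name)
    return states, {a: (owner.get(a, "unknown"), w) for a, w in waiters.items()}

if __name__ == "__main__":
    print(analyse(SAMPLE_DUMP))
```

Running it over several dumps taken a few seconds apart shows whether the same owner thread keeps holding the same monitor while the BLOCKED count grows.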


Tomcat freezes with axios

2022-06-29 Thread Stephane Passignat

Hello,

I'm creating a SAP application performing REST call on an API running on 
Tomcat. Tomcat runs behind an apache reverse-proxy and communication 
between them use http. The calls are executed with axios using a basic 
authentication.



Everything runs fine for a moment, but for an unknown reason all http 
request are hanging after some time and hundreds or maybe thousands 
requests (if these metrics make any sense).



In chrome, the requests are in a 'pending' status.

Restarting chrome allows to do one or two requests and then issue occurs 
again


Restarting apache doesn't change anything.

Restarting Tomcat resolves the situation. Tomcat shutdown is a bit longer. 
Request in chrome ends when tomcat stops.



I'm not very inspired by this issue and actually trying to find 
inspiration in jmx and log files but nothing pops up.



Does someone have an idea ?



thanks

Stephane





Re: JS fiddle for generating TLS keys and certs

2022-06-29 Thread Christopher Schultz

Jason,

On 6/28/22 20:41, Jason Tan wrote:

Looks good, Chris. I'll give it a try when I need to generate some
keys and cert next. SSL keys and certs concepts sounds logical and
easy but generating them is such a pain. No GUI tool to consolidate
and perform the lot for self signed. I started using keystore
explorer to examine the generated certs and keystore to understand it
better.


Does KSE not handle self-signed certs? By default, Java's keytool 
produces self-signed certs, and Keystore Explorer was written to work 
primarily with Java keystores (I think).



It doesn't help things that different app and different app
versions may have different security requirements which means old
keys and certs no longer work in the newer version. Or work for one
app but not a different app.

Every product should work with PKCS12 files. Forget JKS and JCEKS. KSE 
should be able to export to PEM, which is IMO the easiest possible file 
format to work with. Every product should work with X.509 certs, but 
some may have different requirements for what they will accept in terms 
of bit-strength-levels and stuff like that. For example, minting a 
512-bit RSA key is not acceptable these days, but it's possible to do.


I think you just need to become more familiar with "industry standard" 
acceptable practices if you are going to be responsible for generating 
your own keys and certs.


My tool tries to make it difficult for you to create garbage. For 
example, it doesn't allow you to create an RSA key with less than 3072 
bits, or an EC key with less than 128 bits. It encourages you to use 
4096 / 256 (but should include 384, honestly) because those are fairly 
forward-looking bit-strengths.


-chris

[1] https://keystore-explorer.org/


-Original Message-
From: Christopher Schultz 
Sent: Wednesday, 29 June 2022 2:44 AM
To: Tomcat Users List 
Subject: JS fiddle for generating TLS keys and certs

All,

I recently built this into an application at $work and I figured I would give 
it away for anyone who might get some use out of it.

https://jsfiddle.net/ny1egwaz/

It doesn't actually generate a key + cert – nor should you ever trust another 
site to generate your keys for you! Instead, it gives you copy/paste commands 
that you can use to generate those keys + certs on your own computer, and spits 
them out on standard output so you can install them wherever you need them.

Suggestions welcome.

-chris
