Hi,
I need some help tracking down an issue with Tomcat 8.5.47 (Windows x64,
Java: Azul 1.8.0_222) configured as in [1] and with tcnative-1.dll present. When a
simple client tries to connect to the server, the server hangs during the TLS
handshake until either the client's read times out or, if I disable the client
timeouts with HttpsURLConnection#setConnectTimeout(0) and #setReadTimeout(0),
the server times out.
I have enabled the client-side SSL debug trace, and everything proceeds normally
up to the ECDHE key exchange, where it stalls (for this trace I enabled only one
cipher suite, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", rather than the full list
in [1]). I can provide the debug logs if
requested. The cacerts trust store we use is the one shipped with Azul's Java
distribution, which has ~150 entries, plus the custom certificate added for
testing. The issue seems to lie in how the connector handles trusted
certificates: if I reduce cacerts to contain only the test certificate, the
request is served without any issue, and if I remove tcnative-1.dll from Tomcat
there is no issue either.
Perhaps I am missing something. Any help is appreciated.
George
[1]
<!--
  NOTE(review): security-relevant caveats on this connector; the attributes
  below are left exactly as posted.

  1. clientAuth="true" is set but no truststoreFile/truststorePass is given, so
     client certificates are validated against a default trust store. Per the
     report above, what is in effect is the JVM cacerts with ~150 public CAs
     plus the test certificate. In TLS the server advertises every acceptable
     CA DN in its CertificateRequest, so (a) any client certificate that chains
     to any of those public CAs passes TLS-level client authentication, and
     (b) the CertificateRequest message grows with the size of the store.
     Point client authentication at a dedicated truststoreFile holding only the
     CA that actually issues the client certificates. Since trimming cacerts to
     a single entry is reported to make the hang disappear, the size of that
     acceptable-CA list is worth ruling out first (presumed, not confirmed from
     what is shown here).

  2. sslEnabledProtocols enables TLSv1 and TLSv1.1, both deprecated (RFC 8996).
     Nothing here enables TLSv1.3, so the first three entries of ciphers
     (TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
     TLS_CHACHA20_POLY1305_SHA256) are TLS 1.3-only suite names and cannot be
     negotiated as configured.

  3. The ciphers list keeps static-RSA key exchange (TLS_RSA_*) suites, which
     give no forward secrecy, and TLS_RSA_WITH_3DES_EDE_CBC_SHA, a 64-bit block
     cipher (Sweet32). It also contains names that are not valid suite
     identifiers and should be expected to be ignored (check the startup log):
     TLS_ECDHE_ECDSA_WITH_AES_128_SHA_GCM_SHA256,
     TLS_ECDHE_ECDSA_WITH_AES_128_SHA_CBC_SHA256,
     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_CCM_8, TLS_ECDHE_ECDSA_WITH_AES_256_SHA.
     The reporter's trace used only TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, not this
     list, so the posted config is not byte-for-byte the one that was traced.

  4. keystorePass="changeit" is the well-known JDK default, stored in clear
     text; acceptable for a reproduction, not for a deployed server.
-->
<Connector
port="8443" SSLEnabled="true" maxHttpHeaderSize="8192"
maxThreads="150" acceptCount="100" enableLookups="false"
disableUploadTimeout="true"
scheme="https" secure="true" clientAuth="true" sslProtocol="TLS"
sslEnabledProtocols="+TLSv1 +TLSv1.1 +TLSv1.2"
protocol="org.apache.coyote.http11.Http11NioProtocol"
keystoreType="JKS"
keystoreFile="${server.conf.dir}/serena.keystore" keystorePass="changeit"
keyAlias="jboss" URIEncoding="UTF-8" useServerCipherSuitesOrder="true"
ciphers="TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_SHA_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_SHA_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_CCM_8,
TLS_ECDHE_ECDSA_WITH_AES_256_CCM, TLS_ECDHE_ECDSA_WITH_AES_256_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384" />