Isaac,
On 8/25/24 13:27, Isaac Klickstein wrote:
> Hello Tomcat Users
> Tomcat Version: 10.1.28
> OpenSSL version: 3.0.14
> Tomcat Native Client: 2.0.8
What is the "Tomcat Native Client"?
> I have configured an HTTPS connector with the
> org.apache.coyote.http11.Http11NioProtocol protocol and the
> org.apache.tomcat.util.net.openssl.OpenSSLImplementation sslImplementationName
> using TLSv1.2
> When I tcpdump any request to this connector, Tomcat is not returning a
> "close_notify" in response to a client's close_notify, and I cannot figure out
> how to force Tomcat to return a close_notify. This seems to be a violation of the TLS
> protocol, which demands both sides issue a close_notify.
Careful: both the client and the server are always allowed to be
powered-off before they respond to any network stimulus. This is what
timeouts are for. TLS cannot place any more requirements on the network
peers than TCP has already done.
> Recreating this situation, as far as I can tell, only requires combining the
> Http11NioProtocol with the OpenSSLImplementation (Tomcat 9 or Tomcat 10, TLSv1.2
> or TLSv1.3, OpenSSL 3.0, 3.1, and 3.2 all exhibit this behavior).
How do you trigger this behavior? Just any request like "curl
https://example.com/" ?
> Other notes: switching the sslImplementationName to
> org.apache.tomcat.util.net.jsse.JSSEImplementation does return a close_notify
> by the server in response to the client's close_notify.
> Also, switching back to Tomcat 9 and using the
> org.apache.coyote.http11.Http11AprProtocol, Tomcat also returns a close_notify
> in response to a client's close_notify.
> I have run out of ideas; googling this behavior has turned up nothing related
> to Tomcat (although there does appear to be a similar behavior noticed in Netty,
> also using the OpenSSLEngine: https://github.com/netty/netty/issues/6167).
> Any help would be greatly appreciated. I am happy to send along any other
> information that would be informational for diagnostics.
So...
Tomcat 10.1 + NIO/JSSE+OpenSSLImplementation+tcnative = bad
Tomcat 9.0 + APR+tcnative = good
Tomcat 9.0 + NIO/JSSE+OpenSSLImplementation+tcnative = ?
-chris
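As an added example, not part of the thread above and not Tomcat or tcnative code: a small Python script that does the two things a reader of this thread will want to do. The first part walks a TLS record-layer byte stream (what you see per direction in tcpdump) and reports which side sent an alert record. Under TLS 1.2 the 5-byte record header is cleartext even though the alert body is encrypted, so a type-21 record from the server just before its FIN is the observable sign of a server close_notify; under TLS 1.3 alerts are wrapped as application_data records and this check cannot see them. The sample streams are constructed, not captured. The second part, probe_close_notify(), is an assumed live check: it connects, sends a HEAD request, then calls SSLSocket.unwrap(), which runs SSL_shutdown() and waits for the peer's close_notify, so it returns normally when the server answers with close_notify and raises when the server just drops TCP. The function names and the host/port arguments are mine, not the project's.

```python
"""Offline record-layer check plus an assumed live probe for the close_notify
behaviour discussed in the thread.  TLS 1.2 only for the offline part: in
TLS 1.3 alerts are sent as content type 23 (application_data)."""
import socket
import ssl
import struct

RECORD_HEADER = struct.Struct("!BHH")          # content_type, version, length
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def split_records(stream: bytes):
    """Split one direction of a TLS byte stream into records.

    Returns (records, leftover): records is a list of
    (content_type, version, payload); leftover holds a truncated trailing
    record, which is common when a capture is cut off mid-record.
    """
    records, off = [], 0
    while off + RECORD_HEADER.size <= len(stream):
        ctype, version, length = RECORD_HEADER.unpack_from(stream, off)
        body_start = off + RECORD_HEADER.size
        if body_start + length > len(stream):
            break                                  # truncated: keep as leftover
        records.append((ctype, version, stream[body_start:body_start + length]))
        off = body_start + length
    return records, stream[off:]


def record_types(stream: bytes):
    """Human-readable record sequence, e.g. ['application_data', 'alert']."""
    records, _ = split_records(stream)
    return [CONTENT_TYPES.get(ctype, f"unknown({ctype})") for ctype, _, _ in records]


def close_notify_seen(client_to_server: bytes, server_to_client: bytes) -> dict:
    """Did each side send an alert record?  On an orderly TLS 1.2 close the only
    alert a well-behaved peer sends is close_notify, so 'server_sent_alert': False
    followed by a bare FIN is the symptom reported in the thread."""
    return {
        "client_sent_alert": "alert" in record_types(client_to_server),
        "server_sent_alert": "alert" in record_types(server_to_client),
    }


def _rec(ctype: int, payload: bytes, version: int = 0x0303) -> bytes:
    return RECORD_HEADER.pack(ctype, version, len(payload)) + payload


# Constructed sample streams (not a real capture).  Post-handshake TLS 1.2 with an
# AES-GCM suite: a 2-byte alert becomes 8 (explicit nonce) + 2 + 16 (tag) = 26 bytes.
APP_DATA = _rec(23, b"\x00" * 40)
ALERT = _rec(21, b"\x00" * 26)
CLIENT_TO_SERVER = APP_DATA + ALERT                 # request, then client close_notify
SERVER_NO_CLOSE_NOTIFY = APP_DATA                   # response, then bare TCP FIN
SERVER_WITH_CLOSE_NOTIFY = APP_DATA + ALERT         # response, then close_notify


def probe_close_notify(host: str, port: int = 443, timeout: float = 5.0,
                       verify: bool = True) -> str:
    """Assumed live probe (not from the thread): initiate TLS shutdown from the
    client side and classify the server's reaction.

    SSLSocket.unwrap() drives SSL_shutdown(): it sends our close_notify, then
    reads until the peer's close_notify arrives.
      'close_notify'  unwrap() returned: the peer answered with close_notify
      'eof'           the peer closed TCP (FIN or RST) without a close_notify
      'timeout'       the peer did neither within `timeout` seconds
    Pins TLS 1.2 to match the connector configuration described above.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    if not verify:                       # lab server with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\n\r\n".encode())
            tls.recv(4096)               # read (the start of) the response
            try:
                tls.unwrap()
                return "close_notify"
            except socket.timeout:
                return "timeout"
            except OSError:              # ssl.SSLError, ConnectionResetError, ...
                return "eof"


if __name__ == "__main__":
    import sys
    print("client -> server:", record_types(CLIENT_TO_SERVER))
    print("server -> client:", record_types(SERVER_NO_CLOSE_NOTIFY),
          close_notify_seen(CLIENT_TO_SERVER, SERVER_NO_CLOSE_NOTIFY))
    if len(sys.argv) > 1:                # python3 this.py host [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(sys.argv[1], "->", probe_close_notify(sys.argv[1], port, verify=False))
```

Run it with no arguments to see the constructed good and bad server streams classified; pass a host (and optionally a port) to probe a real connector. Prefer the capture check when you can: the probe only tells you whether SSL_shutdown() completed, while the record walk shows the exact alert record and its position relative to the FIN.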
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org