[ https://issues.apache.org/jira/browse/HTTPCLIENT-2328?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Zoe Wang updated HTTPCLIENT-2328:
---------------------------------
    Description: 
If a server with TLS 1.3 support closes the connection during the request, more 
specifically, sending close_notify while the client is still writing to socket, 
 the request will hang indefinitely. It's not an issue with TLS 1.2 because it 
uses duplex-close policy. With TLS 1.3's half-closed connection policy, it 
seems Apache HTTP client is not able to detect connection closure properly. We 
are able to reproduce the issue with both 4.x and 5.x. I should note that HTTP 
URL connection does not have this issue.

The workaround is to set `jdk.tls.acknowledgeCloseNotify` to true (see 
[https://bugs.openjdk.org/browse/JDK-8208526]), but that would require a lot of 
users to make changes on their side. 

 

Steps to repro:
 * Download the attached keystore file
 * Update ksPath in the server code HalfCloseServer.java to where you download 
the keystore
 * Run the server, the server will begin listening on {{localhost:8081}}
 * Create a random file of size 128MB and update client code "testFile" to 
where the file is.
 * Run the client, it should hang
 ** If System.setProperty("jdk.tls.acknowledgeCloseNotify", "true") is 
uncommented, it will not hang
 ** It also won’t hang if we force TLS1.2

 

  was:
If a server with TLS 1.3 support closes the connection during the request, more 
specifically, sending close_notify while the client is still writing to socket, 
 the request will hang indefinitely. It's not an issue with TLS 1.2 because it 
uses duplex-close policy. With TLS 1.3's half-closed connection policy, it 
seems Apache HTTP client is not able to detect connection closure properly. We 
are able to reproduce the issue with both 4.x and 5.x. I should note that HTTP 
URL connection does not have this issue.

The workaround is to set `jdk.tls.acknowledgeCloseNotify` to true (see 
https://bugs.openjdk.org/browse/JDK-8208526), but that would require a lot of 
users to make changes on their side. 

 

Steps to repro:
 * Download the attached keystore file
 * Update ksPath in the server code HalfCloseServer.java to where you download 
the keystore
 * Run the server, the server will begin listening on {{localhost:8081}}
 * Create a random file of size 128MB and update client code `testFile` to 
where the file is.
 * Run the client, it should hang
 * If System.setProperty("jdk.tls.acknowledgeCloseNotify", "true") is 
uncommented, it will not hang
 * It also won’t hang if we force TLS1.2

 


> Request hangs if TLS 1.3 connection is half-closed 
> ---------------------------------------------------
>
>                 Key: HTTPCLIENT-2328
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2328
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (classic)
>    Affects Versions: 4.5.14, 5.3.1
>            Reporter: Zoe Wang
>            Priority: Major
>         Attachments: HalfCloseApache5Client.Java, HalfCloseServer.java, 
> TlsHalfCloseApache4.java, keystore.jks
>
>
> If a server with TLS 1.3 support closes the connection during the request, 
> more specifically, sending close_notify while the client is still writing to 
> socket,  the request will hang indefinitely. It's not an issue with TLS 1.2 
> because it uses duplex-close policy. With TLS 1.3's half-closed connection 
> policy, it seems Apache HTTP client is not able to detect connection closure 
> properly. We are able to reproduce the issue with both 4.x and 5.x. I should 
> note that HTTP URL connection does not have this issue.
> The workaround is to set `jdk.tls.acknowledgeCloseNotify` to true (see 
> [https://bugs.openjdk.org/browse/JDK-8208526]), but that would require a lot 
> of users to make changes on their side. 
>  
> Steps to repro:
>  * Download the attached keystore file
>  * Update ksPath in the server code HalfCloseServer.java to where you 
> download the keystore
>  * Run the server, the server will begin listening on {{localhost:8081}}
>  * Create a random file of size 128MB and update client code "testFile" to 
> where the file is.
>  * Run the client, it should hang
>  ** If System.setProperty("jdk.tls.acknowledgeCloseNotify", "true") is 
> uncommented, it will not hang
>  ** It also won’t hang if we force TLS1.2
>  
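
The two workarounds named in the report, sketched for HttpClient 4.5.x as an added example (not code from the issue or its attachments). The class name, the use of POST for the upload, and the command-line arguments are assumptions.

```java
import java.io.File;
import javax.net.ssl.SSLContext;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.entity.FileEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

// Hypothetical class name; illustrates the workarounds only.
public class HalfCloseWorkarounds {

    // Workaround 1 (JDK-8208526): JVM-wide, affects every TLS connection in
    // the process. Call it before the first TLS connection is made, or pass
    // -Djdk.tls.acknowledgeCloseNotify=true on the command line instead.
    static void acknowledgeCloseNotify() {
        System.setProperty("jdk.tls.acknowledgeCloseNotify", "true");
    }

    // Workaround 2: restrict this one client to TLS 1.2, whose duplex-close
    // behaviour avoids the hang. Scoped to the client, but gives up TLS 1.3.
    static CloseableHttpClient tls12OnlyClient() {
        SSLContext ctx = SSLContexts.createDefault();
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
                ctx,
                new String[] {"TLSv1.2"},   // enabled protocols
                null,                        // keep default cipher suites
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        return HttpClients.custom().setSSLSocketFactory(sf).build();
    }

    // args[0] = https URL of the server, args[1] = path of the large file.
    // The default trust store is used here; a server with a self-signed
    // certificate needs its certificate added as trust material.
    public static void main(String[] args) throws Exception {
        acknowledgeCloseNotify(); // either workaround alone is sufficient per the report
        try (CloseableHttpClient client = tls12OnlyClient()) {
            HttpPost post = new HttpPost(args[0]);
            post.setEntity(new FileEntity(new File(args[1])));
            try (CloseableHttpResponse rsp = client.execute(post)) {
                System.out.println(rsp.getStatusLine());
            }
        }
    }
}
```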


