[ https://issues.apache.org/jira/browse/HTTPCLIENT-2328?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17851326#comment-17851326 ]
Oleg Kalnichevski commented on HTTPCLIENT-2328:
-----------------------------------------------

[~Zoe Wang] I can reproduce the defect with the following code snippet using HttpCore. Please note the fix will still require the user to explicitly configure the client to use `MonitoringResponseOutOfOrderStrategy`.

{code:java}
// Trust material for the test server's certificate
SSLContext sslContext = SSLContextBuilder.create()
        .loadTrustMaterial(Paths.get("keystore.jks"), "password".toCharArray())
        .build();

HttpRequester requester = RequesterBootstrap.bootstrap()
        .setSslContext(sslContext)
        // Restrict the connection to TLS 1.3
        .setSslSetupHandler(sslParameters -> {
            sslParameters.setProtocols(new String[]{TLS.V_1_3.id});
        })
        .setConnectionFactory(DefaultBHttpClientConnectionFactory.builder()
                .responseOutOfOrderStrategy(MonitoringResponseOutOfOrderStrategy.INSTANCE)
                .build())
        .create();

HttpHost target = new HttpHost("https", "localhost", 8081);
// It needs to be a large file (128mb)
ClassicHttpRequest request = ClassicRequestBuilder.put("/")
        .setHttpHost(target)
        .setEntity(new PathEntity(Paths.get("output.dat"), ContentType.APPLICATION_OCTET_STREAM))
        .build();

HttpCoreContext context = HttpCoreContext.create();
try (ClassicHttpResponse response = requester.execute(target, request, Timeout.ofMinutes(1), context)) {
    EntityUtils.consume(response.getEntity());
}
{code}

> Request hangs if TLS 1.3 connection is half-closed
> ---------------------------------------------------
>
>                 Key: HTTPCLIENT-2328
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2328
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (classic)
>    Affects Versions: 4.5.14, 5.3.1
>            Reporter: Zoe Wang
>            Priority: Minor
>             Fix For: 5.3.2, 5.4-alpha3
>
>         Attachments: HalfCloseApache5Client.Java, HalfCloseServer.java,
>                      TlsHalfCloseApache4.java, keystore.jks
>
>
> If a server with TLS 1.3 support closes the connection during the request,
> more specifically, sending close_notify while the client is still writing to
> socket, the request will hang indefinitely. It's not an issue with TLS 1.2
> because it uses duplex-close policy. With TLS 1.3's half-closed connection
> policy, it seems Apache HTTP client is not able to detect connection closure
> properly. We are able to reproduce the issue with both 4.x and 5.x. I should
> note that HTTP URL connection does not have this issue.
> The workaround is to set `jdk.tls.acknowledgeCloseNotify` to true (see
> [https://bugs.openjdk.org/browse/JDK-8208526]), but that would require a lot
> of users to make changes on their side.
>
> Steps to repro:
> * Download the attached keystore file
> * Update ksPath in the server code HalfCloseServer.java to where you
> download the keystore
> * Run the server, the server will begin listening on {{localhost:8081}}
> * Create a random file of size 128MB and update client code "testFile" to
> where the file is.
> * Run the client, it should hang
> ** If System.setProperty("jdk.tls.acknowledgeCloseNotify", "true") is
> uncommented, it will not hang
> ** It also won't hang if we force TLS1.2