[ https://issues.apache.org/jira/browse/HTTPCLIENT-2328?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17851984#comment-17851984 ]

Oleg Kalnichevski commented on HTTPCLIENT-2328:
-----------------------------------------------

[~Zoe Wang] Ultimately the fix itself is fairly simple [1]. However it requires 
quite a bit of refactoring in the blocking connection and TLS code [2]. For 
one, it was no longer possible to use SSL socket auto-close mode and SSL 
sockets now must be managed independently from their underlying network socket. 
This allows for greater control over TLS protocol at the price of greater 
complexity.

These changes fix the problem for me locally. The use of 
`MonitoringResponseOutOfOrderStrategy` is not necessary.

Please review / test locally.

Oleg

[1] https://github.com/apache/httpcomponents-core/pull/468/commits/fc093c403ef4cbee9e0c6100fabe5a5e2ff73efc
[2] https://github.com/apache/httpcomponents-core/pull/468/commits/3277ffe85c76be0f0c6cefeec4d1b1412d5e256d

> Request hangs if TLS 1.3 connection is half-closed 
> ---------------------------------------------------
>
>                 Key: HTTPCLIENT-2328
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2328
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (classic)
>    Affects Versions: 4.5.14, 5.3.1
>            Reporter: Zoe Wang
>            Priority: Minor
>             Fix For: 5.3.2, 5.4-alpha3
>
>         Attachments: HalfCloseApache5Client.Java, HalfCloseServer.java, 
> TlsHalfCloseApache4.java, keystore.jks
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> If a server with TLS 1.3 support closes the connection during the request, 
> more specifically, sending close_notify while the client is still writing to 
> socket, the request will hang indefinitely. It's not an issue with TLS 1.2 
> because it uses duplex-close policy. With TLS 1.3's half-closed connection 
> policy, it seems Apache HTTP client is not able to detect connection closure 
> properly. We are able to reproduce the issue with both 4.x and 5.x. I should 
> note that HTTP URL connection does not have this issue.
> The workaround is to set `jdk.tls.acknowledgeCloseNotify` to true (see 
> [https://bugs.openjdk.org/browse/JDK-8208526]), but that would require a lot 
> of users to make changes on their side. 
>  
> Steps to repro:
>  * Download the attached keystore file
>  * Update ksPath in the server code HalfCloseServer.java to where you 
> download the keystore
>  * Run the server, the server will begin listening on `localhost:8081`
>  * Create a random file of size 128MB and update client code "testFile" to 
> where the file is.
>  * Run the client, it should hang
>  ** If System.setProperty("jdk.tls.acknowledgeCloseNotify", "true") is 
> uncommented, it will not hang
>  ** It also won’t hang if we force TLS 1.2
>  



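The two client-side mitigations named in the issue description (acknowledging `close_notify`, or forcing TLS 1.2), sketched for HttpClient 5.x classic. This is an added example, not code from the issue's attachments or from the HttpComponents project; the class and method names are hypothetical, and it assumes a 5.x release that does not yet carry the fix.

```java
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
import org.apache.hc.client5.http.io.HttpClientConnectionManager;
import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactoryBuilder;
import org.apache.hc.core5.http.ssl.TLS;

// Hypothetical helper class: illustrates the mitigations from the issue text.
public final class HalfCloseMitigations {

    // Mitigation A (JVM-wide): the workaround from the issue, see JDK-8208526.
    // JSSE reads the property once, so call this at startup, before the
    // first TLS connection is created anywhere in the process.
    static void acknowledgeCloseNotify() {
        System.setProperty("jdk.tls.acknowledgeCloseNotify", "true");
    }

    // Mitigation B (per client): offer only TLS 1.2, which the issue reports
    // does not hang because it uses the duplex-close policy.
    // Trade-off: this client gives up TLS 1.3 for every host it talks to.
    static CloseableHttpClient tls12OnlyClient() {
        SSLConnectionSocketFactory tlsFactory = SSLConnectionSocketFactoryBuilder.create()
                .setTlsVersions(TLS.V_1_2)
                .build();
        HttpClientConnectionManager connectionManager =
                PoolingHttpClientConnectionManagerBuilder.create()
                        .setSSLSocketFactory(tlsFactory)
                        .build();
        return HttpClients.custom()
                .setConnectionManager(connectionManager)
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Either mitigation is sufficient according to the issue; both are
        // applied here only to show where each one belongs.
        acknowledgeCloseNotify();
        try (CloseableHttpClient client = tls12OnlyClient()) {
            System.out.println("acknowledgeCloseNotify="
                    + System.getProperty("jdk.tls.acknowledgeCloseNotify")
                    + ", client restricted to " + TLS.V_1_2.getId());
        }
    }
}
```

Both are stopgaps: the issue lists 5.3.2 and 5.4-alpha3 as the fix versions, and the comment above states that `MonitoringResponseOutOfOrderStrategy` is not necessary with the fix in place.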