On 27.10.2017 16:55, George S. wrote:
I'm seeing some strange SSL errors. They're not reproducible consistently, and I think they're because the PRNG is initializing after the Connector. Here's some log output:

26-Oct-2017 17:04:08.380 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
26-Oct-2017 17:04:08.429 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-jsse-nio-443"]
26-Oct-2017 17:04:08.459 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
26-Oct-2017 17:04:08.492 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 56903 ms
26-Oct-2017 17:05:16.364 WARNING [localhost-startStop-1] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [118,978] milliseconds.

If that means actually 118 thousand 978 milliseconds (just shy of 2 minutes), that looks like a lot. According to the little I have been able to grab while perusing this list, that would indicate some serious difficulty for that host in generating sufficient entropy.
Maybe time to read the FAQ:
https://wiki.apache.org/tomcat/HowTo/FasterStartUp
Item 3.

The exception is:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)

Has anyone else seen something like this? The app is making an internal SSL connection to another servlet.

That does indeed not seem to make a lot of sense, unless this servlet could possibly be running on another server.

I don't know why they didn't use a RequestDispatcher and do .include(), but it's not my code.
Anyhow, am I right that the exception is probably related to the connectors coming up before the PRNG?

Tomcat is starting a Connector ["https-jsse-nio-443"], for which I suppose it also needs entropy. Does the log say when that Connector is actually finished with starting up?
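
A timeline check over the log lines quoted in this thread, added here as an example and not written by either poster or taken from Tomcat: it reconstructs when the SecureRandom creation must have begun and which connectors started while it was still running. It assumes the warning is logged once creation has finished, so the call began `took` milliseconds earlier; the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Log lines from the thread above, with the e-mail line wrapping undone.
LOG = """\
26-Oct-2017 17:04:08.380 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
26-Oct-2017 17:04:08.429 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-jsse-nio-443"]
26-Oct-2017 17:04:08.459 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
26-Oct-2017 17:04:08.492 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 56903 ms
26-Oct-2017 17:05:16.364 WARNING [localhost-startStop-1] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [118,978] milliseconds.
"""

STAMP = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) ")
CONNECTOR = re.compile(r'Starting ProtocolHandler \["([^"]+)"\]')
PRNG = re.compile(r"Creation of SecureRandom instance .*? using \[(\w+)\] "
                  r"took \[([\d,]+)\] milliseconds")


def timeline(log):
    """Return ({connector: start time}, SecureRandom creation window or None)."""
    connectors, prng = {}, None
    for line in log.splitlines():
        stamp = STAMP.match(line)
        if not stamp:
            continue  # continuation line or unrelated output
        when = datetime.strptime(stamp.group(1), "%d-%b-%Y %H:%M:%S.%f")
        conn, slow = CONNECTOR.search(line), PRNG.search(line)
        if conn:
            connectors[conn.group(1)] = when
        elif slow:
            took = timedelta(milliseconds=int(slow.group(2).replace(",", "")))
            # Assumption: the warning is written when creation completes.
            prng = {"algorithm": slow.group(1), "start": when - took, "end": when}
    return connectors, prng


def started_during_seeding(log):
    """Connectors that came up inside the window, with the time still to wait."""
    connectors, prng = timeline(log)
    if prng is None:
        return {}
    return {name: prng["end"] - ts for name, ts in connectors.items()
            if prng["start"] <= ts < prng["end"]}


if __name__ == "__main__":
    for name, wait in started_during_seeding(LOG).items():
        print(f"{name}: started {wait.total_seconds():.3f}s before SecureRandom was ready")
```

On the quoted log, all three connectors fall inside the creation window, each starting roughly 68 seconds before the session ID SecureRandom finished.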