George,

On 10/16/19 12:55, George Stanchev wrote:
> On 15/10/2019 22:15, George Stanchev wrote:
>> Hi,
>>
>> I would need some help with tracking an issue with TC 8.5.47
>> (windows x64, java: azul 1.8.0_222) configured with [1] and
>> tcnative-1.dll. When a simple client tries to connect to the
>> server, the server hangs on SSL handshake until either the client
>> times out on read or the server times out (if I set the
>> HttpsURLConnection#setConnectTimeout(0) and
>> ...#setReadTimeout(0)). I have enabled the client side SSL trace
>> and everything goes well until ECDH key exchange (for brevity I
>> have enabled only one TLS suite
>> "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"). I can provide the debug
>> logs if requested. The cacerts we use is whatever comes with
>> Azul's Java distro which has ~150 entries + the custom cert for
>> testing. The issue comes from how the connector deals with
>> trusted certs because if I reduce the cacerts to contain only the
>> test certificate, the request is being served without an issue.
>> Also if I remove the tcnative-1.dll from TC there is no issue
>> either.
>>
>> Perhaps I am missing something. Any help is appreciated.
>
> <Mark wrote> This sounds like it is repeatable and that you have a
> system you can test with. On that basis here are a few things to
> try:
>
> 1. Take 3 thread dumps ~5s apart of the Tomcat process when TLS
> handshake is hanging.
>
> 2. Try a binary search to try and determine if the issue is the
> number of certificates in the trust store or is caused by a
> specific certificate.
>
> It sounds like there might be an issue converting one or more of
> the trusted certs in the trust store to a format OpenSSL can work
> with.
>
> </Mark wrote>
>
> So the thread dumps didn't prove to be very useful - at least I
> couldn't see anything.

Me, either. Can you try again using:

pollerThreadCount="1"

and

acceptorThreadCount="1"

on your <Connector> to see if that changes anything?

Do you notice a spike in CPU when the connection hangs?

-chris
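
The binary search over the trust store suggested in the quoted reply, sketched as an added example that is not part of the original thread. `handshake_ok` is a hypothetical callback (in practice: rebuild the trust store with the given aliases, restart the connector, retry the client); the aliases and the two simulated failure modes are constructed.

```python
from typing import Callable, List, Sequence, Tuple

# Hypothetical predicate type: given the aliases placed in a trial trust
# store, return True if the TLS handshake against Tomcat completes.
HandshakeOk = Callable[[List[str]], bool]


def bisect_truststore(aliases: Sequence[str], keep: Sequence[str],
                      handshake_ok: HandshakeOk) -> Tuple[str, List[str]]:
    """Narrow a hanging handshake down to one alias or to store size.

    `keep` holds aliases present in every trial (the test certificate).
    """
    keep = list(keep)
    if not handshake_ok(keep):
        return ("baseline-fails", [])      # hangs even with the minimal store
    current = [a for a in aliases if a not in keep]
    if handshake_ok(keep + current):
        return ("not-reproduced", [])      # full store works: nothing to bisect
    while len(current) > 1:
        mid = len(current) // 2
        left, right = current[:mid], current[mid:]
        if not handshake_ok(keep + left):
            current = left                 # culprit (or enough entries) on the left
        elif not handshake_ok(keep + right):
            current = right
        else:
            # Each half works alone but the union hangs: the trigger is the
            # number of entries or a combination, not a single certificate.
            return ("size-or-combination", current)
    return ("single-certificate", current)


# Constructed sample: 150 CA aliases plus the test certificate.
SAMPLE_ALIASES = [f"ca-{i:03d}" for i in range(150)]
TEST_CERT = ["test-cert"]


def simulate_bad_certificate(store: List[str]) -> bool:
    return "ca-097" not in store           # one entry breaks the handshake


def simulate_size_limit(store: List[str]) -> bool:
    return len(store) <= 100               # too many entries breaks it


if __name__ == "__main__":
    print(bisect_truststore(SAMPLE_ALIASES, TEST_CERT, simulate_bad_certificate))
    print(bisect_truststore(SAMPLE_ALIASES, TEST_CERT, simulate_size_limit))
```

A "size-or-combination" result points at the number of entries rather than one certificate, which is the distinction the binary search is meant to settle.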