-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

George,

On 10/16/19 12:55, George Stanchev wrote:
>
> On 15/10/2019 22:15, George Stanchev wrote:
>> Hi,
>>
>> I would need some help with tracking an issue with TC 8.5.47
>> (windows x64, java: azul 1.8.0_222) configured with [1] and
>> tcnative-1.dll. When a simple client tries to connect to the
>> server, the server hangs on SSL handshake until either the client
>> times out on read or the server times out (if I set the
>> HttpsURLConnection#setConnectTimeout(0) and
>> ...#setReadTimeout(0)). I have enabled the client side SSL trace
>> and everything goes well until ECDH key exchange (for brevity I
>> have enabled only one TLS suite
>> "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"). I can provide the debug
>> logs if requested. The cacerts we use is whatever comes with
>> Azul's Java distro which has ~150 entries + the custom cert for
>> testing. The issue comes from how the connector deals with
>> trusted certs because if I reduce the cacerts to contain only the
>> test certificate, the request is being served without an issue.
>> Also if I remove the tcnative-1.dll from TC there is no issue
>> either.
>>
>> Perhaps I am missing something. Any help is appreciated.
>
> <Mark wrote> This sounds like it is repeatable and that you have a
> system you can test with. On that basis here are a few things to
> try:
>
> 1. Take a 3 thread dumps ~5s apart of the Tomcat process when TLS
> handshake is hanging.
>
> 2. Try a binary search to try and determine if the issue is the
> number of certificates in the trust store or is caused by a
> specific certificate.
>
> It sounds like there might be an issue converting one or more of
> the trusted certs in the trust store to a format OpenSSL can work
> with.
>
> </Mark wrote>
>
> So the thread dumps didn't prove to be very useful - at least I
> couldn't see anything.

Me, either.

Can you try again using:

pollerThreadCount="1"
and
acceptorThreadCount="1"

on your <Connector> to see if that changes anything?

Do you notice a spike in CPU when the connection hangs?

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl2nbIYACgkQHPApP6U8
pFguXQ//cFd9lOb665cZRC68AB/0p869DBPRN9Cie8EALUgHicYSdEiRCWAUofuJ
MZx8/Sds3mrB965nmfcNLWRQBBkDqVRrN39yqOMumAZeohZq9phUbGT8chsdHD8C
tI8T96bEvKIlOtHoWK9qIYoEKZQ0nKotc0Rz49xZXTNmHmIred4nmR5fCQG4R5qD
xoqXOo5wui3aN7y9VBk+sWBQh0HGpOXvGAHaQ2NbSKE6VTitiiEM92n6Dkz60wnG
QbK2KrflW5E36NdVwNvFkqR/H3WVCrABBJ6puGHAL3nmlhg/n+MTpyqd7nkg1WSU
j1U+hqxN4EHPlTcBUtaeb6DriwaQUIHNMH3h0J8H/UyfvoIRVPA570LF5Cycj7oK
zlVgVmsZIZjIzt+qP6xzKkvhXzPLpemIOheDOZO4opgPdHIXGPAI9XVzwrARxMfv
KeqyA16XrU6pM7GKvkDEnSDiMye/pPGbq/U3mnYdlRs4Lwn9PvmnzBasSXbrsg6i
qeU1v6lSWPx18/9Qq1Qyfjxfgu3SkBpvHypwdv3MNMBk6Y2Gp/pg917FyqfNvoxX
l0TaIYYf5xL6bHsxj1uopUoCnl4KxaTAaQ3qYg4+hFO3nzDNTB1k+Xu+pbuePr3U
CyaIdmM3sqN7fNIwbfQ1slXrckavl+z/ZZmTZn2zIfa1yeMmP4s=
=vkfG
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to