I use Tomcat 8.5.4 to build an HTTPS-based server on port 443 like this:

```xml
<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="8000" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="conf/rs_keystore.jks" keystorePass="ntsdawn"
    clientAuth="false" sslProtocol="TLS"/>
```

But a client uses TCP to connect to port 8000, and then quickly closes the TCP connection. After this, on my server the connection is in CLOSE_WAIT status, and more importantly, the CPU grows and org.apache.tomcat.util.net.TLSClientHelloExtractor objects are created very fast until the GC triggers:

```
root@nts32:/home/vcloud/apache-tomcat-8.5.4/logs# jmap -histo 14 | head
 num     #instances         #bytes  class name
----------------------------------------------
   1:       5159655      165108960  java.util.HashMap$Node
   2:          9138      131509512  [I
   3:       5148446      123562704  java.util.ArrayList
   4:       5145501      123492024  java.util.concurrent.LinkedBlockingQueue$Node
   5:       5145486      123491664  org.apache.tomcat.util.net.TLSClientHelloExtractor
   6:       3210008      102720256  java.util.concurrent.locks.AbstractQueuedSynchronizer$Node
   7:       2162508       86500320  java.util.HashMap$KeyIterator
```

And the connection will stay at CLOSE_WAIT forever....

But if I modify the server.xml to use HTTP instead of HTTPS, like this:

```xml
<Connector port="8000" protocol="org.apache.coyote.http11.Http11NioProtocol"
    connectionTimeout="20000"
    redirectPort="8443" />
```

Then everything is OK. The TCP connection comes in, and my server replies with a FIN when the client sends the FIN.

Is anything wrong with my HTTPS configuration?
Best answer
There's a bug in Tomcat 8.5.4 wherein TLS connections get into a loop when the socket connection is dropped before the TLS handshake is complete. Upgrading to Tomcat 8.5.5 or above should fix this.
Below is the bug:
https://bz.apache.org/bugzilla/show_bug.cgi?id=60035
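
To confirm the symptom described in the question on a running host, the following added example (not part of the original question or answer, and not Tomcat code) compares two socket-table snapshots taken some time apart and reports connections on the connector port that are in CLOSE_WAIT in both. The function names and the sample snapshots are constructed for illustration; the input is assumed to be `ss -tan` or `netstat -tan` output.

```python
# Added example: the snapshots below are constructed sample data.
SNAP_T0 = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      100    *:8000              *:*
CLOSE-WAIT 1      0      10.0.0.5:8000       10.0.0.9:51234
CLOSE-WAIT 1      0      10.0.0.5:8000       10.0.0.9:51240
ESTAB      0      0      10.0.0.5:8000       10.0.0.7:40112
CLOSE-WAIT 0      0      10.0.0.5:22         10.0.0.2:50000
"""
SNAP_T1 = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      100    *:8000              *:*
CLOSE-WAIT 1      0      10.0.0.5:8000       10.0.0.9:51234
CLOSE-WAIT 1      0      10.0.0.5:8000       10.0.0.9:51240
CLOSE-WAIT 1      0      10.0.0.5:8000       10.0.0.9:51300
"""


def close_wait_conns(snapshot, port):
    """Return {(local, peer)} for sockets in CLOSE_WAIT on the given local port."""
    conns = set()
    for line in snapshot.splitlines():
        f = line.split()
        if len(f) < 5:
            continue
        if f[0].lower().startswith("tcp"):   # netstat layout: proto first, state last
            state = f[5] if len(f) > 5 else ""
        else:                                 # ss layout: state first
            state = f[0]
        # ss prints CLOSE-WAIT, netstat prints CLOSE_WAIT
        if state.replace("-", "_").upper() != "CLOSE_WAIT":
            continue
        local, peer = f[3], f[4]
        # rsplit keeps IPv6-style addresses such as ::ffff:10.0.0.5:8000 intact
        if local.rsplit(":", 1)[-1] == str(port):
            conns.add((local, peer))
    return conns


def persistent_close_wait(earlier, later, port):
    """Connections in CLOSE_WAIT in both snapshots: the peer sent FIN, the server never closed."""
    return sorted(close_wait_conns(earlier, port) & close_wait_conns(later, port))


if __name__ == "__main__":
    for local, peer in persistent_close_wait(SNAP_T0, SNAP_T1, 8000):
        print(f"still CLOSE_WAIT: {local} <- {peer}")
```

A set of connections that stays in the result across snapshots, and grows over time, matches the behaviour reported for 8.5.4; after upgrading, the same check should come back empty once clients disconnect.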