SSL Connection Leak #3038
Comments
|
Jetty 9.4.12.v20180830 is the latest codebase and has hundreds of bug fixes over 9.4.9. Jetty 9.4.8 is vulnerable to multiple CVEs, we do not recommend running that version. |
|
We tested 9.4.12, but unfortunately, it still has the same issue |
|
@wufei2016 we have had other reports of this kind, and all of them turned out to not be a Jetty problem. If you can reproduce the issue, please attach a reproducible project for us to replicate. Attach also a JVM thread dump and a server dump, so that we can analyze the situation. |
|
@wufei2016 any update? do you have a reproduction case? or a server dump that we can analyze? |
|
I can provide the jetty log file if it helps. The dump file is too big. it is about 20G. |
|
@wufei2016 I doubt the server dump file is 20G. We're not asking for the heap dump, but the server dump which is a text file easily compressible. |
|
@wufei2016 please follow the link that @sbordet provided on how to collect a Jetty server dump. |
|
Here is the Jetty server dump: |
|
The server dump shows 1046 connections that you have configured with a quite long idle timeout, 5 minutes. 998 of them are in TLS It is as if after the first request they are trying to close the connection and write the TLS I see you are using FIPS What exact JVM version and vendor are you using? |
|
FIPSSslContextFactory is a wrapper which overrides getKeyManagers to workaround FIPS mode issue. Here is JVM info: We also tested it on oracle jdk 1.8.0_181 and oracle jdk 1.8.0_151, we got same result. |
|
@wufei2016 what we see from the server dump is strange, but I have no idea how that situation could possibly be generated. |
|
Here is the debug log and network trace: |
|
Thanks, we have been able to reproduce the issue. |
First pass at fixing the issue by forcing input shutdown on the raw EndPoint when SslConnection reads the close_notify TLS message. Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
Try to read -1 normally on TLS close before forcing shutdown input When HTTP/1 is completed, shutdown output if the input is shutdown Signed-off-by: Greg Wilkins <gregw@webtide.com>
|
There is definitely something strange going on. The current fixes in the branch do make it better, but it is still not perfect. Thus I don't think we've fully understood the hole in selection/closing after such request handling. More analysis needed but confident we've got a good reproduction now so we'll have a good fix next week. |
Fixed SSL spin caused when fill had NEED_WRAP, but a flush/wrap produced 0 bytes and stayed in NEED_WRAP Removed check of isInputShutdown prior to filling that allowed EOF to overtake data already read. Reverted prior fix for SSL leak Alternate fix for leak by shutting down output in HttpConnection if filled -1 and the HttpChannelState was no longer processing current request. Signed-off-by: Greg Wilkins <gregw@webtide.com>
Extra test for chunked input Cleaned up after some review Signed-off-by: Greg Wilkins <gregw@webtide.com>
turn off debug Signed-off-by: Greg Wilkins <gregw@webtide.com>
Change to HttpParser made content and contentComplete events non separable. Updated HttpClient to cope. Signed-off-by: Greg Wilkins <gregw@webtide.com>
Ensure content state reset before resuming Signed-off-by: Greg Wilkins <gregw@webtide.com>
|
The problem was that if there was unconsumed input AND an EOF after a persistent request, then the consumeAll method would consume both the content and the EOF before recycling the request. The EOF was then seen in END state rather than in start state, so an earlyEOF event was not generated. This was compounded by end-chunk and TLS close handshakes looking like unconsumed input if the servlet had not read the -1. |
Issue #3038 - SSL connection leak. Fixed SSL spin caused when fill had NEED_WRAP, but a flush/wrap produced 0 bytes and stayed in NEED_WRAP Removed check of isInputShutdown prior to filling that allowed EOF to overtake data already read. Fix for leak by shutting down output in HttpConnection if filled -1 and the HttpChannelState was no longer processing current request. Signed-off-by: Simone Bordet <simone.bordet@gmail.com> Signed-off-by: Greg Wilkins <gregw@webtide.com>
Don't call handleContentMessage after content call if the content call returns true. This is a slight bending of the parser contract to work around the current client interpretation that a true return will prevent other events from being delivered. Signed-off-by: Greg Wilkins <gregw@webtide.com>
|
The previous fix broke the proxy, so 041e8fd is an alternative fix that makes the MessageComplete event separable from the last Content event. |
|
I can reproduce this issue on 9.4.15 with TLS backed by conscrypt. Even if To reproduce, start an https server and create some load with tools like |
We recently upgraded to 9.4.9.v20180320, we observed that there are about 200000 unclosed jetty connections for running 12 hours and the cpu usage become higher and higher during the test.
After a few days investigation, I think this should be a regression for "HTTP Close #1832 #2338". It works without any issue if we switch to 9.4.8.v20180619
The text was updated successfully, but these errors were encountered: