Bug 63571

Summary: The SSL sessionCacheSize config overwrites javax.net.ssl.sessionCacheSize
Product: Tomcat 7 Reporter: Letu Yang <yoroto>
Component: ConnectorsAssignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P2    
Version: trunk   
Target Milestone: ---   
Hardware: PC   
OS: Linux   

Description Letu Yang 2019-07-18 05:23:55 UTC
In JDK bug https://bugs.openjdk.java.net/browse/JDK-8213577 , it clearly mentioned that setting the SSL session cache size to indefinite is dangerous and could cause serious memory leak issue. I have seen a couple of cases in my company. The fix has updated the default value from 0 (indefinite) to 20480. This has also been backported to JDK8 https://bugs.openjdk.java.net/browse/JDK-8213577 .

However, the default value in Tomcat is still 0. Also, when it set the value, it does not consider whether the a different value has been set in JDK for JSSE. JDK allow users to use the system property javax.net.ssl.sessionCacheSize to set it as well. At the moment, Tomcat would overwrite both the JDK default value and also javax.net.ssl.sessionCacheSize. This basically reversed the fix in JDK.

There could be a couple of ways to fix this. I would suggest:
 - change the default value in Tomcat for sessionCacheSize to 20480, which is the same as the JDK fix.
 - unless the Tomcat user explicitly set sessionCacheSize to a different value, it should not try to call SSLSessionContext.setSessionCacheSize to change it, since it could overwrite the configuration user set via javax.net.ssl.sessionCacheSize.

Tomcat 7 and 8 have the same issue.
Comment 1 Christopher Schultz 2019-07-18 13:25:05 UTC
In Tomcat 9, the call to SSLSessionContext.setSessionCacheSize is not made unless the session cache size is > 0 [1]. Since the default is zero0, Tomcat should already be behaving as you describe.

Is it possible that this value is being overwritten in some other way?

[1] https://github.com/apache/tomcat/blob/master/java/org/apache/tomcat/util/net/SSLUtilBase.java#L260
Comment 2 Letu Yang 2019-07-18 16:45:18 UTC
Hi Christopher,

Thank you for the reply! I should have raised this against Tomcat 7... Please feel free to close it.

https://github.com/apache/tomcat/blob/7.0.x/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java#L624
Comment 3 Letu Yang 2019-07-18 16:48:29 UTC
Or shall we fix it in Tomcat 7 as well, making it consistent with 8 and 9?

https://github.com/apache/tomcat/blob/7.0.x/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java#L638
Comment 4 Mark Thomas 2019-07-24 16:48:48 UTC
Things aren't quite so clear cut.

The docs for 9.0.x & 8.5.x state that 0 means unlimited but values of 0 are ignored (for session timeout as well).

I propose to align all current Tomcat versions on the following behaviour:

<0 - use implementation default
 0 - implementation defined behaviour for 0 (usually unlimited)
>0 - implementation defined behaviour for >0

This will apply to:
- sessionCacheSize
- sessionTimeout

This is slightly different to other similar values but the JSSE API does not provide a "disable" option.
Comment 5 Letu Yang 2019-07-24 18:17:59 UTC
Mark,

After the JDK fix https://bugs.openjdk.java.net/browse/JDK-8213577 which changed the default value to 20480, if Tomcat does not explicitly set it to 0, the default value won't be unlimited any more. 

Also, as it specified in the JDK bug, it might not be a good idea to set it to unlimited.
Comment 6 Mark Thomas 2019-07-25 10:13:11 UTC
Fixed in:
- master for 9.0.23 onwards
- 8.5.x for 8.5.44 onwards
- 7.0.x for 7.0.97 onwards

For 9.0.x/8.5.x the fix was to permit configuration of unlimited values. The documentation was updated to make clear this is not recommended. Defaults remained unchanged.

For 7.0.x the fix was to switch to using the JSSE implementation provided value by default for session cache size.

The behaviour of all three versions is now aligned with the exception that APR/native does not expose these options in 7.0.x