Tomcat: 8.5.3
OS: Ubuntu 16.04 (64-bit)
java version "1.8.0_101"
Java(TM) SE Runtime Environment (build 1.8.0_101-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.101-b13, mixed mode)

JSSE implementation that uses OpenSSL seems to have an issue where a request from Internet Explorer 8.x can cause a large portion of the CPU to be consumed until tomcat restart.

Steps to replicate:
1. On Ubuntu 16.04, download and extract 8.5.3.
2. Modify the conf/server.xml and add the following connector for SSL configuration:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https" secure="true" maxThreads="750" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeyFile="xxx.pem"
                         certificateFile="xxx.pem"
                         certificateChainFile="xxx.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

3. Start tomcat and navigate using IE8 or IE8 on http://netrenderer.com/index.php to: https://x.x.x.x:8443/manager/html

Result: The CPU hangs at around 70%-100% on a single core until tomcat is started.
Expected: The page should be rendered without a high CPU load.

This is worrying due to the ease of exploitation and large, persistent consumption of resources. We have tested and replicated using Let's Encrypt and a GoDaddy wildcard SSL cert on multiple machines. I would suspect this is due to a combination of older ciphers used on IE8.
I had missed the thread dump: http://pastebin.com/n9Rkybwv

This is not using OpenSSL actually, just plain JSSE with OpenSSL PEMs (thread names are "https-jsse-nio-8443-*"; if it was using OpenSSL they would be "https-openssl-nio-8443-*"). Like Christopher, I don't see any problem thread that would be using CPU in the dump. Everything seems to be doing nothing and there are a few threads polling as they should. So when you're using a keystore for your certificate, you're not running into this issue?
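As an added example (not part of this thread and not Tomcat code), a small Python parser that applies the naming check from the comment above to a jstack-style thread dump: it tells JSSE from OpenSSL connector threads by the https-jsse-nio-<port>-* / https-openssl-nio-<port>-* prefix, counts them per connector, and lists the RUNNABLE ones with their nid converted to the LWP that `top -H` reports, so a CPU-hot thread can be matched to its stack. The dump text below is constructed for the example, not the pastebin dump.

```python
import re
from collections import defaultdict

# Constructed sample dump (jstack layout); the 8080 thread is a non-TLS control case.
SAMPLE_DUMP = '''\
"https-jsse-nio-8443-exec-1" #25 daemon prio=5 os_prio=0 tid=0x00007f1 nid=0x2a waiting on condition [0x00007f2]
   java.lang.Thread.State: WAITING (parking)
        at sun.misc.Unsafe.park(Native Method)

"https-jsse-nio-8443-exec-2" #26 daemon prio=5 os_prio=0 tid=0x00007f3 nid=0x2b runnable [0x00007f4]
   java.lang.Thread.State: RUNNABLE
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:773)

"https-jsse-nio-8443-ClientPoller-0" #27 daemon prio=5 os_prio=0 tid=0x00007f5 nid=0x2c runnable [0x00007f6]
   java.lang.Thread.State: RUNNABLE
        at sun.nio.ch.EPollArrayWrapper.epollWait(Native Method)

"http-nio-8080-exec-1" #28 daemon prio=5 os_prio=0 tid=0x00007f7 nid=0x2d waiting on condition [0x00007f8]
   java.lang.Thread.State: WAITING (parking)
        at sun.misc.Unsafe.park(Native Method)
'''

HEADER = re.compile(r'^"(?P<name>[^"]+)".*?nid=(?P<nid>0x[0-9a-f]+)', re.M)
CONNECTOR = re.compile(r'^https-(?P<impl>jsse|openssl)-(?P<io>nio2?|apr)-(?P<port>\d+)-')
STATE = re.compile(r'java\.lang\.Thread\.State: (?P<state>[A-Z_]+)')

def parse_threads(dump):
    """Yield (name, nid, state, top_frame) for each thread block in the dump."""
    for block in re.split(r'\n(?=")', dump.strip()):
        head = HEADER.match(block)
        if not head:
            continue
        state = STATE.search(block)
        frames = [l.strip() for l in block.splitlines() if l.strip().startswith('at ')]
        yield head['name'], head['nid'], (state['state'] if state else 'UNKNOWN'), (frames[0] if frames else '')

def summarize_tls_connectors(dump):
    """Group TLS connector threads by (implementation, port) and flag RUNNABLE ones."""
    summary = defaultdict(lambda: {'threads': 0, 'runnable': []})
    for name, nid, state, frame in parse_threads(dump):
        m = CONNECTOR.match(name)
        if not m:
            continue  # not a TLS connector thread (e.g. plain http-nio-8080)
        key = (m['impl'], int(m['port']))
        summary[key]['threads'] += 1
        if state == 'RUNNABLE':
            summary[key]['runnable'].append((name, int(nid, 16), frame))  # nid hex -> LWP shown by top -H
    return dict(summary)
```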
I was able to reproduce this on multiple machines (all Ubuntu; all Oracle Java 8) using 8.5.3 and I tried two certs and it always caused the high CPU consumption. Yes, I had the same issue after converting to a keystore as well. I tried the same exact setup on 8.0.36 and everything worked as expected. For the time being, I've rolled back to 8.0.36, but would be more than happy to provide any additional information, as it is simple to replicate.
This has been fixed in the following branches:
- 9.0.x for 9.0.0.M10 onwards
- 8.5.x for 8.5.5 onwards

8.0.x and earlier are not affected as they do not support SNI.
*** Bug 61089 has been marked as a duplicate of this bug. ***