Bug 60030 - Run away CPU with JSSE / OpenSSL with IE8
Summary: Run away CPU with JSSE / OpenSSL with IE8
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 8.5.3
Hardware: PC Linux
: P2 major (vote)
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-08-22 17:12 UTC by csyperski
Modified: 2016-08-24 10:27 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description csyperski 2016-08-22 17:12:22 UTC
Tomcat: 8.5.3
OS: Ubuntu 16.04 (64-bit)
java version "1.8.0_101"
Java(TM) SE Runtime Environment (build 1.8.0_101-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.101-b13, mixed mode)


JSSE implementation that uses OpenSSL seems to have an issue where a request from Internet Explorer 8.x can cause a large portion of the CPU to be consumed until tomcat restart.  

Steps to replicate:

1.  On Ubuntu 16.04, download and extract 8.5.3.  
2.  Modify the conf/server.xml and add the following connector for SSL configuration:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" maxThreads="750" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeyFile="xxx.pem"
certificateFile="xxx.pem"
certificateChainFile="xxx.pem"
type="RSA" />
</SSLHostConfig>
</Connector>

3. Start tomcat and navigate using IE8 or IE8 on http://netrenderer.com/index.php to:
https://x.x.x.x:8443/manager/html
 

Result:
The CPU hangs at around 70%-100% on a single core until tomcat is started.  

Expected:
The page should be rendered without a high CPU load.  

This is worrying due to the ease of exploitation and large, persistent consumption of resources.  We have tested and replicated using Let's Encrypt and a GoDaddy wildcard ssl cert on multiple machines.  I would suspect this is due to a combination of older ciphers used on IE8.
Comment 1 Remy Maucherat 2016-08-23 16:32:52 UTC
I had missed the thread dump: http://pastebin.com/n9Rkybwv

This is not using OpenSSL actually, just plain JSSE with OpenSSL PEMs (thread names are "https-jsse-nio-8443-*", if it was using OpenSSL it would be "https-openssl-nio-8443-*").
Like Christopher, I don't see any problem thread that would be using CPU in the dump. Everything seems to be doing nothing and there are a few threads polling as they should.

So when you're using a keystore for your certificate, you're not running into this issue ?
Comment 2 csyperski 2016-08-23 16:51:17 UTC
I was able to reproduce this on multiple machines (all Ubuntu; all oracle Java 8) using 8.5.3 and I tried two certs and it always caused the high CPU consumption.  Yes, I had the same issue after converting to a keystore as well.  I tried the same exact setup on 8.0.36 and everything worked as expected.  For the time being, I've rolled back to 8.0.36, but would be more than happy to provide any additional information, as it is simple to replicate.
Comment 3 Mark Thomas 2016-08-24 10:27:14 UTC
This has been fixed in the following branches:
- 9.0.x for 9.0.0.M10 onwards
- 8.5.x for 8.5.5 onwards

8.0.x and earlier are not affected as they do not support SNI.