JBoss Core Services / JBCS-320

ModCluster http_cping_cpong does not properly shutdown ssl/tls communication


    • Bug
    • Resolution: Done
    • Major
    • httpd 2.4.23 GA
    • httpd

      Configure mod_cluster to use https.
      Start up EAP and httpd.
      Await STATUS and cping/cpong process to begin.
      Make sure you have -Djavax.net.debug=ssl,handshake enabled in EAP to see the missing close_notify (or you can use wireshark/tcpdump)


      When mod_cluster is configured to proxy to an https connector in EAP, the http_cping_cpong connections do not get closed properly:

      httpd logging:

      [Mon Mar 27 15:18:42.790858 2017] [ssl:debug] [pid 6614] ssl_engine_kernel.c(2042): [remote 127.0.0.1:8443] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
      [Mon Mar 27 15:18:42.795092 2017] [:debug] [pid 6614] mod_proxy_cluster.c(1241): http_cping_cpong: received HTTP/1.0 200 OK
      [Mon Mar 27 15:18:42.795114 2017] [:debug] [pid 6614] mod_proxy_cluster.c(1241): http_cping_cpong: received Connection: close
      [Mon Mar 27 15:18:42.795118 2017] [:debug] [pid 6614] mod_proxy_cluster.c(1241): http_cping_cpong: received X-Powered-By: Undertow/1
      [Mon Mar 27 15:18:42.795121 2017] [:debug] [pid 6614] mod_proxy_cluster.c(1241): http_cping_cpong: received Server: JBoss-EAP/7
      [Mon Mar 27 15:18:42.795124 2017] [:debug] [pid 6614] mod_proxy_cluster.c(1241): http_cping_cpong: received Content-Length: 0
      [Mon Mar 27 15:18:42.795127 2017] [:debug] [pid 6614] mod_proxy_cluster.c(1241): http_cping_cpong: received Date: Mon, 27 Mar 2017 19:18:42 GMT
      [Mon Mar 27 15:18:42.795130 2017] [:debug] [pid 6614] mod_proxy_cluster.c(1258): http_cping_cpong: Done
      [Mon Mar 27 15:18:42.795134 2017] [proxy:debug] [pid 6614] proxy_util.c(2171): AH00943: https: has released connection for (127.0.0.1)
      

      EAP logging:

      15:18:42,795 INFO  [io.undertow.request.dump] (default I/O-8) 
      ----------------------------REQUEST---------------------------
                     URI=*
       characterEncoding=null
           contentLength=-1
             contentType=null
                  header=X-Forwarded-Proto=https
                  header=X-Forwarded-Port=443
                  header=User-Agent=Apache/2.4.23 (Red Hat) (internal mod_cluster connection)
                  header=X-Forwarded-Host=test
                  locale=[]
                  method=OPTIONS
                protocol=HTTP/1.0
             queryString=
              remoteAddr=/127.0.0.1:51242
              remoteHost=localhost.localdomain
                  scheme=https
                    host=null
              serverPort=8443
      --------------------------RESPONSE--------------------------
           contentLength=0
             contentType=null
                  header=Connection=close
                  header=X-Powered-By=Undertow/1
                  header=Server=JBoss-EAP/7
                  header=Content-Length=0
                  header=Date=Mon, 27 Mar 2017 19:18:42 GMT
                  status=200
      ==============================================================
      15:18:42,796 INFO  [stdout] (default I/O-8) default I/O-8, called closeInbound()
      15:18:42,796 INFO  [stdout] (default I/O-8) default I/O-8, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
      15:18:42,796 INFO  [stdout] (default I/O-8) javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
      15:18:42,796 INFO  [stdout] (default I/O-8) %% Invalidated:  [Session-3, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
      15:18:42,797 INFO  [stdout] (default I/O-8) default I/O-8, SEND TLSv1.2 ALERT:  fatal, description = internal_error
      15:18:42,797 INFO  [stdout] (default I/O-8) default I/O-8, Exception sending alert: java.io.IOException: writer side was already closed.
      15:18:42,797 INFO  [stdout] (default I/O-8) default I/O-8, called closeInbound()
      15:18:42,797 INFO  [stdout] (default I/O-8) default I/O-8, closeInboundInternal()
      

              rhn-engineering-jclere Jean-Frederic Clere
              rhn-support-rbost Robert Bost
              Karel Ramis Karel Ramis
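
Added example, not part of the original issue and not mod_cluster or EAP code: a Python triage pass over an EAP log in the format shown above. It attributes each "Inbound closed before receiving peer's close_notify" SSLException to the most recent request dump on the same I/O thread, so closes caused by mod_cluster's cping/cpong OPTIONS probe can be separated from ones that need review. The function name, verdict labels and sample lines are constructed, and the same-thread correlation is an assumption taken from the log above; a busy server can interleave connections on one thread.

```python
import re

# Constructed sample in the shape of the EAP log on this page; the second
# request (thread I/O-3, browser User-Agent) is invented for contrast.
SAMPLE = """\
15:18:42,795 INFO  [io.undertow.request.dump] (default I/O-8)
              header=User-Agent=Apache/2.4.23 (Red Hat) (internal mod_cluster connection)
              method=OPTIONS
15:18:42,796 INFO  [stdout] (default I/O-8) javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
15:19:01,120 INFO  [io.undertow.request.dump] (default I/O-3)
              header=User-Agent=Mozilla/5.0 (constructed)
              method=GET
15:19:01,450 INFO  [stdout] (default I/O-3) javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
"""

ENTRY = re.compile(r"^(\d\d:\d\d:\d\d,\d{3}) \w+\s+\[([^\]]+)\] \(([^)]+)\)\s?(.*)$")
FIELD = re.compile(r"^\s+(\w+)=(.*)$")
MARKER = "SSLException: Inbound closed before receiving peer's close_notify"

def triage(log_text):
    """Return (time, thread, verdict) for each close_notify SSLException."""
    last_request = {}   # thread name -> fields of its latest request dump
    dumping = None      # thread whose request dump is currently being read
    findings = []
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if entry:
            when, category, thread, message = entry.groups()
            dumping = None
            if category == "io.undertow.request.dump":
                dumping = thread
                last_request[thread] = {}
            elif MARKER in message:
                req = last_request.get(thread, {})
                internal = "internal mod_cluster connection" in req.get("User-Agent", "")
                probe = internal and req.get("method") == "OPTIONS"
                findings.append((when, thread, "mod_cluster-probe" if probe else "review"))
            continue
        field = FIELD.match(line)
        if dumping and field:
            key, value = field.groups()
            if key == "header":
                key, _, value = value.partition("=")
            # keep request-side values only (the dump repeats keys for the response)
            last_request[dumping].setdefault(key, value)
    return findings
```

The User-Agent is supplied by the client, so a "mod_cluster-probe" verdict is only as trustworthy as the network path between httpd and EAP.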