https://bz.apache.org/bugzilla/show_bug.cgi?id=60030
Bug ID: 60030
Summary: Run away CPU with JSSE / OpenSSL with IE8
Product: Tomcat 8
Version: 8.5.3
Hardware: PC
OS: Linux
Status: NEW
Severity: major
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: csyper...@gmail.com

Tomcat: 8.5.3
OS: Ubuntu 16.04 (64-bit)
java version "1.8.0_101"
Java(TM) SE Runtime Environment (build 1.8.0_101-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.101-b13, mixed mode)

The JSSE implementation that uses OpenSSL seems to have an issue where a request from Internet Explorer 8.x can cause a large portion of the CPU to be consumed until Tomcat is restarted.

Steps to replicate:

1. On Ubuntu 16.04, download and extract 8.5.3.

2. Modify conf/server.xml and add the following connector for the SSL configuration:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https" secure="true" maxThreads="750" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeyFile="xxx.pem"
                         certificateFile="xxx.pem"
                         certificateChainFile="xxx.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

3. Start Tomcat and navigate, using IE8 or IE8 on http://netrenderer.com/index.php, to: https://x.x.x.x:8443/manager/html

Result: The CPU hangs at around 70%-100% on a single core until Tomcat is restarted.

Expected: The page should be rendered without a high CPU load.

This is worrying due to the ease of exploitation and the large, persistent consumption of resources. We have tested and replicated this using Let's Encrypt and a GoDaddy wildcard SSL cert on multiple machines. I would suspect this is due to a combination of older ciphers used on IE8.