https://bz.apache.org/bugzilla/show_bug.cgi?id=63571
Bug ID: 63571
Summary: The SSL sessionCacheSize config overwrites javax.net.ssl.sessionCacheSize
Product: Tomcat 9
Version: 9.0.x
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: yor...@gmail.com
Target Milestone: -----

In JDK bug https://bugs.openjdk.java.net/browse/JDK-8213577 , it is clearly mentioned that setting the SSL session cache size to indefinite is dangerous and could cause a serious memory leak issue. I have seen a couple of cases in my company. The fix has updated the default value from 0 (indefinite) to 20480. This has also been backported to JDK8 https://bugs.openjdk.java.net/browse/JDK-8213577 .

However, the default value in Tomcat is still 0. Also, when it sets the value, it does not consider whether a different value has been set in the JDK for JSSE. The JDK allows users to use the system property javax.net.ssl.sessionCacheSize to set it as well. At the moment, Tomcat would overwrite both the JDK default value and also javax.net.ssl.sessionCacheSize. This basically reverses the fix in the JDK.

There could be a couple of ways to fix this. I would suggest:

- change the default value in Tomcat for sessionCacheSize to 20480, which is the same as the JDK fix.
- unless the Tomcat user explicitly sets sessionCacheSize to a different value, it should not try to call SSLSessionContext.setSessionCacheSize to change it, since it could overwrite the configuration the user set via javax.net.ssl.sessionCacheSize.

Tomcat 7 and 8 have the same issue.
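The second suggestion above (only call SSLSessionContext.setSessionCacheSize when the connector attribute was set explicitly, otherwise leave the JSSE default and the javax.net.ssl.sessionCacheSize property untouched) can be illustrated with a small stand-alone Java program. This is an added example and not Tomcat's own connector code; the class name, the `resolveSessionCacheSize`/`applyTo` helpers and the use of a `null` Integer to mean "not configured" are assumptions made here for illustration. It also prints the effective server-side cache size before and after, which is a useful check when verifying whether a deployment has silently fallen back to 0 (unlimited).

```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSessionContext;

public class SessionCacheSizeCheck {

    // Value the JDK fix (JDK-8213577) chose as its new default, and the value the
    // report suggests Tomcat should adopt. Hypothetical constant for this example.
    static final int SUGGESTED_DEFAULT = 20480;

    /**
     * Decide which value, if any, should be pushed into JSSE.
     *
     * @param configuredSize the connector's sessionCacheSize attribute, or null when the
     *                       user did not set it (assumption: "unset" is modelled as null)
     * @return the size to apply, or null meaning "do not call setSessionCacheSize at all",
     *         so the JDK default or javax.net.ssl.sessionCacheSize remains in effect
     */
    static Integer resolveSessionCacheSize(Integer configuredSize) {
        if (configuredSize == null) {
            return null;
        }
        // An explicit 0 still means "unlimited" in JSSE; the caller asked for it, so honour it.
        return configuredSize;
    }

    /** Apply the resolved size to a session context only when the user configured one. */
    static void applyTo(SSLSessionContext ctx, Integer configuredSize) {
        Integer size = resolveSessionCacheSize(configuredSize);
        if (size != null) {
            ctx.setSessionCacheSize(size);
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException, KeyManagementException {
        // A default-initialised context is enough to inspect the server session cache settings.
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, null, null);
        SSLSessionContext server = sslContext.getServerSessionContext();

        System.out.println("javax.net.ssl.sessionCacheSize property = "
                + System.getProperty("javax.net.ssl.sessionCacheSize"));
        System.out.println("effective server session cache size (JDK/property) = "
                + server.getSessionCacheSize());

        // Case 1: connector attribute not set -> leave JSSE alone.
        applyTo(server, null);
        System.out.println("after applying unset connector value = " + server.getSessionCacheSize());

        // Case 2: connector attribute explicitly set -> override, as the user asked.
        applyTo(server, SUGGESTED_DEFAULT);
        System.out.println("after applying explicit " + SUGGESTED_DEFAULT + " = "
                + server.getSessionCacheSize());
    }
}
```

Run it once plainly and once with `-Djavax.net.ssl.sessionCacheSize=4096`: the first printed "effective" value shows what the JDK (or the property) chose, and a size of 0 there indicates an unbounded cache of the kind the report warns about. The `applyTo(server, null)` call leaves that value unchanged, which is the behaviour the report asks Tomcat to adopt when sessionCacheSize is not configured.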