Topic: Tomcat 9 - Fatal error and crash (maybe ssl related)
DavideBocca
Joined: 24 May 2024 Posts: 1
Posted: Fri 24 May '24 16:47 Post subject: Tomcat 9 - Fatal error and crash (maybe ssl related)
Hi guys,
we have some Tomcats 9.0.35 crashing, it seems during the login process.
The dump log (https://hastebin.com/share/ucecipukuz.makefile) shows https-openssl-nio-443-exec-1 as the current thread, so I guess it should be something on that side. The connector configuration follows:
Code:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxHttpHeaderSize="8192"
           maxThreads="150" SSLEnabled="true" minSpareThreads="25"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keystoreFile="${container.keystoreFile}" keystorePass="${container.keystorePass}" />
Here (https://hastebin.com/share/pozufegama.yaml) you can see the catalina log (crash occurred @08:43).
I'm trying to check the logs but I'm not the original developer so it's not so easy to find useful info. I just found this one, which seems to be interesting:
Code:
2024-05-24 08:43:20,765 INFO [https-openssl-nio-443-exec-5] (DetailedDelegatingAuthenticationProvider.java:23) - Authentication attempt with 'authentication-provider-administrator' for user 'DB2ADMIN' successed!
I also have the mdmp file but I don't really know what in it could be useful for the investigation; if someone could guide me I can post the data that could help.
Can someone help me understand what's going on?
Thanks!
Davide
tangent (Moderator)
Joined: 16 Aug 2020 Posts: 346 Location: UK
Posted: Mon 27 May '24 20:02 Post subject:
Looking at your Catalina log file, I note the SSL version in your Tomcat is OpenSSL 1.1.1g [21 Apr 2020]. This is somewhat behind the curve, and highlights the problem of having your application server manage secure client connections. So rather than trying to solve the crashing thread problem, I'd suggest going round it.
Far better would be to decouple the client connection front end using a separate instance of Apache Web Server, managing the secure front end, and then proxy the connection requests to Tomcat. If Apache is configured on the same host or a local network, you could use AJP rather than HTTP(S) to connect to Tomcat, which should also improve the performance.
I accept that going down this route does entail installing and setting up Apache, but would suggest there are many benefits to be had in the long term. At the time of writing, the 2.4.59 release of Apache on this site is built with OpenSSL 3.1.5.
A concept Apache configuration (initially on say port 8443) might include:
Code:
<VirtualHost *:8443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privatekey.pem
    # Proxy requests for /objfin location to local Tomcat using AJP on port 8009.
    #
    <Location /objfin>
        ProxyPass ajp://localhost:8009/objfin
        ProxyPassReverse ajp://localhost:8009/objfin
        ProxyPassReverseCookiePath / /
    </Location>
</VirtualHost>
Should you choose to go down this route, there are a number of posts on this site relating to proxy connections with Tomcat which should help, as well as other worked examples out there on the net.
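
A check for the Tomcat side of the AJP proxy suggested above, as an added example that is not part of the thread or of the Tomcat project: it audits the AJP connectors in a `server.xml` for the shared secret and the bind address. The sample XML and the `${ajp.secret}` property name are constructed; the `secretRequired` and loopback defaults are the ones Tomcat has used since 9.0.31.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragments (not taken from the thread).
WEAK = """<Server><Service name="Catalina">
  <Connector protocol="AJP/1.3" address="0.0.0.0" port="8009" secretRequired="false" />
</Service></Server>"""

HARDENED = """<Server><Service name="Catalina">
  <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
             secretRequired="true" secret="${ajp.secret}" />
</Service></Server>"""


def is_loopback(address):
    """True if the bind address is a loopback IP or the name 'localhost'."""
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # other hostnames are treated as non-loopback


def audit_ajp(server_xml):
    """Return a list of findings for every AJP connector in server.xml text."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue  # HTTP connectors are out of scope here
        port = conn.get("port", "?")
        # Since Tomcat 9.0.31 secretRequired defaults to true and the
        # connector refuses to start without a non-empty secret.
        required = conn.get("secretRequired", "true").lower() == "true"
        secret = conn.get("secret", "")
        if not required:
            findings.append(f"port {port}: secretRequired is false")
        elif not secret:
            findings.append(f"port {port}: no secret set, connector will not start")
        # Since 9.0.31 an AJP connector without an address binds to loopback.
        address = conn.get("address")
        if address is not None and not is_loopback(address):
            findings.append(f"port {port}: bound to non-loopback address {address}")
    return findings


if __name__ == "__main__":
    for name, xml in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_ajp(xml) or "ok")
```

On the Apache side the same value is passed with the `secret=` parameter of `ProxyPass`, which mod_proxy_ajp supports from 2.4.42.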