Home Help Center

Intermittent ssl connection failures (hanging)

gumshoegumshoe Member Gum ShoesOrganization: EnbridgeProject: Enterprise wide IPC framework.
Hi,

I am experiencing intermittent failures when creating ssl connections. The client will hang in the checkedCast() call and pin the CPU. This can be reproduced by creating/destroying 100 connections in succession.

Details:
  • jdk1.6.0_02 (client and server)
  • Ice 3.2.0
  • client host: XP SP2 or Kubuntu 7.04 (x86)
  • server host: debian (x86)

Client Trace:
[ 8/11/07 13:47:58:359 Network: trying to establish ssl connection to 10.70.40.101:10001 ]
[ 8/11/07 13:47:58:359 Network: ssl connection established
  local address = 10.65.230.121:1339
  remote address = 10.70.40.101:10001 ]

Server Trace:
[ 8/11/07 12:46:52:342 Security: enabling SSL ciphersuites:
    SSL_RSA_WITH_RC4_128_MD5
    SSL_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    SSL_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    SSL_RSA_WITH_DES_CBC_SHA
    SSL_DHE_RSA_WITH_DES_CBC_SHA
    SSL_DHE_DSS_WITH_DES_CBC_SHA
    SSL_RSA_EXPORT_WITH_RC4_40_MD5
    SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA ]
[ 8/11/07 12:46:52:346 Network: attempting to accept ssl connection
  local address = 10.70.40.101:10001
  remote address = 10.65.230.121:1339 ]
[ 8/11/07 12:46:52:351 Protocol: sending validate connection
  message type = 3 (validate connection)
  compression status = 0 (not compressed; do not compress response, if any)
  message size = 14 ]

At this point the client hangs. Just having a look around in the Eclipse debugger shows the Ice.ConnectionMonitor thread hitting the wait(_interval * 1000); while another thread is on Unsafe.copyMemory(). At this point the Eclipse debugger becomes unresponsive on account of the CPU load.

The same client and server work fine when on the same host or across hosts if tcp instead of ssl is used.

Server config:
EnbRegistry.Endpoints=ssl -p 10001

Ice.Trace.Network=3
Ice.Trace.Protocol=1
IceSSL.Trace.Security=1

Ice.Plugin.IceSSL=IceSSL.PluginFactory
Ice.ThreadPerConnection=1
IceSSL.DefaultDir=certs
IceSSL.Keystore=server.jks
IceSSL.Password=password
IceSSL.Truststore=certs.jks

Client config:
EnbRegistry.Proxy=EnbRegistry:ssl -p 10001 -h wirelock
LogFeeder.Endpoints=ssl

Ice.ACM.Server=5
Ice.ACM.Client=5

Ice.Trace.Network=3
Ice.Trace.Protocol=1
IceSSL.Trace.Security=1

Ice.Plugin.IceSSL=IceSSL.PluginFactory
Ice.ThreadPerConnection=1
IceSSL.DefaultDir=certs
IceSSL.Keystore=server.jks
IceSSL.Password=password
IceSSL.Truststore=certs.jks

The closest to this I could find in the forums was http://www.zeroc.com/forums/help-center/3150-cant-close-ssl-connection.html.

Thanks.

Comments

  • bernardbernard Jupiter, FLAdministrators, ZeroC Staff Bernard NormierOrganization: ZeroC, Inc.Project: Ice ZeroC Staff
    Hi Ruedi,

    This looks like the same hang as the one described in this earlier thread.
    We're about to release 3.2.1 which includes the corresponding bug fix.

    Best regards,
    Bernard
  • gumshoegumshoe Member Gum ShoesOrganization: EnbridgeProject: Enterprise wide IPC framework.
    Thanks for the quick reply. Does ZeroC host a bug tracker, JIRA perhaps? Having release notes delivered via PDF seems slightly off, do paying customers get them in another format?
  • bernardbernard Jupiter, FLAdministrators, ZeroC Staff Bernard NormierOrganization: ZeroC, Inc.Project: Ice ZeroC Staff
    Ice 3.2.1 has just been released, and you'll probably like the release notes in plain text format.

    We do not have a publicly accessible bug tracking system. If you need bug fixes in a timely manner, please subscribe to our priority support: see http://www.zeroc.com/support.html. You can subscribe to this priority support independently of your Ice license; some of our priority support customers license Ice under GPL.

    Best regards,
    Bernard
  • gumshoegumshoe Member Gum ShoesOrganization: EnbridgeProject: Enterprise wide IPC framework.
    This may not be the place to discuss this but what are your reasons for not having a public bug tracker, even just read only?

    From the perspective of a techie trying to sell the purchase of Ice to management having a vibrant forum as this is a selling point; having access to a bug tracker that allows for viewing of all issues/features of all releases helps even more. Something akin to Browse Project - jira.codehaus.org perhaps.

    Either way, this beats CORBA so thanks for that.
  • bernardbernard Jupiter, FLAdministrators, ZeroC Staff Bernard NormierOrganization: ZeroC, Inc.Project: Ice ZeroC Staff
    Hi Ruedi,

    I never imagined a public bug tracking database would be a strong selling point for Ice. Thanks for the suggestion!

    Cheers,
    Bernard
Sign In or Register to comment.