Dev - Nexus Repo
NEXUS-8856

outbound ssl sockets do not timeout if the remote does not respond

Details

    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • Fix Version: 2.11.4
    • Affects Versions: 2.8, 2.8.1, 2.9, 2.9.1, 2.9.2, 2.10, 2.11, 2.11.1, 2.11.2, 2.11.3
    • Component: Transport
    • None
    • 0.5
    • Sprint: Sprint 47

    Description

      Nexus versions 2.8.0 through 2.11.3 are vulnerable to outbound SSL socket connections that never time out if the remote server's HTTPS socket does not respond.

      Cause

      • Nexus 2.8 introduced a dependency on an HTTP client version (4.3.x) that had an SSL socket timeout bug: HTTPCLIENT-1478
      • The fix for the HTTPCLIENT bug also requires a code change in the SSLConnectionFactory that Nexus uses, so upgrading to httpclient-4.3.6 alone is not enough to fix the issue.

      Symptoms

      • The Nexus outbound HTTP connection pool for the host in question can become depleted.
      • Inbound requests to a proxy repository mapped to a https://remotehost can become blocked waiting for other socket-bound threads to complete. This includes requests to group repositories that have the proxy repository as a member.
      • Multiple thread dumps taken over several minutes will show the same thread ids stuck on socket reads (at java.net.SocketInputStream.socketRead0(Native Method)).
        Example Waiting Thread
        qtp812882942-195540 id=195540 state=RUNNABLE (running in native)
        at java.net.SocketInputStream.socketRead0(Native Method)
        at java.net.SocketInputStream.read(SocketInputStream.java:152)
        at java.net.SocketInputStream.read(SocketInputStream.java:122)
        at sun.security.ssl.InputRecord.readFully(InputRecord.java:442)
        at sun.security.ssl.InputRecord.read(InputRecord.java:480)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
        - locked java.lang.Object@63017956
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
        at org.sonatype.nexus.apachehttpclient.NexusSSLConnectionSocketFactory.connectSocket(NexusSSLConnectionSocketFactory.java:127)
        at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:125)
        at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:319)
        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:363)
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:219)

      Temporary Workaround

      If available, change the remote URL of the proxy repository to an http connection instead of an https connection.

      Restart Nexus to clear any stuck sockets.
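      The thread dump above is stuck inside startHandshake() because no read timeout was set on the socket before the TLS handshake began. The following is an added, self-contained illustration (not Nexus or Apache HttpClient code) of that ordering: a local server that accepts the TCP connection but never sends a ServerHello, and a client that sets SO_TIMEOUT before startHandshake(). With a timeout of 0 the client hangs in socketRead0 exactly like the dump; with a positive value the handshake aborts with SocketTimeoutException. Class and method names are the example's own.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added illustration of the handshake-timeout ordering; not Nexus or HttpClient code.
public class HandshakeTimeoutCheck {

    // Stand-in for the unresponsive remote: accept the TCP connection, never write a byte.
    static ServerSocket silentServer() throws IOException {
        ServerSocket ss = new ServerSocket(0, 1, InetAddress.getLoopbackAddress());
        Thread t = new Thread(() -> {
            try (Socket s = ss.accept()) {
                Thread.sleep(Long.MAX_VALUE); // hold the socket open indefinitely
            } catch (Exception ignored) {
            }
        });
        t.setDaemon(true);
        t.start();
        return ss;
    }

    // soTimeoutMillis == 0 reproduces the bug: startHandshake() blocks in
    // SocketInputStream.socketRead0 with no deadline. A positive value is the fix:
    // SO_TIMEOUT must be applied to the socket BEFORE startHandshake() is called.
    static String attemptHandshake(int port, int soTimeoutMillis) {
        SSLSocketFactory sf = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket ssl = (SSLSocket) sf.createSocket()) {
            ssl.connect(new InetSocketAddress(InetAddress.getLoopbackAddress(), port), 2000);
            ssl.setSoTimeout(soTimeoutMillis); // read deadline for the handshake itself
            ssl.startHandshake();
            return "handshake completed";
        } catch (SocketTimeoutException e) {
            return "handshake timed out after " + soTimeoutMillis + " ms";
        } catch (IOException e) {
            return "io error: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        try (ServerSocket ss = silentServer()) {
            System.out.println(attemptHandshake(ss.getLocalPort(), 3000));
            // attemptHandshake(ss.getLocalPort(), 0) would never return.
        }
    }
}
```

      The same check can be run against a custom connection socket factory: if the thread does not leave startHandshake() within the configured socket timeout, the timeout is being applied too late.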

      People

        Assignee: Unassigned
        Reporter: Peter Lynch (plynch)