
outbound ssl sockets do not timeout if the remote does not respond

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.8, 2.8.1, 2.9, 2.9.1, 2.9.2, 2.10, 2.11, 2.11.1, 2.11.2, 2.11.3
    • Fix Version/s: 2.11.4
    • Component/s: Transport
    • Labels: None
    • Story Points: 0.5
    • Sprint: Sprint 47

      Description

      Nexus versions 2.8.0 through 2.11.3 are affected by outbound SSL socket connections that never time out if the remote server's HTTPS socket does not respond.

      Cause

      • Nexus 2.8 introduced a dependency on an HTTP client version (4.3.x) that had an SSL socket timeout bug: HTTPCLIENT-1478
      • the fix for the HTTPCLIENT bug also requires a code change in the SSL connection socket factory that Nexus uses (NexusSSLConnectionSocketFactory), so upgrading to httpclient-4.3.6 alone is not enough to fix the issue.

      Symptoms

      • the Nexus outbound HTTP connection pool for the host in question can become depleted
      • inbound requests to a proxy repository mapped to an https://remotehost can become blocked waiting for other socket-bound threads to complete. This includes requests to group repositories that have the proxy repository as a member.
      • multiple thread dumps taken over several minutes will show the same thread ids stuck on socket reads (at java.net.SocketInputStream.socketRead0(Native Method))
        Example Waiting Thread
        qtp812882942-195540 id=195540 state=RUNNABLE (running in native)
        at java.net.SocketInputStream.socketRead0(Native Method)
        at java.net.SocketInputStream.read(SocketInputStream.java:152)
        at java.net.SocketInputStream.read(SocketInputStream.java:122)
        at sun.security.ssl.InputRecord.readFully(InputRecord.java:442)
        at sun.security.ssl.InputRecord.read(InputRecord.java:480)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
        - locked java.lang.Object@63017956
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
        at org.sonatype.nexus.apachehttpclient.NexusSSLConnectionSocketFactory.connectSocket(NexusSSLConnectionSocketFactory.java:127)
        at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:125)
        at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:319)
        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:363)
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:219)
        
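      As an added example (not Nexus or HttpClient code), this pure-JDK program reproduces the failure mode and the fix: a constructed local server accepts the TCP connection but never answers the ClientHello, and setting SO_TIMEOUT before startHandshake() turns the otherwise indefinite block in socketRead0 into a SocketTimeoutException. The class and method names are my own.

```java
import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class HandshakeTimeoutDemo {

    // Connects to a TLS endpoint and returns true if the handshake gave up with
    // a SocketTimeoutException, false if it completed. A soTimeoutMillis of 0
    // (the JDK default, and what httpclient 4.3.x before 4.3.6 left in place
    // during connectSocket) makes the handshake read block indefinitely.
    static boolean handshakeTimesOut(String host, int port, int soTimeoutMillis)
            throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (Socket plain = new Socket(host, port);
             SSLSocket ssl = (SSLSocket) factory.createSocket(plain, host, port, true)) {
            // The essential ordering: SO_TIMEOUT must be on the socket BEFORE
            // startHandshake(), because the handshake's own reads (the
            // SSLSocketImpl.performInitialHandshake -> socketRead0 frames in the
            // thread dump) are the ones that need to be interruptible.
            ssl.setSoTimeout(soTimeoutMillis);
            ssl.startHandshake();
            return false;
        } catch (SocketTimeoutException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed "black hole" remote: accepts the TCP connection but never
        // answers the ClientHello, like the unresponsive HTTPS hosts in this issue.
        try (ServerSocket silent = new ServerSocket(0)) {
            Thread acceptor = new Thread(() -> {
                try (Socket s = silent.accept()) {
                    Thread.sleep(Long.MAX_VALUE);
                } catch (Exception ignored) {
                    // server socket closed or thread interrupted at shutdown
                }
            });
            acceptor.setDaemon(true);
            acceptor.start();
            boolean timedOut = handshakeTimesOut("127.0.0.1", silent.getLocalPort(), 2000);
            System.out.println("handshake timed out after 2s: " + timedOut);
            // Passing 0 instead of 2000 would hang this thread forever, which is
            // exactly the stuck socketRead0 state the thread dump shows.
        }
    }
}
```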

      Temporary Workaround

      If available, change the remote URL of the proxy repository to an http connection instead of an https connection. Note that this also removes transport encryption and server authentication for that remote, so revert to https once a fixed version is installed.

      Restart Nexus to clear any stuck sockets.

            People

            Reporter: Peter Lynch (plynch)