Bug 996558 - Https connection hangs after adding https connector
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web
Version: 6.1.1,6.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: CR2
Target Release: EAP 6.2.0
Assignee: Jean-frederic Clere
QA Contact: Radim Hatlapatka
Docs Contact: Russell Dickenson
Reported: 2013-08-13 12:43 UTC by Petr Sakař
Modified: 2017-08-07 13:36 UTC (History)

Last Closed: 2013-12-15 16:17:27 UTC
Type: Bug


Attachments:
server certificate (1.31 KB, application/octet-stream), 2013-08-13 12:43 UTC, Petr Sakař
war with index.html (1.11 KB, application/zip), 2013-08-13 12:44 UTC, Petr Sakař

Description Petr Sakař 2013-08-13 12:43:57 UTC
Created attachment 786135
server certificate

Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
Start AS standalone server
1. Download attached war and keystore to /tmp/
2. Execute CLI command /core-service=management/security-realm=jbossws-cli-tests-https-realm/:add
Result {"outcome" => "success"}
3. Execute CLI command /subsystem=web/connector=jbossws-cli-tests-https-connector/:add(protocol="HTTP/1.1",scheme="https",secure=true, socket-binding=https,enabled=true)
Result {"outcome" => "success"}
4. Execute CLI command /subsystem=web/connector=jbossws-cli-tests-https-connector/ssl=configuration:add(password="changeit",certificate-key-file="/tmp/server.keystore",verify-client=false, key-alias=tomcat, protocol=https)
Result {"outcome" => "success"}
5. Execute CLI command deploy /tmp/test.war
Result {"outcome" => "success","result" => {"step-1" => {"outcome" => "success"},"step-2" => {"outcome" => "success"}}}
6. open in browser https://localhost:8443/test/index.html

Actual results:
page is not loaded, connection hangs


Expected results:
either page is correctly loaded 
 or 
operation result is reload required and page should not be available


Additional info:
after reload page is available

Comment 1 Petr Sakař 2013-08-13 12:44:58 UTC
Created attachment 786136
war with index.html

Comment 2 Aleksandar Kostadinov 2013-09-21 17:17:00 UTC
I'm also experiencing the same behavior when trying to add a native ssl connector. If I add the connector with two separate cli commands, then attempting to open an https URL results in the connection hanging and eventually timing out in the browser. Server restart fixes the issue.
On the other hand, using the same two commands within a batch makes everything work correctly.

The problem is that there is no error message in the cli console or server log to indicate any problem. So the user wouldn't know what's wrong.

FYI here is how I do that:
1. change native="true" in server config
2. start server
3. generate self-signed certificate with openssl
> openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=localhost" -keyout certs/localhost.key -out certs/localhost.cert
4. use the following cli commands:
> /subsystem=web/connector=https:add(enabled="true", enable-lookups="false", secure="true", scheme="https", socket-binding="https", protocol="HTTP/1.1")
> {"outcome" => "success"}
> /subsystem=web/connector=https/configuration=ssl:add(name="native-https", certificate-file="/tmp/certs/localhost.cert", certificate-key-file="/tmp/certs/localhost.key")
> {"outcome" => "success"}
5. try to open https URL

As I already said, if I wrap the cli commands within batch/run-batch, then everything works correctly.

Comment 3 Jean-frederic Clere 2013-10-23 13:41:17 UTC
I think that is an unknown bug and it is not possible to fix it.
The connector starts without ssl, and adding ssl doesn't tell you to restart the server.

Comment 4 Jean-frederic Clere 2013-10-23 13:42:11 UTC
If you use http:// instead of https://, you should get a working connection.

Comment 5 Tomaz Cerar 2013-10-24 21:51:56 UTC
This could be quite easily fixed by a restart-parent service handler on the ssl:add() operation.

A workaround would be to add the whole ssl connector configuration as part of a batch.

Comment 8 John Doyle 2013-10-28 19:26:19 UTC
Jean-Frederic,

Do you have a comment on Tomaz's suggestion?  Can we try this for 6.2?

Comment 9 Jean-frederic Clere 2013-10-30 13:06:09 UTC
Tomaz gave me an example; I have a patch I need to test...

Comment 10 Jean-frederic Clere 2013-10-30 13:59:50 UTC
Actually, when adding ssl there is already a message:
++++
[standalone@localhost:9999 /] /subsystem=web/connector=https/:add(socket-binding=https,protocol="HTTP/1.1",scheme="https")
{"outcome" => "success"}
[standalone@localhost:9999 /] /subsystem=web/connector=https/ssl=configuration:add
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
+++

Comment 11 Jean-frederic Clere 2013-11-01 14:39:37 UTC
A quick try with "restart-parent service handler on ssl:add() " doesn't seem to work. I think we should move this one to 6.3.

Comment 12 Jean-frederic Clere 2013-11-04 16:37:56 UTC
Tomaz helped me today on the topic. It is working; I will do the pull request soon.

Comment 13 Jean-frederic Clere 2013-11-04 20:56:03 UTC
See https://github.com/jbossas/jboss-eap/pull/662

Comment 16 mark yarborough 2013-11-07 19:08:08 UTC
Tried to re-approve for 6.2 based on comments 14, 15 from Brian and John.

Comment 20 Petr Sakař 2013-11-18 07:41:44 UTC
Verified for EAP 6.2.0.CR2 preview using procedure described in comment#0

Result of command from step 4 is "Reload-required", page is not available before reload and is available after reload

Comment 21 Aleksandar Kostadinov 2013-11-18 08:06:40 UTC
Was not the fix to make the restart automatic on ssl add?

Comment 22 Jean-frederic Clere 2013-11-18 09:06:08 UTC
It does; you need {allow-resource-service-restart=true }

Comment 23 Jean-frederic Clere 2013-11-22 11:07:10 UTC
Cause:
When adding a connector, it is started immediately.
So when an SSL connector is added in 2 steps (first the connector, then ssl to the connector), the connector was running without ssl.
Note that a message is displayed asking for a restart.

the rest is in the BZ...

Comment 24 Aleksandar Kostadinov 2013-11-28 05:42:08 UTC
Russell, as far as I see now, the change is that reload required is returned as status instead of success. It's not like the connector is restarted by default.

Comment 25 Jean-frederic Clere 2013-11-28 08:59:40 UTC
The reload required was already returned but the connector wasn't restarted.
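
Added example, not part of the bug report or of the EAP code base: Comments 4 and 23 describe the connector on the https socket binding answering plain HTTP until the reload, so a post-configuration check should confirm that the port really negotiates TLS. The Python probe below does that; the function name `probe_listener` and its result labels are assumptions made for this example.

```python
import socket
import ssl


def probe_listener(host, port, timeout=3.0):
    """Return 'tls', 'plaintext-http', 'unknown' or 'closed' for host:port."""
    # Certificate checks are disabled on purpose: the only question here is
    # whether the listener negotiates TLS at all, not whether its cert is trusted.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        # ssl.SSLError and handshake timeouts land here. A timeout is the
        # "connection hangs" symptom from the report.
        pass

    # The handshake failed, so ask the same port in clear text.
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(request.encode("ascii"))
            banner = raw.recv(16)
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "unknown"
    return "plaintext-http" if banner.startswith(b"HTTP/") else "unknown"


if __name__ == "__main__":
    # localhost:8443 is the address used in the reproduction steps.
    state = probe_listener("localhost", 8443)
    print(f"localhost:8443 -> {state}")
    if state != "tls":
        raise SystemExit("listener on the https binding is not negotiating TLS")
```

A `plaintext-http` result on the https binding means traffic sent there is unencrypted even though the connector was added with `scheme="https"` and `secure=true`.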

