quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0
13.35k stars 2.56k forks

Non-deterministic exception when using Resteasy and SSL and calling an endpoint multiple times #26878

Open DGuhr opened 1 year ago

DGuhr commented 1 year ago

Describe the bug

Hey quarkus team :)

I discovered this bug using Keycloak, see this gist. Basically it is:

  1. Create some certificates (e.g. self-signed or using mkcert)
  2. Set them in quarkus.properties
  3. Build, run & open https://localhost:8443/ in your browser
  4. Simulate high request traffic without browser caching - on my Mac it's e.g. holding cmd+shift+r. See https://en.wikipedia.org/wiki/Wikipedia:Bypass_your_cache#Desktop_browsers for other browsers and OSes
  5. See the exception appear after a very short while. At the Keycloak level, you can reproduce with the same steps using the gist above.

Plain Reproducer can be found at https://github.com/dguhr/reproducer/tree/ssl_exception

Expected behavior

No exception appears.

Actual behavior

Exception:

Screenshot 2022-07-22 at 08 57 48

How to Reproduce?

Reproducer: https://github.com/dguhr/reproducer/tree/ssl_exception

For the steps, see the README and the description here.

Output of uname -a or ver

Darwin dguhr-mac 20.6.0 Darwin Kernel Version 20.6.0: Tue Apr 19 21:04:45 PDT 2022; root:xnu-7195.141.29~1/RELEASE_X86_64 x86_64

Output of java -version

openjdk version "11.0.15" 2022-04-19
OpenJDK Runtime Environment Temurin-11.0.15+10 (build 11.0.15+10)
OpenJDK 64-Bit Server VM Temurin-11.0.15+10 (build 11.0.15+10, mixed mode)

GraalVM version (if different from Java)

-

Quarkus version or git rev

2.7.6.Final

Build tool (ie. output of mvnw --version or gradlew --version)

Apache Maven 3.8.4 (9b656c72d54e5bacbed989b64718c159fe39b537)

Additional information

No response

quarkus-bot[bot] commented 1 year ago

/cc @sberyozkin

DGuhr commented 1 year ago

@geoand @sberyozkin any new information on this one? Sorry to push, but it would be great to have something for the next 2.7.x LTS version that should come out somewhere around the end of the month / start of next month if I remember correctly (please correct me if I'm wrong).

geoand commented 1 year ago

I personally don't have much of an idea about this and I think @sberyozkin is on PTO.

DGuhr commented 1 year ago

Thanks for the info, and np :)

DGuhr commented 1 year ago

@sberyozkin did you perhaps have time to look into this bug?

michalvavrik commented 1 year ago

I couldn't reproduce this via the UI, but a CLI command like xargs -I % -P 500 curl "https://localhost:8443/" < <(printf '%s\n' {1..500}) reproduces the issue. Interestingly, it only reproduces the issue the second time it's run. I'll have a look and let you know.
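
The parallel-request check from the comment above, repeated over several rounds with a per-round tally so an intermittent failure shows up as a count. This is an added example, not part of the original thread or the Quarkus project; the function names, the default of three rounds and the `run` argument are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). URL, parallelism and request count
# follow the command quoted in the comment; everything else is an assumption.

URL="${URL:-https://localhost:8443/}"
PARALLEL="${PARALLEL:-500}"
REQUESTS="${REQUESTS:-500}"

# Fire REQUESTS requests, PARALLEL at a time. Prints one line per request:
#   "<http_code> <curl_exit_code>"   (http_code is 000 when no response arrived)
# -k skips certificate verification; that is only acceptable here because the
# target is the local reproducer with a self-signed or mkcert certificate.
# xargs -n 1 is used instead of -I % so that "%{http_code}" is left untouched.
burst() {
  seq 1 "$REQUESTS" | xargs -P "$PARALLEL" -n 1 sh -c \
    'code=$(curl -sk -o /dev/null -w "%{http_code}" --max-time 10 "$0"); echo "$code $?"' "$URL"
}

# Reduce burst output on stdin to "ok=<n> http_error=<n> transport_error=<n>".
# transport_error counts requests where curl itself exited non-zero, which is
# where a failed TLS handshake or a reset connection ends up.
summarize() {
  awk '
    $2 != 0   { transport++; next }
    $1 ~ /^2/ { ok++; next }
              { http++ }
    END { printf "ok=%d http_error=%d transport_error=%d\n", ok, http, transport }'
}

# Run several bursts back to back. The comment reports the issue reproducing
# only the second time the command is run, so a single round can look clean.
run_rounds() {
  rounds="${1:-3}"
  for i in $(seq 1 "$rounds"); do
    echo "round $i: $(burst | summarize)"
  done
}

# Only touch the network when explicitly asked: ./burst.sh run [rounds]
if [ "${1:-}" = "run" ]; then
  run_rounds "${2:-3}"
fi
```

A non-zero `transport_error` in any round is the signal to correlate with the server log timestamps for the exception.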

michalvavrik commented 1 year ago

I didn't manage to create a standalone Vert.X reproducer. Quarkus just loads the bytes and sets the Buffer via io.vertx.core.net.PemKeyCertOptions#setCertValues; the options are passed to Vert.X exactly once and then it's absolutely out of our reach. Interestingly, when running in native the problem occurs almost immediately, but in dev mode I have to execute curl (see previous comment) twice. Could someone from Vert.X please have a look?

sberyozkin commented 9 months ago

@DGuhr Sorry, this is managed at the Vert.x level