[jetty-dev] TLS Support


Thomas Lußnig-2
Hi,

is there any more detailed information about the problem:

    Java 11 has a problematic TLS implementation. Currently, the Jetty
    team recommends using JDK 12 until such time that the fixes in JDK 12 are
    backported to Java 11 TLS.

Gruß Thomas

_______________________________________________
jetty-dev mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-dev

Re: [jetty-dev] TLS Support

Simone Bordet-3
Hi,

On Wed, Feb 20, 2019 at 11:59 PM Thomas Lußnig <[hidden email]> wrote:
>
> Hi,
>
> is there any more detailed information about the problem:
>
>     Java 11 has a problematic TLS implementation. Currently, the Jetty
>     team recommends using JDK 12 until such time that the fixes in JDK 12 are
>     backported to Java 11 TLS.

We only see this problem when running load tests, see for example:
https://github.com/eclipse/jetty.project/issues/3368
https://github.com/eclipse/jetty.project/issues/3301
https://github.com/eclipse/jetty.project/issues/3239

It does not happen all the time, so it's a random bug to find and figure out.

We have not investigated deeply what it is, but we have other
confirmation as well: running the CometD benchmarks fails with 11.0.2,
but passes cleanly with 12RC.
We will investigate and eventually send out the details, but it may
take some time.

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.

Re: [jetty-dev] TLS Support

Cantor, Scott
On 2/20/19, 6:53 PM, "[hidden email] on behalf of Simone Bordet" <[hidden email] on behalf of [hidden email]> wrote:

> We have not investigated deeply what it is, but we have other
> confirmation as well: running the CometD benchmarks fails with 11.0.2,
> but passes cleanly with 12RC.

Has somebody filed a bug with Oracle or Red Hat yet?

The problem is that for a lot of us, the non-LTS releases may as well not exist, so "use 12" is not practical advice, even if 12 were out, which it isn't.

So this is really "use 8" as a piece of advice right now.

-- Scott



Re: [jetty-dev] TLS Support

Simone Bordet-3
Hi,

On Thu, Feb 21, 2019 at 1:03 AM Cantor, Scott <[hidden email]> wrote:
>
> On 2/20/19, 6:53 PM, "[hidden email] on behalf of Simone Bordet" <[hidden email] on behalf of [hidden email]> wrote:
>
> > We have not investigated deeply what it is, but we have other
> > confirmation as well: running the CometD benchmarks fails with 11.0.2,
> > but passes cleanly with 12RC.
>
> Has somebody filed a bug with Oracle or Red Hat yet?

We will, but we need to have exact details first.

> The problem is that for a lot of us, the non-LTS releases may as well not exist, so "use 12" is not practical advice, even if 12 were out, which it isn't.
>
> So this is really "use 8" as a piece of advice right now.

Yep.
However, we have people surprised by this - for them evidently 11 is
working fine.
It could well just be a problem when using TLS 1.3, so using TLS 1.2
on JDK 11 is fine.

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.

Re: [jetty-dev] TLS Support

Cantor, Scott
On 2/20/19, 7:11 PM, "[hidden email] on behalf of Simone Bordet" <[hidden email] on behalf of [hidden email]> wrote:

> We will, but we need to have exact details first.

Ok. I know that's one take, another is "A/B tests prove this is your bug, we'll get more details to you when we can...". Often a stack trace is enough to find a bug. And this is a big deal, a "your only LTS Java is about to be untrustworthy" kind of deal, so the sooner they know...

If it's really just TLS 1.3 that certainly will help but from the bugs there it's probably not really certain yet.

Thanks,
-- Scott
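
Added example, not part of the original thread and not Jetty project code: a plain JSSE program for testing the hypothesis raised above that the failures are specific to TLS 1.3, by removing TLSv1.3 from an SSLEngine's enabled protocols on JDK 11. The class name Tls12Only and its method names are made up for illustration; on a Jetty connector the same restriction can be applied with SslContextFactory.addExcludeProtocols("TLSv1.3").

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Hypothetical helper class (name is an assumption, not from the thread).
public class Tls12Only {

    // Return the given protocol list with TLSv1.3 filtered out.
    static String[] withoutTls13(String[] enabled) {
        return Arrays.stream(enabled)
                .filter(p -> !"TLSv1.3".equals(p))
                .toArray(String[]::new);
    }

    // Apply the filtered list to an engine before any handshake starts.
    static SSLEngine restrict(SSLEngine engine) {
        SSLParameters params = engine.getSSLParameters();
        String[] remaining = withoutTls13(params.getProtocols());
        if (remaining.length == 0) {
            // Refuse to leave the engine with no usable protocol version.
            throw new IllegalStateException("no protocol left after removing TLSv1.3");
        }
        params.setProtocols(remaining);
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Record the runtime so A/B results (11.0.x vs 12) can be compared.
        System.out.println("java.version = " + System.getProperty("java.version"));

        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        System.out.println("enabled before: "
                + Arrays.toString(engine.getEnabledProtocols()));

        restrict(engine);
        System.out.println("enabled after:  "
                + Arrays.toString(engine.getEnabledProtocols()));

        // After a real handshake, engine.getSession().getProtocol()
        // reports which version was actually negotiated.
    }
}
```

Running the same load test once with and once without the restriction, and logging the negotiated protocol, gives the A/B evidence the thread asks for before a JDK bug is filed.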

