Re: [jetty-users] OutOfMemory errors

[Joakim Erdfelt <joakim@xxxxxxxxxxx>]

Its not just old, its EOL (End of Life)

https://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00069.html

Java 6, and Java 7, are also EOL (by Oracle)

All SSL on Java (through Java 7) is also EOL (again, by Oracle).

You don't even have the current support level of TLS/SSL as built into today's browsers.

There have been literally well over 600 CVE's fixed in Java specifically with regards to TLS/SSL since Java 6.

At this point your environment is vulnerable to a countless number of attack vectors.

That being said, the most common reasons for what you are encountering ...

• minimum cipher suites in use by the general web, are much more aggressive on memory now, you need to allocate more to your process.
• don't run a 32-bit JVM in production, esp with SSL enabled, you'll hit the memory limit of 32-bit processes quicker than you expect.
• many of these sorts of errors are from people exploring your vulnerabilities and tripping up the ancient SSL implementation you are running, you cannot mitigate these sorts of errors in code or configuration, only by updating the JVM itself.

--

Joakim Erdfelt <joakim@xxxxxxxxxxx>

webtide.com - eclipse.org/jetty - cometd.org

Expert advice, services and support from from the Jetty & CometD experts

On Wed, Jul 8, 2015 at 12:48 PM, radiatejava <radiatejava@xxxxxxxxx> wrote:

We are using Jetty 8.1.3 with JRE 1.6 that is in production. I know
these versions are old but right now this is in govt org and it is not
likely to be upgraded this year.

Problem is about once a month JVM is reporting OutOfMemory error and
the application dies. This is urgent for us. Heap dump does not show
anything suspicious. I am putting the stack trace here. Any help is
appreciated.

Here is the reported error:
2015-03-11 13:00:08,081 qtp31782389-6377     WARN  jetty.io.nio
                               - handle failed
java.lang.OutOfMemoryError
    at sun.security.pkcs11.wrapper.PKCS11.C_DecryptUpdate(Native Method)
    at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:549)
    at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:464)
    at javax.crypto.Cipher.update(DashoA13*..)
    at com.sun.net.ssl.internal.ssl.CipherBox.decrypt(Unknown Source)
    at com.sun.net.ssl.internal.ssl.InputRecord.decrypt(Unknown Source)
    at com.sun.net.ssl.internal.ssl.EngineInputRecord.decrypt(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(Unknown Source)
    at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
    at org.eclipse.jetty.io.nio.SslConnection.unwrap(SslConnection.java:519)
    at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:396)
    at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:188)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:606)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:46)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:603)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:538)
    at java.lang.Thread.run(Unknown Source)
2015-03-11 13:00:08,084 qtp31782389-6404     WARN  jetty.io.nio
                               - handle failed
java.lang.OutOfMemoryError: (class:
sun/security/pkcs11/P11TlsRsaPremasterSecretGenerator)
    at sun.security.pkcs11.SunPKCS11$P11Service.newInstance0(SunPKCS11.java:934)
    at sun.security.pkcs11.SunPKCS11$P11Service.newInstance(SunPKCS11.java:892)
    at javax.crypto.KeyGenerator.a(DashoA13*..)
    at javax.crypto.KeyGenerator.<init>(DashoA13*..)
    at javax.crypto.KeyGenerator.getInstance(DashoA13*..)
    at com.sun.net.ssl.internal.ssl.JsseJce.getKeyGenerator(Unknown Source)
    at com.sun.net.ssl.internal.ssl.RSAClientKeyExchange.generateDummySecret(Unknown
Source)
    at com.sun.net.ssl.internal.ssl.RSAClientKeyExchange.polishPreMasterSecretKey(Unknown
Source)
    at com.sun.net.ssl.internal.ssl.RSAClientKeyExchange.<init>(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(Unknown
Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Unknown Source)
    at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:370)
    at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:188)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:606)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:46)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:603)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:538)
    at java.lang.Thread.run(Unknown Source)


And the top level (objects occupying the largest memory) histogram is like this:

Class Name                                                         |
Shallow Heap | Retained Heap | Percentage
---------------------------------------------------------------------------------------------------------------
org.eclipse.jetty.server.ssl.SslSelectChannelConnector @ 0x81581498|
       192 |    14,677,920 |     51.87%
|- org.eclipse.jetty.http.HttpBuffersImpl @ 0x815a4248             |
        88 |    14,673,288 |     51.85%
  |- org.eclipse.jetty.io.PooledBuffers @ 0x8157af50              |
       56 |    14,607,160 |     51.62%
---------------------------------------------------------------------------------------------------------------
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users