Akka HTTP TLS server hangs when it receives plaintext connection

I’m using Akka HTTP to run HTTP servers. They are mostly working fine, with the exception of one major annoyance: when an HTTPS server receives an HTTP connection, it just hangs. According to Wireshark, it does not send anything as a response, so the HTTP client is waiting indefinitely (well, not indefinitely, but for a large timeout) for response data that is never going to be sent.

This is counter-intuitive behavior, since the last thing that I will try when I encounter such an unresponsive server is to switch to HTTPS.

I made a sample project which suffers from this problem and put it on GitHub: https://github.com/makkarpov/akka-tls-hangs-example

So I would be happy for any clues. Is this a misconfiguration of the server, or an Akka bug, or was I unlucky enough to hit a buggy version, or something else? If this is a misconfiguration, what is the correct configuration then?

Hello,

I’ve just checked this on my own server and can’t reproduce the issue (I’m using Akka HTTP 10.1.9 now).
Skimmed through your code, found this SecureRandom.getInstanceStrong. Not saying this is your issue and it is probably not, but I’d rather avoid this (https://tersesystems.com/blog/2015/12/17/the-right-way-to-use-securerandom/).

1 Like

The issue doesn’t reproduce on my machine.

I agree, getInstanceStrong is a bad idea and it may well be that not just HTTP connections hang but any kind of connections once the source of entropy has run dry.

Can you get a stack trace when the hanging occurs? E.g. using jstack <pid>.

Thank you for noticing the blocking nature of the SecureRandom.getInstanceStrong I used, I didn’t know about it. The surprising fact is that I can’t reproduce this issue either on JDK 8, but this issue is perfectly reproducible (I tried on another computer) on JDK 11 (with the unmodified repository version of the code on both JDKs). On JDK 8 Akka just closes the connection without any response, which is not perfect, but good. On JDK 11 the connection is kept open indefinitely without any activity.

Result of Ctrl+Break on JDK 11 with a waiting plaintext connection: https://paste.ubuntu.com/p/QKctTGDWBt/

It seems that Akka does not “hang” in terms of entering a deadlock or infinite loop or something like that, but just ignores the incoming connection. I guess that this is related to different SSLContext/SSLEngine implementations in these JDKs. Changing SecureRandom to .getInstance("SHA1PRNG") instead of .getInstanceStrong does not affect this behavior.

Thanks @makkarpov. I could reproduce the behavior using your code on JDK11. I created https://github.com/akka/akka-http/issues/2614 to track this further.

1 Like
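
A client-side probe that tells apart the two behaviours described in this thread (connection closed without data versus connection left open and silent), added here as an example that is not part of the thread or of Akka HTTP. The function names and outcome labels are assumptions chosen for illustration, and the request bytes are constructed.

```python
import socket
import sys

# Constructed plaintext request; the Host value is a placeholder.
PLAINTEXT_REQUEST = b"GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n"


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a TLS listener sent back to a plaintext request."""
    if data.startswith(b"HTTP/"):
        return "http-response"  # listener answered in plaintext HTTP
    # TLS record header: content type (1 byte), version (2), length (2).
    if len(data) >= 5 and data[0] == 0x15 and data[1] == 0x03:
        return "tls-alert"  # content type 0x15 is an alert record
    return "unknown-data"


def probe_socket(sock: socket.socket, timeout: float = 3.0) -> str:
    """Send the plaintext request on a connected socket and report the reaction."""
    sock.settimeout(timeout)
    data = b""
    try:
        sock.sendall(PLAINTEXT_REQUEST)
        while len(data) < 5:  # enough for a TLS record header or "HTTP/"
            chunk = sock.recv(4096)
            if not chunk:
                break  # peer closed the connection
            data += chunk
    except socket.timeout:
        if not data:
            return "silent"  # still open, nothing sent: the JDK 11 behaviour above
    except ConnectionError:
        if not data:
            return "closed"
    return classify_reply(data) if data else "closed"  # no data: JDK 8 behaviour


def probe_plaintext(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect to host:port over plain TCP and run the probe."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return probe_socket(sock, timeout)


if __name__ == "__main__":
    print(probe_plaintext(sys.argv[1], int(sys.argv[2])))
```

Run against a test instance as `python probe.py <host> <port>`; a result of `silent` after the timeout matches what was observed on JDK 11, `closed` what was observed on JDK 8.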