Errors on save ckeditor

Every now and then I get “Failed to save page: server not responding.”
I can sort of replicate it when trying to save a large page. It basically logs

java.lang.IllegalArgumentException: Request header is too large
<snip>
[https://wiki.xxxxxxx.com/xwiki/wiki/security/preview/<pagename> WARN  o.x.c.i.DefaultCSRFToken       - CSRFToken: Secret token verification failed, token: "null", stored token: "xxxxxxxxxxxxxxxxxx"

If I tcpdump the traffic the CSRF token is present in the form post.

Detailed logging gives this

[2020-05-13 03:56:40] [info] 2020-05-13 03:56:40,105 [https://wiki.xxxxx.com/xwiki/bin/view/Ops/tp/?resubmit=%2Fxwiki%2Fbin%2Fpreview%2FOps%2Ftp%2FWebHome%3Fsrid%3D1DByeyhn&xback=%2Fxwiki%2Fbin%2Fview%2FOps%2Ftp%2F&xpage=resubmit] DEBUG o.a.s.a.RequestProcessor       -  Looking for Action instance for class com.xpn.xwiki.web.ViewAction
[2020-05-13 03:56:40] [info] 2020-05-13 03:56:40,105 [https://wiki.xxxxx.com/xwiki/bin/view/Ops/tp/?resubmit=%2Fxwiki%2Fbin%2Fpreview%2FOps%2Ftp%2FWebHome%3Fsrid%3D1DByeyhn&xback=%2Fxwiki%2Fbin%2Fview%2FOps%2Ftp%2F&xpage=resubmit] TRACE o.a.s.a.RequestProcessor       -   Returning existing Action instance
[2020-05-13 03:56:53] [info] 2020-05-13 03:56:53,344 [https://wiki.xxxxx.com/xwiki/bin/preview/Ops/tp/WebHome] DEBUG o.a.s.a.RequestProcessor       - Processing a 'POST' for path '/preview/'
[2020-05-13 03:56:53] [info] 2020-05-13 03:56:53,344 [https://wiki.xxxxx.com/xwiki/bin/preview/Ops/tp/WebHome] DEBUG o.a.s.u.RequestUtils           -  Looking for ActionForm bean instance in scope 'request' under attribute key 'preview'
[2020-05-13 03:56:53] [info] 2020-05-13 03:56:53,344 [https://wiki.xxxxx.com/xwiki/bin/preview/Ops/tp/WebHome] DEBUG o.a.s.u.RequestUtils           -  Creating new ActionForm instance of type 'com.xpn.xwiki.web.EditForm'
[2020-05-13 03:56:53] [info] 2020-05-13 03:56:53,344 [https://wiki.xxxxx.com/xwiki/bin/preview/Ops/tp/WebHome] TRACE o.a.s.u.RequestUtils           -  --> com.xpn.xwiki.web.EditForm@13d99122
[2020-05-13 03:56:53] [info] 2020-05-13 03:56:53,344 [https://wiki.xxxxx.com/xwiki/bin/preview/Ops/tp/WebHome] DEBUG o.a.s.a.RequestProcessor       -  Storing ActionForm bean instance in scope 'request' under attribute key 'preview'
[2020-05-13 03:56:53] [info] 2020-05-13 03:56:53,344 [https://wiki.xxxxx.com/xwiki/bin/preview/Ops/tp/WebHome] DEBUG o.a.s.a.RequestProcessor       -  Validating input form properties
[2020-05-13 03:56:53] [info] 2020-05-13 03:56:53,344 [https://wiki.xxxxx.com/xwiki/bin/preview/Ops/tp/WebHome] TRACE o.a.s.a.RequestProcessor       -   No errors detected, accepting input
[2020-05-13 03:56:53] [info] 2020-05-13 03:56:53,344 [https://wiki.xxxxx.com/xwiki/bin/preview/Ops/tp/WebHome] DEBUG o.a.s.a.RequestProcessor       -  Looking for Action instance for class com.xpn.xwiki.web.PreviewAction
[2020-05-13 03:56:53] [info] 2020-05-13 03:56:53,344 [https://wiki.xxxxx.com/xwiki/bin/preview/Ops/tp/WebHome] TRACE o.a.s.a.RequestProcessor       -   Returning existing Action instance
[2020-05-13 03:56:53] [info] 2020-05-13 03:56:53,346 [https://wiki.xxxxx.com/xwiki/bin/preview/Ops/tp/WebHome] WARN  o.x.c.i.DefaultCSRFToken       - CSRFToken: Secret token verification failed, token: "null", stored token: "57u3Gsdo4FvCyIFptWWuPA"
[2020-05-13 03:56:53] [info] Error parsing HTTP request header
[2020-05-13 03:56:53] [info]  Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.

How can I debug this further?
This is Debian 10.4

tomcat9                               9.0.31-1~deb10u1
tomcat9-common                        9.0.31-1~deb10u1
xwiki-tomcat9-common                  11.10.4
xwiki-tomcat9-pgsql                   11.10.4
xwiki-common                          11.10.4
xwiki-pgsql-common                    11.10.4
xwiki-tomcat9-common                  11.10.4
xwiki-tomcat9-pgsql                   11.10.4
libtomcat9-java                       9.0.31-1~deb10u1
openjdk-11-jre-headless:amd64         11.0.7+10-3~deb10u1

Maybe this is just a consequence of:

or a consequence of:

Note that the second log you pasted doesn’t include this “Request header is too large” so you may have 2 issues. The save request is done using POST so it shouldn’t lead to “Request header is too large” normally. You could also check the header of the save POST request to see if there is something strange there.

I know XWiki says token is null. However, the form post in the browser contains the token. Tomcat receives it as well, checked with tcpdump. The header error comes next when a GET is done (after the POST fails).

I’ve compared the form and all post headers between a failing one and a good one - there is no difference.

I am wondering how to debug this further. Somewhere in the request processing the csrf token gets lost or mangled…

I solved my own issue. It is somehow related to (I think) JSSE. When I switched the connector in Tomcat to APR and OpenSSL the problem disappeared. Did not debug it further.

And I found the cause. Bug in tomcat 9.0.31:
https://bz.apache.org/bugzilla/show_bug.cgi?id=64195
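
Added example, not part of the thread and not XWiki or Tomcat code: a small triage script for logs in the format pasted above. It separates CSRF failures where the token arrived as "null" next to a Tomcat request-parsing error (the pattern in this thread) from plain missing or mismatched tokens. The sample log, host name, token value, function name and the two-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the log format shown in the thread (host and token are placeholders).
SAMPLE_LOG = """\
[2020-05-13 03:56:53] [info] 2020-05-13 03:56:53,344 [https://wiki.example.org/xwiki/bin/preview/Ops/tp/WebHome] DEBUG o.a.s.a.RequestProcessor       - Processing a 'POST' for path '/preview/'
[2020-05-13 03:56:53] [info] 2020-05-13 03:56:53,346 [https://wiki.example.org/xwiki/bin/preview/Ops/tp/WebHome] WARN  o.x.c.i.DefaultCSRFToken       - CSRFToken: Secret token verification failed, token: "null", stored token: "PLACEHOLDERTOKEN"
[2020-05-13 03:56:53] [info] Error parsing HTTP request header
[2020-05-13 04:10:02] [info] 2020-05-13 04:10:02,120 [https://wiki.example.org/xwiki/bin/save/Ops/other] WARN  o.x.c.i.DefaultCSRFToken       - CSRFToken: Secret token verification failed, token: "abc123", stored token: "PLACEHOLDERTOKEN"
"""

STAMP = re.compile(r'^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]')
CSRF = re.compile(r'\[(https?://[^\]]+)\].*CSRFToken: Secret token verification failed, '
                  r'token: "([^"]*)", stored token: "[^"]*"')
PARSE_ERR = "Error parsing HTTP request header"


def triage(log_text, window_seconds=2):
    """Classify each CSRF failure; the stored token is never copied into the report."""
    failures, parse_errors = [], []
    for line in log_text.splitlines():
        stamp = STAMP.match(line)
        if not stamp:
            continue
        ts = datetime.strptime(stamp.group(1), "%Y-%m-%d %H:%M:%S")
        if PARSE_ERR in line:
            parse_errors.append(ts)
        hit = CSRF.search(line)
        if hit:
            failures.append((ts, hit.group(1), hit.group(2)))
    window = timedelta(seconds=window_seconds)
    report = []
    for ts, url, token in failures:
        near_parse_error = any(abs(ts - p) <= window for p in parse_errors)
        if token == "null" and near_parse_error:
            verdict = "lost-near-parse-error"   # look at the container/connector
        elif token == "null":
            verdict = "missing-token"           # client, proxy or forged request
        else:
            verdict = "token-mismatch"          # stale form, new session or forged request
        report.append({"time": ts.isoformat(sep=" "), "url": url, "verdict": verdict})
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

The report deliberately omits the stored token, since the WARN line writes it to the log in clear text.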