[Bug 62054] New: exception on OpenSSLEngine lead to websocket session closure

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=62054

            Bug ID: 62054
           Summary: exception on OpenSSLEngine lead to websocket session
                    closure
           Product: Tomcat 9
           Version: unspecified
          Hardware: PC
            Status: NEW
          Severity: major
          Priority: P2
         Component: Util
          Assignee: dev@tomcat.apache.org
          Reporter: leandrogaspar...@gmail.com
  Target Milestone: -----

Created attachment 35703
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35703&action=edit
Source for reproducing the issue

On windows, SSL_shutdown is called when connection is in init state and the
WebSocket session is closed as consequence. The browser receives CloseEvent
with reason "error:140E0197:SSL routines:SSL_shutdown:shutdown while in init".

The problem doesn't seen to happen in Google Chrome but when using Microsoft
Edge, Internet Explorer or Firefox the issue is easily reproducible.

This user in stackoverflow was reporting the same issue and using the tomcat in
linux solved the problem too.

https://stackoverflow.com/questions/47729007/secured-websocket-connections-wss-abort-in-tomcat-spring-while-https-is-wo

---------------------------------------------------------------------------
Exception stack trace:
onError... sessionId=3
javax.net.ssl.SSLException: error:140E0197:SSL routines:SSL_shutdown:shutdown
wh
ile in init
        at
org.apache.tomcat.util.net.openssl.OpenSSLEngine.checkLastError(OpenS
SLEngine.java:905)
        at
org.apache.tomcat.util.net.openssl.OpenSSLEngine.pendingReadableBytes
InSSL(OpenSSLEngine.java:616)
        at
org.apache.tomcat.util.net.openssl.OpenSSLEngine.unwrap(OpenSSLEngine
.java:544)
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
        at
org.apache.tomcat.util.net.SecureNioChannel.read(SecureNioChannel.jav
a:563)
        at
org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper.fillReadBuffe
r(NioEndpoint.java:1242)
        at
org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper.fillReadBuffe
r(NioEndpoint.java:1215)
        at
org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper.read(NioEndpo
int.java:1188)
        at
org.apache.tomcat.websocket.server.WsFrameServer.onDataAvailable(WsFr
ameServer.java:72)
        at
org.apache.tomcat.websocket.server.WsFrameServer.doOnDataAvailable(Ws
FrameServer.java:171)
        at
org.apache.tomcat.websocket.server.WsFrameServer.notifyDataAvailable(
WsFrameServer.java:151)
        at
org.apache.tomcat.websocket.server.WsHttpUpgradeHandler.upgradeDispat
ch(WsHttpUpgradeHandler.java:148)
        at
org.apache.coyote.http11.upgrade.UpgradeProcessorInternal.dispatch(Up
gradeProcessorInternal.java:54)
        at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLig
ht.java:53)
        at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(Abstract
Protocol.java:868)
        at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpo
int.java:1457)
        at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBas
e.java:49)
        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.
java:1149)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor
.java:624)
        at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskTh
read.java:61)
        at java.lang.Thread.run(Thread.java:748)
Close Connection... sessionId=3
Session Closed. sessionId=3

---------------------------------------------------------------------------
Possible fix:
As a simple test, I did a build changing the OpenSSLEngine#shutdown method to
check if the SSL is init state before releasing it:

    public synchronized void shutdown() {
        if (!destroyed && SSL.isInInit(ssl) != 0) {
            destroyed = true;
            SSL.freeBIO(networkBIO);
            SSL.freeSSL(ssl);
            ssl = networkBIO = 0;

            // internal errors can cause shutdown without marking the engine
closed
            isInboundDone = isOutboundDone = engineClosed = true;
        }
    }

That solved the issue, however I would like some feedback for the effects of
this change.

---------------------------------------------------------------------------
Product: Tomcat 8.5.x and Tomcat 9.0.x
Version: apache-tomcat-8.5.23 or apache-tomcat-9.0.4
Component: Util
OS: Windows 10 Pro and Windows 2012 R2 Datacenter 

Configuration details:
Java version – Java(TM) SE Runtime Environment (build 1.8.0_144-b01) and
Java(TM) SE Runtime Environment (build 1.8.0_161-b12).
Tomcat Connector Configuration: 
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" 
               keystoreFile="${catalina.base}\conf\keystore.jks"/>

---------------------------------------------------------------------------
Reproducing the issue:
I'm attaching the source for a really simple app that reproduces the issue.

The web page starts a WebSocket and waits for messages and echo it back to the
server.
On the server side, once a new connection arrives a thread is started and every
100ms if the session is open a message is sent to the client.

For testing open the page on the Internet Explorer or Microsoft Edge and wait
for the exception.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org