https://bz.apache.org/bugzilla/show_bug.cgi?id=63500
Bug ID: 63500
Summary: Core dump using APR tomcat native with certificateRevocationListFile
Product: Tomcat 9
Version: 9.0.21
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: -----
I'm using tomcat 9.0.21 and tomcat-native 1.2.21 on top of CentOS 7.6.1810.
Current issue is this one from catalina.out:
-----
13-Jun-2019 10:43:32.132 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.21] using APR version [1.4.8].
13-Jun-2019 10:43:32.135 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
13-Jun-2019 10:43:32.135 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
13-Jun-2019 10:43:32.141 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.0.2k-fips 26 Jan 2017]
13-Jun-2019 10:43:32.518 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-apr-2007"]
13-Jun-2019 10:43:32.545 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-apr-2008"]
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x00007f989117c860, pid=23986, tid=0x00007f9910185700
#
# JRE version: OpenJDK Runtime Environment (8.0_191-b12) (build 1.8.0_191-b12)
# Java VM: OpenJDK 64-Bit Server VM (25.191-b12 mixed mode linux-amd64 compressed oops)
# Problematic frame:
# C [libcrypto.so.10+0x168860] X509_STORE_set_flags+0x0
#
# Failed to write core dump. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
#
# An error report file with more information is saved as:
# /opt/temp/java_error23986.log
#
# If you would like to submit a bug report, please visit:
# http://bugreport.java.com/bugreport/crash.jsp
#
-----
The crash log shows
-----
Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
j  org.apache.tomcat.jni.SSLContext.setCARevocation(JLjava/lang/String;Ljava/lang/String;)Z+0
j  org.apache.tomcat.util.net.openssl.OpenSSLContext.addCertificate(Lorg/apache/tomcat/util/net/SSLHostConfigCertificate;)V+77
j  org.apache.tomcat.util.net.openssl.OpenSSLContext.init([Ljavax/net/ssl/KeyManager;[Ljavax/net/ssl/TrustManager;Ljava/security/SecureRandom;)V+191
j  org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(Ljava/util/List;)Lorg/apache/tomcat/util/net/SSLContext;+16
j  org.apache.tomcat.util.net.AprEndpoint.createSSLContext(Lorg/apache/tomcat/util/net/SSLHostConfig;)V+81
-----
Which corresponds to this code:
https://github.com/apache/tomcat-native/blob/7a20a500587dc92944dee05cee5b388ae8443842/native/src/sslcontext.c#L640
Connector configuration:
-----
<Listener className="org.apache.catalina.core.AprLifecycleListener"
          SSLEngine="on" SSLRandomSeed="builtin" />
<Connector
    allowTrace="false"
    URIEncoding="UTF-8"
    acceptorThreadCount="2"
    acceptCount="400"
    connectionTimeout="20000"
    maxKeepAliveRequests="100"
    keepAliveTimeout="5000"
    maxThreads="400"
    minSpareThreads="25"
    tcpNoDelay="true"
    processorCache="750"
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    port="2008"
    scheme="https"
    secure="true"
    SSLEnabled="true">
  <SSLHostConfig
      certificateVerification="optional"
      caCertificateFile="/certs/server/x509_trusted.crt"
      certificateRevocationListFile="/certs/server/x509_trusted.crl"
      protocols="all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3"
      ciphers="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
      honorCipherOrder="true"
      disableCompression="true">
    <Certificate
        certificateFile="/certs/server/server.crt"
        certificateChainFile="/certs/server/server_ca_chain.crt"
        certificateKeyFile="/certs/server/server.key"
        certificateKeyPassword="abc" />
  </SSLHostConfig>
</Connector>
-----
When I remove the line setting the revocation list, certificateRevocationListFile="/certs/server/x509_trusted.crl", it just works. The same PEM file works in old tomcat-7.0.69, also using APR and tomcat native.
I tried versions back to 9.0.17 with the same issue. With 9.0.16 and 9.0.14 I have a different issue.
On tomcat 9.0.14 the same setup worked, but on shutdown I had a core dump. With tomcat 9.0.16 the same setup worked, but on shutdown I had an even weirder core dump.
Starting with tomcat 9.0.17 it stopped starting. I noticed that tomcat native changed from 1.2.19 to 1.2.21 when that happened.
I also tested building tomcat-native with the latest openssl and the latest apr statically linked in, with the same issue. So I assume it's not some weird library issue but something else.
Happy to provide more data or even do other tests.