This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
commit 02fcf97f1b2a1db04b7dd674daf6ab3a5f77312e Author: Mark Thomas <ma...@apache.org> AuthorDate: Wed Jun 19 18:19:25 2019 +0100 Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63500 Correct reference to the X509_STORE being configured Remove calls to X509_STORE_free since a separate store is not allocated for CRLs. It simply re-uses the existing store for the server SSLContext. Trying to close it triggers a JVM crash. --- native/src/sslcontext.c | 8 +------- xdocs/miscellaneous/changelog.xml | 4 ++++ 2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
index 4e4944f..1e82fa2 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -34,8 +34,6 @@ static apr_status_t ssl_context_cleanup(void *data)
 tcn_ssl_ctxt_t *c = (tcn_ssl_ctxt_t *)data;
 if (c) {
 int i;
- if (c->crl)
- X509_STORE_free(c->crl);
 c->crl = NULL;
 if (c->ctx)
 SSL_CTX_free(c->ctx);
@@ -607,14 +605,12 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCARevocation)(TCN_STDARGS, jlong ctx
 lookup = X509_STORE_add_lookup(c->crl, X509_LOOKUP_file());
 if (lookup == NULL) {
 ERR_error_string(SSL_ERR_get(), err);
- X509_STORE_free(c->crl);
 c->crl = NULL;
 tcn_Throw(e, "Lookup failed for file %s (%s)", J2S(file), err);
 goto cleanup;
 }
 if (!X509_LOOKUP_load_file(lookup, J2S(file), X509_FILETYPE_PEM)) {
 ERR_error_string(SSL_ERR_get(), err);
- X509_STORE_free(c->crl);
 c->crl = NULL;
 tcn_Throw(e, "Load failed for file %s (%s)", J2S(file), err);
 goto cleanup;
@@ -624,20 +620,18 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCARevocation)(TCN_STDARGS, jlong ctx
 lookup = X509_STORE_add_lookup(c->crl, X509_LOOKUP_hash_dir());
 if (lookup == NULL) {
 ERR_error_string(SSL_ERR_get(), err);
- X509_STORE_free(c->crl);
 c->crl = NULL;
 tcn_Throw(e, "Lookup failed for path %s (%s)", J2S(file), err);
 goto cleanup;
 }
 if (!X509_LOOKUP_add_dir(lookup, J2S(path), X509_FILETYPE_PEM)) {
 ERR_error_string(SSL_ERR_get(), err);
- X509_STORE_free(c->crl);
 c->crl = NULL;
 tcn_Throw(e, "Load failed for path %s (%s)", J2S(file), err);
 goto cleanup;
 }
 }
- X509_STORE_set_flags(c->store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
+ X509_STORE_set_flags(c->crl, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
 rv = JNI_TRUE;
 cleanup:
 TCN_FREE_CSTRING(file);
diff --git a/xdocs/miscellaneous/changelog.xml b/xdocs/miscellaneous/changelog.xml
index 6af4a2e..bd2ea01 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -45,6 +45,10 @@ contains an AIA extension without an OCSP URI. Patch provided by Milind Takawale. (markt) </fix>
+ <fix>
+ <bug>63500</bug>: Fix JVM crash on Connector start when a certificate
+ revocation file or path is specified for OpenSSL. (markt)
+ </fix>
 </changelog>
 </section>
 <section name="Changes in 1.2.21">
--------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
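Review bot: Both failure messages in the hash-dir branch of the third sslcontext.c hunk still format `J2S(file)` instead of `J2S(path)`, so when only a revocation path is configured the exception names the wrong value (possibly a null string). The two calls should read `tcn_Throw(e, "Lookup failed for path %s (%s)", J2S(path), err);` and `tcn_Throw(e, "Load failed for path %s (%s)", J2S(path), err);`. Separately, the result of `X509_STORE_set_flags(c->crl, ...)` is discarded before `rv = JNI_TRUE;`, so if that call can fail, the method would report success without CRL checking enabled; testing the return value and throwing would keep it fail-closed. Since the commit message says `c->crl` re-uses the SSLContext's store, a short comment at the `c->crl = NULL;` lines, e.g. `/* borrowed from the SSL_CTX; must not be freed here */`, would guard against the free being reintroduced. The body of setCARevocation starts and ends outside this hunk, so the guards around these branches were not visible for this review.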