[Bug 65131] New: OpenSSLEngine errors on a connection affect other connections

Mon, 08 Feb 2021 09:29:22 -0800 

https://bz.apache.org/bugzilla/show_bug.cgi?id=65131

            Bug ID: 65131
           Summary: OpenSSLEngine errors on a connection affect other
                    connections
           Product: Tomcat 9
           Version: 9.0.34
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: frraj...@cisco.com
  Target Milestone: -----

This issue was previously reported in
https://bz.apache.org/bugzilla/show_bug.cgi?id=62054 but was discarded because
it was not reproducible. However, I have been able to reproduce it.

The setup is:
tomcat 9.0.34
HTTPNIO connector, with OpenSSLEngine implementation
openssl 1.0.2u

To reproduce, configure a secure connector with a self-signed certificate.

Then, in a loop, access the secure connector using curl, but ignore the
self-signed certificate errors (-k), like this:
for i in {1..1000} ; do curl -q -k https://hostname >/dev/null 2>&1; echo $?;
done

The exit code should always be zero if the connection is successful.

While the test is running, access the same interface, but let curl fail the
connection by letting it verify the certificate:
curl https://hostname
curl: (60) Peer's certificate issuer has been marked as not trusted by the
user.

The test will start reporting connection errors (exit code 52). Run both in a
tight loop to get many errors.

The following stack trace is visible in tomcat logs:

FINE: OpenSSL error: [336462231] message: [error:140E0197:SSL
routines:SSL_shutdown:shutdown while in init]
Feb 08, 2021 11:41:19 AM org.apache.coyote.http11.Http11Processor service
FINE: Error parsing HTTP request header
javax.net.ssl.SSLException: error:140E0197:SSL routines:SSL_shutdown:shutdown
while in init
        at
org.apache.tomcat.util.net.openssl.OpenSSLEngine.checkLastError(OpenSSLEngine.java:946)
        at
org.apache.tomcat.util.net.openssl.OpenSSLEngine.pendingReadableBytesInSSL(OpenSSLEngine.java:631)
        at
org.apache.tomcat.util.net.openssl.OpenSSLEngine.unwrap(OpenSSLEngine.java:558)
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:629)
        at
org.apache.tomcat.util.net.SecureNioChannel.read(SecureNioChannel.java:617)
        at
org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper.fillReadBuffer(NioEndpoint.java:1229)
        at
org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper.read(NioEndpoint.java:1141)
        at
org.apache.coyote.http11.Http11InputBuffer.fill(Http11InputBuffer.java:761)
        at
org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:356)
        at
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
        at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
        at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
        at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at
com.broadsoft.xsp.platform.InstrumentedExecutor$Tracker.run(InstrumentedExecutor.java:413)
        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)


My feeling is that this is related to the same problem that led to this fix:
https://github.com/apache/tomcat/commit/ebab25a3576a315ca676db7ce2366e53f9dcf311
It looks like, in this case, there are multiple errors waiting in the openssl
error queue, and just reading one error is not sufficient to clear the queue.
Therefore, SSL errors on a connection are permitted to propagate to other
connections as long as they are processed on the same thread.


As an aside, I also noticed the following NPE stacktrace in the logs, but I'm
not sure if it's related. It may be a different scenario that caused it. I
think it's related to SecureNioChannel.processSNI returning/throwing before
creating the SSLEngine.

Feb 08, 2021 11:48:00 AM
org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper doClose
SEVERE: Failed to close channel
java.lang.NullPointerException
        at
org.apache.tomcat.util.net.SecureNioChannel.close(SecureNioChannel.java:534)
        at
org.apache.tomcat.util.net.SecureNioChannel.close(SecureNioChannel.java:560)
        at
org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper.doClose(NioEndpoint.java:1172)
        at
org.apache.tomcat.util.net.SocketWrapperBase.close(SocketWrapperBase.java:396)
        at
org.apache.tomcat.util.net.NioEndpoint$Poller.cancelledKey(NioEndpoint.java:684)
        at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1597)
        at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at
com.broadsoft.xsp.platform.InstrumentedExecutor$Tracker.run(InstrumentedExecutor.java:413)
        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to