remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new ba6432cbb3 65991: Avoid NPE when checking for client cert
ba6432cbb3 is described below
commit ba6432cbb312e6595af5fa49e77161f7d8805956
Author: remm <[email protected]>
AuthorDate: Tue Apr 5 20:45:59 2022 +0200
65991: Avoid NPE when checking for client cert
SSLAuthenticator would throw a NPE when boundOnInit was used on one of
the connectors since enabledProtocols is null until the connector is
started. Fall back on protocols when that happens (it is what is
configured, rather than what is actually used, so it's not as good).
---
java/org/apache/catalina/authenticator/SSLAuthenticator.java | 4 ++++
webapps/docs/changelog.xml | 9 +++++++++
2 files changed, 13 insertions(+)
diff --git a/java/org/apache/catalina/authenticator/SSLAuthenticator.java
b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
index 30344b9bdd..45d166ceb3 100644
--- a/java/org/apache/catalina/authenticator/SSLAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
@@ -198,6 +198,10 @@ public class SSLAuthenticator extends AuthenticatorBase {
for (SSLHostConfig sslHostConfig : sslHostConfigs) {
if (!sslHostConfig.isTls13RenegotiationAvailable()) {
String[] enabledProtocols =
sslHostConfig.getEnabledProtocols();
+ if (enabledProtocols == null) {
+ // Possibly boundOnInit is used, so use the less
accurate protocols
+ enabledProtocols =
sslHostConfig.getProtocols().toArray(new String[0]);
+ }
for (String enbabledProtocol : enabledProtocols) {
if
(Constants.SSL_PROTO_TLSv1_3.equals(enbabledProtocol)) {
log.warn(sm.getString("sslAuthenticatorValve.tls13", context.getName(),
host.getName(), connector));
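Review bot: The fallback `enabledProtocols = sslHostConfig.getProtocols().toArray(new String[0]);` assumes that getProtocols() never returns null and that its entries use the same protocol names that `Constants.SSL_PROTO_TLSv1_3` is compared against; neither is visible in this hunk. If the configured set can differ in form from the enabled list, the TLS 1.3 warning could be skipped or raised spuriously on exactly the connectors that take this path, and an operator relying on the log would get the wrong picture of whether client-certificate authentication is available. I would make the comment state that limitation, for example `// enabledProtocols is null until the connector is started (e.g. boundOnInit); fall back to the configured protocols, so this warning may over- or under-report TLSv1.3`. The enclosing loop and method begin and end outside the hunk, so the handling after the warning was not reviewed.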
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 49fb49f95f..0540db1f1c 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -105,6 +105,15 @@
issues do not "pop up" wrt. others).
-->
<section name="Tomcat 10.1.0-M15 (markt)" rtext="in development">
+ <subsection name="Catalina">
+ <changelog>
+ <fix>
+ <bug>65991</bug>: Avoid NPE with <code>SSLAuthenticator</code> when
+ <code>boundOnInit</code> is used on a connector, during the check
+ for client certificate authentication availability. (remm)
+ </fix>
+ </changelog>
+ </subsection>
</section>
<section name="Tomcat 10.1.0-M14 (markt)" rtext="2022-04-01">
<subsection name="Catalina">