This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.0.x by this push:
     new 88b4da4a1d 65991: Avoid NPE when checking for client cert
88b4da4a1d is described below

commit 88b4da4a1deef7be565d0276240636eede193202
Author: remm <r...@apache.org>
AuthorDate: Tue Apr 5 20:45:59 2022 +0200

    65991: Avoid NPE when checking for client cert
    
    SSLAuthenticator would throw a NPE when boundOnInit was used on one of
    the connectors since enabledProtocols is null until the connector is
    started. Fall back on protocols when that happens (it is what is
    configured, rather than what is actually used, so it's not as good).
---
 java/org/apache/catalina/authenticator/SSLAuthenticator.java | 4 ++++
 webapps/docs/changelog.xml                                   | 9 +++++++++
 2 files changed, 13 insertions(+)

diff --git a/java/org/apache/catalina/authenticator/SSLAuthenticator.java 
b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
index 30344b9bdd..45d166ceb3 100644
--- a/java/org/apache/catalina/authenticator/SSLAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
@@ -198,6 +198,10 @@ public class SSLAuthenticator extends AuthenticatorBase {
             for (SSLHostConfig sslHostConfig : sslHostConfigs) {
                 if (!sslHostConfig.isTls13RenegotiationAvailable()) {
                     String[] enabledProtocols = 
sslHostConfig.getEnabledProtocols();
+                    if (enabledProtocols == null) {
+                        // Possibly boundOnInit is used, so use the less 
accurate protocols
+                        enabledProtocols = 
sslHostConfig.getProtocols().toArray(new String[0]);
+                    }
                     for (String enbabledProtocol : enabledProtocols) {
                         if 
(Constants.SSL_PROTO_TLSv1_3.equals(enbabledProtocol)) {
                             
log.warn(sm.getString("sslAuthenticatorValve.tls13", context.getName(), 
host.getName(), connector));
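Review bot: The fallback `enabledProtocols = sslHostConfig.getProtocols().toArray(new String[0]);` checks the configured protocol set rather than the one in effect, so the TLS 1.3 client-certificate warning can presumably be logged for a connector that never enables TLSv1.3 once started. The inline comment only says "less accurate"; it would help operators and maintainers if it named that outcome, for example `// enabledProtocols is unset until the connector starts; fall back to the configured protocols, which may over-report TLSv1.3`. If that over-reporting matters, the log message itself could also indicate that the check ran against the configured protocols. Separately, the loop variable on the context line is misspelled as `enbabledProtocol`. The enclosing method starts above this hunk and the loop body continues past it, so this is based only on the visible lines.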
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index c4cd547c71..db4bc415d3 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -105,6 +105,15 @@
   issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 10.0.21 (markt)" rtext="in development">
+  <subsection name="Catalina">
+    <changelog>
+      <fix>
+        <bug>65991</bug>: Avoid NPE with <code>SSLAuthenticator</code> when
+        <code>boundOnInit</code> is used on a connector, during the check
+        for client certificate authentication availability. (remm)
+      </fix>
+    </changelog>
+  </subsection>
 </section>
 <section name="Tomcat 10.0.20 (markt)" rtext="2022-04-01">
   <subsection name="Catalina">

