This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push: new 1bb00911c6 65991: Avoid NPE when checking for client cert 1bb00911c6 is described below commit 1bb00911c61aca80743852f82e72bfa9bc5b6ccf Author: remm <r...@apache.org> AuthorDate: Tue Apr 5 20:45:59 2022 +0200 65991: Avoid NPE when checking for client cert SSLAuthenticator would throw a NPE when boundOnInit was used on one of the connectors since enabledProtocols is null until the connector is started. Fall back on protocols when that happens (it is what is configured, rather than what is actually used, so it's not as good).
---
 java/org/apache/catalina/authenticator/SSLAuthenticator.java | 4 ++++ webapps/docs/changelog.xml | 9 +++++++++ 2 files changed, 13 insertions(+)
diff --git a/java/org/apache/catalina/authenticator/SSLAuthenticator.java b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
index a406061314..0f6955bee1 100644
--- a/java/org/apache/catalina/authenticator/SSLAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
@@ -198,6 +198,10 @@ public class SSLAuthenticator extends AuthenticatorBase {
 for (SSLHostConfig sslHostConfig : sslHostConfigs) {
 if (!sslHostConfig.isTls13RenegotiationAvailable()) {
 String[] enabledProtocols = sslHostConfig.getEnabledProtocols();
+ if (enabledProtocols == null) {
+ // Possibly boundOnInit is used, so use the less accurate protocols
+ enabledProtocols = sslHostConfig.getProtocols().toArray(new String[0]);
+ }
 for (String enbabledProtocol : enabledProtocols) {
 if (Constants.SSL_PROTO_TLSv1_3.equals(enbabledProtocol)) {
 log.warn(sm.getString("sslAuthenticatorValve.tls13", context.getName(), host.getName(), connector));
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 3e6db14ac6..92d3ce20e2 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
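Review bot: The comment on the added null fallback in SSLAuthenticator.java names `boundOnInit`, which does not match the connector attribute as I know it (`bindOnInit`), and "less accurate" does not say in which direction the TLS 1.3 client-certificate warning can now be wrong. Going by the commit message, the fallback reads the configured protocols rather than the ones actually in use, so the warning may fire for a TLSv1.3 entry that is configured but never enabled. I cannot tell from the hunk whether `getProtocols()` could also omit a protocol that ends up enabled, which would silently skip the warning, so that is worth confirming. I would reword the comment to `// enabledProtocols is null until the endpoint is bound (e.g. bindOnInit="false"); fall back to the configured protocols, which may report TLSv1.3 even if it is not actually enabled`. The enclosing method starts and ends outside the hunk.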
@@ -105,6 +105,15 @@ issues do not "pop up" wrt. others). --> <section name="Tomcat 9.0.63 (remm)" rtext="in development"> + <subsection name="Catalina"> + <changelog> + <fix> + <bug>65991</bug>: Avoid NPE with <code>SSLAuthenticator</code> when + <code>boundOnInit</code> is used on a connector, during the check + for client certificate authentication availability. (remm) + </fix> + </changelog> + </subsection> </section> <section name="Tomcat 9.0.62 (remm)" rtext="2022-04-01"> <subsection name="Catalina"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org