https://bz.apache.org/bugzilla/show_bug.cgi?id=66035

--- Comment #1 from Remy Maucherat <r...@apache.org> ---
The handshake failed and the session id is accessed through your access logging
pattern.

Looking at the Panama code there could be an optimistic use of the
SSL_get_session call (it would return NULL if there's no session because
handshake failed).

The native code seems to have the same problem, since it does:
    UNREFERENCED(o);
    session = SSL_get_session(ssl_);
    session_id = SSL_SESSION_get_id(session, &len);

While other places do:
    session  = SSL_get_session(ssl_);
    if (session) {
        return SSL_get_time(session);
    } else {
        tcn_ThrowException(e, "ssl session is null");
        return 0;
    }
