https://bz.apache.org/bugzilla/show_bug.cgi?id=69801
Bug ID: 69801
Summary: SIGSEGV during shutdown when using tomcat-native and certificate client auth
Product: Tomcat 10
Version: 10.1.44
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ------
Tomcat Native 2.0.9, APR 1.6.3, OpenSSL 3.1.4, several Tomcat versions in 10.1.4x
setClientAuth in the JNI version of OpenSSLEngine should somehow be guarded against being called during Tomcat shutdown
    private void setClientAuth(ClientAuthMode mode) {
        if (clientMode) {
            return;
        }
        synchronized (this) {
            if (clientAuth == mode) {
                // No need to issue any JNI calls if the mode is the same
                return;
            }
            if (destroyed) {
                // Native context already torn down during shutdown: skip the JNI call
                // (the method is void, so a bare return is used here)
                return;
            }
            switch (mode) {
                case NONE:
                    SSL.setVerify(state.ssl, SSL.SSL_CVERIFY_NONE,
                            certificateVerificationDepth);
                    break;
                // ... (remaining cases omitted in the report)
Because otherwise tcn_ssl_ctxt_t::ctx is null.
For me, a guard in tomcat-native ssl.c::setVerify also works:
    if (c->verify_mode == SSL_CVERIFY_REQUIRE)
        verify |= SSL_VERIFY_PEER_STRICT;
    if ((c->verify_mode == SSL_CVERIFY_OPTIONAL) ||
        (c->verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
        verify |= SSL_VERIFY_PEER;
    if (!c->store) {
        if (c->ctx == NULL) {
            /* SSL_CTX already freed (shutdown): throw instead of dereferencing NULL */
            tcn_ThrowException(e, "context->ctx is null");
            return;
        }
        c->store = SSL_CTX_get_cert_store(c->ctx);
    }
#7  0x00007f719b2dc692 in JVM_handle_linux_signal () from /opt/nps-jdk17.0.16/lib/server/libjvm.so
#8  <signal handler called>
#9  SSL_CTX_get_cert_store (ctx=0x0) at ssl/ssl_lib.c:4565
#10 0x00007f71980e0f4e in Java_org_apache_tomcat_jni_SSL_setVerify (e=0x7f712c005dd0, o=<optimized out>, ssl=140124314928336, level=<optimized out>, depth=10) at src/ssl.c:1181
09:02:49.240 ERROR {catalina-exec-3} [o.a.t.u.n.NioEndpoint] : Error running socket processor
java.lang.Exception: context->ctx is null
    at org.apache.tomcat.jni.SSL.setVerify(Native Method)
    at org.apache.tomcat.util.net.openssl.OpenSSLEngine.setClientAuth(OpenSSLEngine.java:1132)
    at org.apache.tomcat.util.net.openssl.OpenSSLEngine.setWantClientAuth(OpenSSLEngine.java:1107)
    at java.base/javax.net.ssl.SSLEngine.setSSLParameters(SSLEngine.java:1340)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLEngine(AbstractJsseEndpoint.java:163)
    at org.apache.tomcat.util.net.SecureNioChannel.processSNI(SecureNioChannel.java:305)
    at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:154)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1753)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:975)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:493)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
    at java.base/java.lang.Thread.run(Thread.java:842)