https://bz.apache.org/bugzilla/show_bug.cgi?id=69866

            Bug ID: 69866
           Summary: OpenSSLContexts leak across reload through JNI global
                    reference when using truststore
           Product: Tomcat 10
           Version: 10.1.44
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Util
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ------

When using a truststore with the openssl provider,
https://github.com/apache/tomcat/blob/10.1.36/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java#L362
creates a CertificateVerifier (OpenSSLContext$1) and stores it as a global JNI
reference.  The created CertificateVerifier inner class keeps a strong
reference back to the OpenSSLContext itself so this JNI global becomes a leaked
reference chain that persists the OpenSSLContext and prevents it from becoming
unreachable to prompt execution of its cleanable.  That reference chain in a
heap dump:

Class Name                                                                  | Ref. Objects | Shallow Heap | Ref. Shallow Heap | Retained Heap
---------------------------------------------------------------------------------------------------------------------------------------------
org.apache.tomcat.util.net.openssl.OpenSSLContext$1 @ 0x42b04b308 JNI Global|            1 |           16 |                48 |            16
'- this$0 org.apache.tomcat.util.net.openssl.OpenSSLContext @ 0x42b056c50   |            1 |           48 |                48 |         1,200
---------------------------------------------------------------------------------------------------------------------------------------------

For latest on main, the inner CertificateVerifier is changed to a lambda that
creates its own similar strong reference to still cause the same issue:

Class Name                                                                                           | Ref. Objects | Shallow Heap | Ref. Shallow Heap | Retained Heap
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
org.apache.tomcat.util.net.openssl.OpenSSLContext$$Lambda+0x00007f870c142b78 @ 0x4296f2a28 JNI Global|            1 |           16 |                48 |            16
'- arg$1 org.apache.tomcat.util.net.openssl.OpenSSLContext @ 0x4296f1a18                             |            1 |           48 |                48 |         1,200
----------------------------------------------------------------------------------------------------------------------------------------------------------------------

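The retention chain described in this report, reduced to a stand-alone Java program (an added example, not Tomcat code and not from the reporter). A static list stands in for the JNI global reference, and Verifier, TrustState, Context and freedAfterGc are hypothetical names; the second variant shows one possible way to break the chain, a callback that holds only the state it needs.

```java
import java.lang.ref.Cleaner;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.atomic.AtomicBoolean;

public class VerifierLeakDemo {
    interface Verifier { boolean verify(byte[][] chain); }   // hypothetical callback type

    // Stand-in for native code: a JNI global reference is a GC root, like this static list.
    static final List<Verifier> GLOBAL_REFS = new ArrayList<>();
    static final Cleaner CLEANER = Cleaner.create();

    // State the callback needs, split out so it can be held without the context.
    static final class TrustState {
        boolean check(byte[][] chain) { return chain.length > 0; }
    }

    static final class Context {
        private final TrustState trust = new TrustState();
        Context(boolean captureContext, AtomicBoolean freed) {
            // The cleaning action uses only 'freed'; a lambda that never touches
            // 'this' does not capture it, so it cannot pin the Context itself.
            CLEANER.register(this, () -> freed.set(true));
            if (captureContext) {
                // Reads a field through 'this', so the lambda holds the whole Context.
                GLOBAL_REFS.add(chain -> this.trust.check(chain));
            } else {
                TrustState t = trust;
                GLOBAL_REFS.add(t::check);   // holds only the TrustState
            }
        }
    }

    // Drops the only Java reference, then reports whether the cleaning action ran.
    static boolean freedAfterGc(boolean captureContext) throws InterruptedException {
        AtomicBoolean freed = new AtomicBoolean();
        new Context(captureContext, freed);
        for (int i = 0; i < 20 && !freed.get(); i++) {
            System.gc();
            Thread.sleep(50);
        }
        return freed.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("callback captures context: cleaned=" + freedAfterGc(true));
        System.out.println("callback holds trust state only: cleaned=" + freedAfterGc(false));
    }
}
```

While the root still holds a callback that captured the context, the cleaning action cannot run no matter how often the collector runs. System.gc() is only a hint, which is why the second case retries before reporting.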