https://bz.apache.org/bugzilla/show_bug.cgi?id=69939
Bug ID: 69939
Summary: SIGSEGV triggered if a PEM-formatted certificate lacks explicit DH parameters
Product: Tomcat Native
Version: 2.0.12
Hardware: PC
OS: Linux
Status: NEW
Severity: blocker
Priority: P2
Component: Library
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Created attachment 40148
--> https://bz.apache.org/bugzilla/attachment.cgi?id=40148&action=edit
Core dump report from the JVM
Using Tomcat 11.0.15 configured to use PEM-formatted SSL certificates and the
native library, if the certificate file lacks embedded DH (or EC) parameters
the bootup sequence will segfault like so:
---------------
Current thread (0x000073033401b630): JavaThread "main" [_thread_in_native, id=4142, stack(0x000073033825f000,0x000073033835f000) (1024K)]
Stack: [0x000073033825f000,0x000073033835f000], sp=0x000073033835c6d0, free space=1013k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C [libcrypto.so.3+0x1a46d8] EVP_PKEY_is_a+0x8
Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
j org.apache.tomcat.jni.SSLContext.setCertificate(JLjava/lang/String;Ljava/lang/String;Ljava/lang/String;I)Z+0
j org.apache.tomcat.util.net.openssl.OpenSSLContext.addCertificate(Lorg/apache/tomcat/util/net/SSLHostConfigCertificate;)V+113
j org.apache.tomcat.util.net.openssl.OpenSSLContext.init([Ljavax/net/ssl/KeyManager;[Ljavax/net/ssl/TrustManager;Ljava/security/SecureRandom;)V+229
j org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(Ljava/util/List;)Lorg/apache/tomcat/util/net/SSLContext;+16
j org.apache.tomcat.util.net.AbstractEndpoint.createSSLContext(Lorg/apache/tomcat/util/net/SSLHostConfig;)V+104
j org.apache.tomcat.util.net.AbstractEndpoint.initialiseSsl()V+54
j org.apache.tomcat.util.net.NioEndpoint.bind()V+17
j org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup()V+1
j org.apache.tomcat.util.net.AbstractEndpoint.init()V+8
j org.apache.coyote.AbstractProtocol.init()V+169
j org.apache.coyote.http11.AbstractHttp11Protocol.init()V+57
j org.apache.catalina.connector.Connector.initInternal()V+159
j org.apache.catalina.util.LifecycleBase.init()V+29
j org.apache.catalina.core.StandardService.initInternal()V+104
j org.apache.catalina.util.LifecycleBase.init()V+29
j org.apache.catalina.core.StandardServer.initInternal()V+79
j org.apache.catalina.util.LifecycleBase.init()V+29
j org.apache.catalina.startup.Catalina.load()V+78
j org.apache.catalina.startup.Catalina.load([Ljava/lang/String;)V+9
j java.lang.invoke.DirectMethodHandle$Holder.invokeVirtual(Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;)V+11 [email protected]
j java.lang.invoke.LambdaForm$MH+0x000072e92c0cac00.invoke(Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;+52 [email protected]
j java.lang.invoke.Invokers$Holder.invokeExact_MT(Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;+20 [email protected]
j jdk.internal.reflect.DirectMethodHandleAccessor.invokeImpl(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;+55 [email protected]
j jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;+23 [email protected]
j java.lang.reflect.Method.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;+102 [email protected]
j org.apache.catalina.startup.Bootstrap.load([Ljava/lang/String;)V+94
j org.apache.catalina.startup.Bootstrap.main([Ljava/lang/String;)V+314
v ~StubRoutines::call_stub 0x0000730323c17cbf
siginfo: si_signo: 11 (SIGSEGV), si_code: 1 (SEGV_MAPERR), si_addr: 0x0000000000000060
---------------
Adding DH parameters solves the issue. This (apparently undocumented)
requirement breaks backwards compatibility with existing systems.
The code in question appears to have been added as part of 2.0.10.
Either the docs need to reflect and explain that PEM-formatted certificates must
now include embedded DH (or EC) parameters in PEM format as well, or the
requirement should be dropped and DH (or EC) data made optional as it was
before.
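As an added pre-flight check (not part of this report or of Tomcat Native), the following Python lists the PEM block types in a certificate file and flags a file that carries no embedded DH or EC parameters, i.e. the layout the report says makes 2.0.10+ segfault at startup. The sample PEM inputs are constructed placeholders; "DH PARAMETERS" and "EC PARAMETERS" are OpenSSL's standard PEM labels for those blocks.

```python
import re
from typing import Dict, List

# One PEM block: "-----BEGIN <LABEL>-----", body, "-----END <LABEL>-----".
# The backreference (\1) requires the BEGIN and END labels to match, so a
# truncated or mislabelled block is not counted as present.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

# OpenSSL's PEM labels for embedded key-exchange parameters; these are the
# blocks the report says Tomcat Native 2.0.10+ expects alongside the cert.
PARAMETER_LABELS = {"DH PARAMETERS", "EC PARAMETERS"}


def pem_labels(pem_text: str) -> List[str]:
    """Return the label of every well-formed PEM block, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def check_cert_file(pem_text: str) -> Dict[str, object]:
    """Summarise which block types a PEM certificate file carries and whether
    it includes the embedded DH/EC parameters described in the report."""
    labels = pem_labels(pem_text)
    params = sorted(label for label in labels if label in PARAMETER_LABELS)
    return {
        "labels": labels,
        "has_certificate": "CERTIFICATE" in labels,
        "parameter_blocks": params,
        "has_embedded_params": bool(params),
    }


# Constructed sample inputs (the base64 bodies are placeholders, not real data).
CERT_ONLY = (
    "-----BEGIN CERTIFICATE-----\nMIIBconstructedCertBody==\n-----END CERTIFICATE-----\n"
)
CERT_WITH_DH = CERT_ONLY + (
    "-----BEGIN DH PARAMETERS-----\r\nMIIBconstructedDhBody==\r\n-----END DH PARAMETERS-----\r\n"
)

if __name__ == "__main__":
    for name, text in (("cert only", CERT_ONLY), ("cert + DH", CERT_WITH_DH)):
        result = check_cert_file(text)
        status = "ok" if result["has_embedded_params"] else "MISSING DH/EC PARAMETERS"
        print(f"{name}: blocks={result['labels']} -> {status}")
```

Run it against the real certificateFile before upgrading; a "MISSING" result on a file that worked with 2.0.9 matches the configuration that crashes here.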