Posted to dev@tomcat.apache.org by re...@apache.org on 2022/04/05 18:53:31 UTC

[tomcat] branch 8.5.x updated: 65991: Avoid NPE when checking for client cert

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
     new 59c807b0d1 65991: Avoid NPE when checking for client cert
59c807b0d1 is described below

commit 59c807b0d14b64fd3b4bc95674f13febd3a46068
Author: remm <re...@apache.org>
AuthorDate: Tue Apr 5 20:45:59 2022 +0200

    65991: Avoid NPE when checking for client cert
    
    SSLAuthenticator would throw a NPE when boundOnInit was used on one of
    the connectors since enabledProtocols is null until the connector is
    started. Fall back on protocols when that happens (it is what is
    configured, rather than what is actually used, so it's not as good).
---
 java/org/apache/catalina/authenticator/SSLAuthenticator.java | 4 ++++
 webapps/docs/changelog.xml                                   | 9 +++++++++
 2 files changed, 13 insertions(+)

diff --git a/java/org/apache/catalina/authenticator/SSLAuthenticator.java b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
index a406061314..0f6955bee1 100644
--- a/java/org/apache/catalina/authenticator/SSLAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
@@ -198,6 +198,10 @@ public class SSLAuthenticator extends AuthenticatorBase {
             for (SSLHostConfig sslHostConfig : sslHostConfigs) {
                 if (!sslHostConfig.isTls13RenegotiationAvailable()) {
                     String[] enabledProtocols = sslHostConfig.getEnabledProtocols();
+                    if (enabledProtocols == null) {
+                        // Possibly boundOnInit is used, so use the less accurate protocols
+                        enabledProtocols = sslHostConfig.getProtocols().toArray(new String[0]);
+                    }
                     for (String enbabledProtocol : enabledProtocols) {
                         if (Constants.SSL_PROTO_TLSv1_3.equals(enbabledProtocol)) {
                             log.warn(sm.getString("sslAuthenticatorValve.tls13", context.getName(), host.getName(), connector));
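Review bot: The fallback at `enabledProtocols = sslHostConfig.getProtocols().toArray(new String[0]);` makes the TLS 1.3 check run on the configured protocol list, so the `sslAuthenticatorValve.tls13` warning can presumably be logged for a connector whose runtime never enables TLSv1.3, and the log line does not show that it came from the fallback. The in-code comment should state that consequence, for example `// enabledProtocols is null until the connector is started; the configured protocols may list TLSv1.3 even when it is not enabled, so this warning can be a false positive`. It is also worth confirming that `getProtocols()` can never return null, since that is not visible here and would reintroduce the NPE one line later. The enclosing loop and method continue outside the hunk.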
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 10d4d3a57a..9498e8286f 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -105,6 +105,15 @@
   issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 8.5.79 (schultz)" rtext="in development">
+  <subsection name="Catalina">
+    <changelog>
+      <fix>
+        <bug>65991</bug>: Avoid NPE with <code>SSLAuthenticator</code> when
+        <code>boundOnInit</code> is used on a connector, during the check
+        for client certificate authentication availability. (remm)
+      </fix>
+    </changelog>
+  </subsection>
 </section>
 <section name="Tomcat 8.5.78 (markt)" rtext="2022-04-01">
   <subsection name="Catalina">

