Posted to dev@tomcat.apache.org by bu...@apache.org on 2022/04/01 14:55:06 UTC

[Bug 65991] New: NPE in SSLAuthenticator.java:201 if bindOnInit="false"

https://bz.apache.org/bugzilla/show_bug.cgi?id=65991

            Bug ID: 65991
           Summary: NPE in SSLAuthenticator.java:201 if bindOnInit="false"
           Product: Tomcat 9
           Version: 9.0.62
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: michal@josifci.cz
  Target Milestone: -----

When the https connector has bindOnInit="false" set, we are facing NPE in
SSLAuthenticator.java:201 and the webapp cannot start.

01-Apr-2022 16:38:17.047 SEVERE [main] org.apache.catalina.startup.HostConfig.deployWAR Error deploying web application archive [/home/michal/java/tomcat9-nodeA/webapps/upp.war]
        java.lang.IllegalStateException: Error starting child
                at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:729)
                at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:698)
                at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:696)
                at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1024)
                at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1911)
                at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
                at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
                at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
                at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:118)
                at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:825)
                at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:475)
                at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1618)
                at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:319)
                at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
                at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
                at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
                at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:946)
                at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:835)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
                at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1396)
                at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1386)
                at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
                at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
                at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:140)
                at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:919)
                at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:263)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
                at org.apache.catalina.core.StandardService.startInternal(StandardService.java:432)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
                at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:927)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
                at org.apache.catalina.startup.Catalina.start(Catalina.java:772)
                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
                at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.base/java.lang.reflect.Method.invoke(Method.java:566)
                at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:345)
                at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:476)
        Caused by: org.apache.catalina.LifecycleException: Failed to start component [SSLAuthenticator[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/upp]]]
                at org.apache.catalina.util.LifecycleBase.handleSubClassException(LifecycleBase.java:440)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:198)
                at org.apache.catalina.core.StandardPipeline.startInternal(StandardPipeline.java:176)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
                at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5147)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
                at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:726)
                ... 37 more
        Caused by: java.lang.NullPointerException
                at org.apache.catalina.authenticator.SSLAuthenticator.startInternal(SSLAuthenticator.java:201)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
                ... 42 more

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 65991] NPE in SSLAuthenticator.java:201 if bindOnInit="false"

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65991

--- Comment #4 from James Covington <ja...@gmail.com> ---
I had submitted a bug report 65994 which was marked as a duplicate of this. In
my case, I did not have bindOnInit set to false.
My SSL Connector:
<Connector address="0.0.0.0" port="8443" URIEncoding="UTF-8"
         protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
         maxThreads="150" scheme="https"
         keystoreFile="/path/to/ssl.keystore" keystorePass='redacted' keystoreType="JCEKS"
         secure="true"
         truststoreFile="/path/to/ssl.truststore" truststorePass='redacted' truststoreType="JCEKS"
         clientAuth="want" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
         ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
         TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
         TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384"
         maxHttpHeaderSize="32768"
         compression="on"
         compressibleMimeType="text/html, text/xml, text/plain, application/json, application/javascript">
</Connector>

and my context.xml:
<Context>
        <Valve className="org.apache.catalina.authenticator.SSLAuthenticator" securePagesWithPragma="false"/>

In my case, removing the Valve from context.xml also allowed startup to
succeed. Does your fix address this test case?



[Bug 65991] NPE in SSLAuthenticator.java:201 if bindOnInit="false"

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65991

Remy Maucherat <re...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |james.h.covington@gmail.com

--- Comment #1 from Remy Maucherat <re...@apache.org> ---
*** Bug 65994 has been marked as a duplicate of this bug. ***



[Bug 65991] NPE in SSLAuthenticator.java:201 if bindOnInit="false"

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65991

--- Comment #5 from Remy Maucherat <re...@apache.org> ---
You will not get the NPE, but it is up to you to test it.



[Bug 65991] NPE in SSLAuthenticator.java:201 if bindOnInit="false"

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65991

--- Comment #6 from Amit Pande <am...@veritas.com> ---
Hello Remy,

Running into the same issue even without using bindOnInit as mentioned in
comment #4.

This is the connector configuration in use.

<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100"
           allowTrace="false" compressibleMimeType="text/html,text/javascript,text/css"
           compression="on" compressionMinSize="10" connectionTimeout="20000"
           disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192"
           noCompressionUserAgents="gozilla, traviata" port="8443" scheme="https"
           secure="true" useBodyEncodingForURI="true" xpoweredBy="false"
           protocol="Http11NioProtocol">
    <SSLHostConfig certificateVerification="none"
                   ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                            TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
                            TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                            TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
                            TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"
                   honorCipherOrder="true" truststoreFile="" truststorePassword="XXXX">
        <Certificate certificateKeystoreFile="" certificateKeystorePassword="XXXX" />
    </SSLHostConfig>
</Connector>

---

I see this in logs -

        Caused by: org.apache.catalina.LifecycleException: Failed to start component [SSLAuthenticator[StandardEngine[Catalina].StandardHost[localhost].StandardContext[]]]
                at org.apache.catalina.util.LifecycleBase.handleSubClassException(LifecycleBase.java:440)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:198)
                at org.apache.catalina.core.StandardPipeline.startInternal(StandardPipeline.java:176)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
                at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5147)
                ... 10 more
        Caused by: java.lang.NullPointerException
                at org.apache.catalina.authenticator.SSLAuthenticator.startInternal(SSLAuthenticator.java:201)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
                ... 13 more

Also, any inputs on why this is seen only on Linux and not on Windows?



[Bug 65991] NPE in SSLAuthenticator.java:201 if bindOnInit="false"

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65991

--- Comment #2 from Remy Maucherat <re...@apache.org> ---
Logic was added to detect bad client cert configurations (where the valve would
require renegotiation that cannot be done), but there seems to be a problem.



[Bug 65991] NPE in SSLAuthenticator.java:201 if bindOnInit="false"

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65991

Remy Maucherat <re...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Remy Maucherat <re...@apache.org> ---
I was able to reproduce the problem with bindOnInit="false". The check for the
warning will now use the configured protocols rather than the actually enabled
protocols (which are known only after initializing everything) in that case.
Tomcat 10.1.0-M15, 10.0.21, 9.0.63, 8.5.79 will have the fix.

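
A minimal model of the fix described in comment #3, added here as an illustration and not taken from Tomcat's source. The class HostConfig, its fields and both check methods are hypothetical, and treating TLSv1.3 as the protocol that cannot renegotiate is an assumption the thread does not state.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class ProtocolCheckDemo {
    // Hypothetical stand-in for one TLS host configuration; not Tomcat's SSLHostConfig.
    static class HostConfig {
        final List<String> configured;  // protocols named in the configuration file
        String[] enabled;               // stays null until the endpoint is initialised

        HostConfig(String... configured) { this.configured = Arrays.asList(configured); }

        // Models initialisation: enabled = configured protocols the TLS stack supports.
        void init(List<String> supported) {
            List<String> result = new ArrayList<>(configured);
            result.retainAll(supported);
            enabled = result.toArray(new String[0]);
        }
    }

    // Assumption: TLSv1.3 is the protocol that cannot renegotiate.
    static final String NO_RENEGOTIATION = "TLSv1.3";

    // "Before": reads only the enabled protocols, so it throws on an uninitialised endpoint.
    static boolean warnBefore(HostConfig cfg) {
        for (String protocol : cfg.enabled) {
            if (NO_RENEGOTIATION.equals(protocol)) return true;
        }
        return false;
    }

    // "After": falls back to the configured protocols when nothing is enabled yet.
    static boolean warnAfter(HostConfig cfg) {
        String[] protocols = cfg.enabled;
        if (protocols == null) {
            protocols = cfg.configured.toArray(new String[0]);
        }
        return Arrays.asList(protocols).contains(NO_RENEGOTIATION);
    }

    public static void main(String[] args) {
        HostConfig cfg = new HostConfig("TLSv1.2", "TLSv1.3");  // constructed sample
        try {
            warnBefore(cfg);
        } catch (NullPointerException e) {
            System.out.println("before, not initialised: NullPointerException");
        }
        System.out.println("after, not initialised: warn=" + warnAfter(cfg));
        cfg.init(Arrays.asList("TLSv1.2"));  // constructed case: stack without TLSv1.3
        System.out.println("after, initialised: warn=" + warnAfter(cfg));
    }
}
```

The last two calls give different answers for the same configuration, which is the trade-off of the fallback: before initialisation the check can warn about a protocol the endpoint never ends up enabling.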