Posted to dev@tomcat.apache.org by bu...@apache.org on 2017/03/24 10:50:45 UTC
[Bug 60911] New: NullpointerException in CoyoteAdapter.parseSessionSslId when using secure="true" on ajp-Connector
https://bz.apache.org/bugzilla/show_bug.cgi?id=60911
Bug ID: 60911
Summary: NullpointerException in CoyoteAdapter.parseSessionSslId when using secure="true" on ajp-Connector
Product: Tomcat 7
Version: 7.0.53
Hardware: Other
OS: Linux
Status: NEW
Severity: critical
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: gutacker@online.de
Target Milestone: ---
Prerequisites:
Enable the use of SSLSessionIds on an Apache HTTPD and Tomcat (connected via
AJP protocol with Apache HTTPD as TLS connection endpoint):
1. server.xml
<Connector address="xx.xxx.xxx.xx" port="8009" protocol="AJP/1.3"
redirectPort="8443" enableLookups="false" secure="true" />
2. mod_jk.conf:
JkExtractSSL On
JkSESSIONIndicator SSL_SESSION_ID
Some clients (for example Safari, Internet Explorer 11, curl) are able to issue
GET requests to our application, getting an HTTP 200 response. Some clients
(Firefox 52, Chrome, SoapUI 5.2.1) are getting an HTTP 500 response.
Further investigation shows this stacktrace in our catalina.out log:
Mar 23, 2017 6:45:52 PM org.apache.coyote.ajp.AjpProcessor process
SEVERE: Error processing request
java.lang.NullPointerException
        at org.apache.catalina.connector.CoyoteAdapter.parseSessionSslId(CoyoteAdapter.java:909)
        at org.apache.catalina.connector.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:692)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:403)
        at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:193)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
This is caused by a missing sslsessionId in this code:
request.setRequestedSessionId(request.getAttribute(SSLSupport.SESSION_ID_KEY).toString());
A close look with a debugger shows that the request attribute is not present
and this leads to a NullpointerException because of the toString() method call
on a null value.
Further reading in RFC 5077 section 3.4 (see
https://tools.ietf.org/html/rfc5077#section-3.4) leads us to the conclusion
that the client decides if it wants to include the session id in the request or
not.
Thus the parseSessionSslId method should be aware of the possibility that the
session id might be missing.
I think the code in the parseSessionSslId method should look like this:
// getAttribute() returns Object and may be null when no SSL session ID was supplied
Object sessionId = request.getAttribute(SSLSupport.SESSION_ID_KEY);
request.setRequestedSessionId(sessionId == null ? null : sessionId.toString());
Deeper investigation shows that this problem exists in Tomcat 8 and 9 too.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 60911] NullpointerException in CoyoteAdapter.parseSessionSslId
when using secure="true" on ajp-Connector
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60911
Didier Gutacker <gu...@online.de> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |PatchAvailable, RFC
           Priority|P2                          |P1
[Bug 60911] NullpointerException in CoyoteAdapter.parseSessionSslId
when using secure="true" on ajp-Connector
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60911
Violeta Georgieva <vi...@apache.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
--- Comment #1 from Violeta Georgieva <vi...@apache.org> ---
Hi,
Thanks for the report and the investigation.
The fix was committed in:
- trunk for 9.0.0.M19 onwards
- 8.5.x for 8.5.13 onwards
- 8.0.x for 8.0.43 onwards
- 7.0.x for 7.0.77 onwards
Regards,
Violeta
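
A triage helper for operators, added here as an example and not part of the thread or of Tomcat: it checks a version string against the fixed releases listed in comment #1 and scans a log for NullPointerException records whose top frame is CoyoteAdapter.parseSessionSslId. It assumes the java.util.logging layout shown in the report; the sample log and the com.example.DemoServlet class are constructed.

```python
import math
import re

# Fixed releases per branch, from comment #1 in this thread: (major, minor, patch, milestone).
FIXED = {(7, 0): (7, 0, 77, 0), (8, 0): (8, 0, 43, 0),
         (8, 5): (8, 5, 13, 0), (9, 0): (9, 0, 0, 19)}
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")
JUL_HEADER = re.compile(r"^[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M ")
FRAME = re.compile(r"^\s*at\s+(\S+)\(")

def has_fix(version):
    """True/False for the branches named in the thread, None for anything else."""
    m = VERSION.match(version)
    fixed = FIXED.get((int(m.group(1)), int(m.group(2)))) if m else None
    if fixed is None:
        return None
    # A milestone build (9.0.0.M18) sorts before any final release numbered the same.
    milestone = int(m.group(4)) if m.group(4) else math.inf
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), milestone) >= fixed

def find_npe_records(lines):
    """Return the header line of each record whose NPE was thrown in parseSessionSslId."""
    hits, header, awaiting_top_frame = [], "<no header>", False
    for line in lines:
        if JUL_HEADER.match(line):
            header, awaiting_top_frame = line.strip(), False
        elif line.startswith("java.lang.NullPointerException"):
            awaiting_top_frame = True
        elif awaiting_top_frame:
            frame = FRAME.match(line)
            # Only the top frame is the throw site; deeper frames are callers.
            if frame and frame.group(1).endswith("CoyoteAdapter.parseSessionSslId"):
                hits.append(header)
            awaiting_top_frame = False
    return hits

# Constructed sample in catalina.out layout: one record matching the report, one unrelated NPE.
SAMPLE_LOG = """\
Mar 23, 2017 6:45:52 PM org.apache.coyote.ajp.AjpProcessor process
SEVERE: Error processing request
java.lang.NullPointerException
\tat org.apache.catalina.connector.CoyoteAdapter.parseSessionSslId(CoyoteAdapter.java:909)
\tat org.apache.catalina.connector.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:692)
Mar 23, 2017 6:46:10 PM com.example.DemoServlet doGet
java.lang.NullPointerException
\tat com.example.DemoServlet.doGet(DemoServlet.java:42)
\tat org.apache.catalina.connector.CoyoteAdapter.parseSessionSslId(CoyoteAdapter.java:909)
""".splitlines()
```

A None result from has_fix means the thread says nothing about that branch, not that the build is safe.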