This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push: new 95208c4a14 Fix BZ 67929 - TLS config reload can trigger JVM crash 95208c4a14 is described below commit 95208c4a14cf8fe03518b2c4fbb84060f740589e Author: Mark Thomas <ma...@apache.org> AuthorDate: Thu Nov 2 18:26:01 2023 +0000 Fix BZ 67929 - TLS config reload can trigger JVM crash --- java/org/apache/tomcat/util/net/SSLHostConfig.java | 4 ++-- java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java | 2 +- webapps/docs/changelog.xml | 4 ++++ 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java b/java/org/apache/tomcat/util/net/SSLHostConfig.java index a447c7fec0..9917fe6673 100644 --- a/java/org/apache/tomcat/util/net/SSLHostConfig.java +++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java @@ -73,11 +73,11 @@ public class SSLHostConfig implements Serializable { private String hostName = DEFAULT_SSL_HOST_NAME; - private transient Long openSslConfContext = Long.valueOf(0); + private transient volatile Long openSslConfContext = Long.valueOf(0); // OpenSSL can handle multiple certs in a single config so the reference to // the context is here at the virtual host level. JSSE can't so the // reference is held on the certificate. - private transient Long openSslContext = Long.valueOf(0); + private transient volatile Long openSslContext = Long.valueOf(0); private boolean tls13RenegotiationAvailable = false; diff --git a/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java b/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java index 68a6d2d378..4b7b2a4c70 100644 --- a/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java +++ b/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java @@ -53,7 +53,7 @@ public class SSLHostConfigCertificate implements Serializable { // OpenSSL can handle multiple certs in a single config so the reference to // the context is at the virtual host level. JSSE can't so the reference is // held here on the certificate. - private transient SSLContext sslContext; + private transient volatile SSLContext sslContext; // Common private final SSLHostConfig sslHostConfig; diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 861dc68a28..480626a10f 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -169,6 +169,10 @@ than the combinations supported by the JVM by default. Specifically, support the OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt) </fix> + <fix> + <bug>67927</bug>: Reloading TLS configuration can cause the Connector to + refuse new connections or the JVM to crash. (markt) + </fix> </changelog> </subsection> <subsection name="WebSocket"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org