On Thu, Nov 2, 2023 at 7:37 PM <[email protected]> wrote:
>
> This is an automated email from the ASF dual-hosted git repository.
>
> markt pushed a commit to branch main
> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>
>
> The following commit(s) were added to refs/heads/main by this push:
> new 55e8e599b1 Fix BZ 67929 - TLS config reload can trigger JVM crash
> 55e8e599b1 is described below
>
> commit 55e8e599b17f512ebdab6860237bed6f73096321
> Author: Mark Thomas <[email protected]>
> AuthorDate: Thu Nov 2 18:26:01 2023 +0000
>
> Fix BZ 67929 - TLS config reload can trigger JVM crash
> ---
> java/org/apache/tomcat/util/net/SSLHostConfig.java | 4 ++--
> java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java | 2 +-
> webapps/docs/changelog.xml | 4 ++++
> 3 files changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java
> b/java/org/apache/tomcat/util/net/SSLHostConfig.java
> index a447c7fec0..9917fe6673 100644
> --- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
> +++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
> @@ -73,11 +73,11 @@ public class SSLHostConfig implements Serializable {
>
> private String hostName = DEFAULT_SSL_HOST_NAME;
>
> - private transient Long openSslConfContext = Long.valueOf(0);
> + private transient volatile Long openSslConfContext = Long.valueOf(0);
> // OpenSSL can handle multiple certs in a single config so the reference
> to
> // the context is here at the virtual host level. JSSE can't so the
> // reference is held on the certificate.
> - private transient Long openSslContext = Long.valueOf(0);
> + private transient volatile Long openSslContext = Long.valueOf(0);
I don't understand the purpose of this (in trunk).
This is only used by the manager servlet (as a pseudo boolean) to
display various certificate info, but then the default (when it is 0)
should work fine anyway.
Am I missing anything ?
Rémy
> private boolean tls13RenegotiationAvailable = false;
>
> diff --git a/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
> b/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
> index 68a6d2d378..4b7b2a4c70 100644
> --- a/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
> +++ b/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
> @@ -53,7 +53,7 @@ public class SSLHostConfigCertificate implements
> Serializable {
> // OpenSSL can handle multiple certs in a single config so the reference
> to
> // the context is at the virtual host level. JSSE can't so the reference
> is
> // held here on the certificate.
> - private transient SSLContext sslContext;
> + private transient volatile SSLContext sslContext;
>
> // Common
> private final SSLHostConfig sslHostConfig;
> diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
> index af16534c0d..9ec87f1caf 100644
> --- a/webapps/docs/changelog.xml
> +++ b/webapps/docs/changelog.xml
> @@ -180,6 +180,10 @@
> than the combinations supported by the JVM by default. Specifically,
> support the OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt)
> </fix>
> + <fix>
> + <bug>67927</bug>: Reloading TLS configuration can cause the
> Connector to
> + refuse new connections or the JVM to crash. (markt)
> + </fix>
> </changelog>
> </subsection>
> <subsection name="Jasper">
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
