Bug 51437 - JVM crash when SSL connector is enabled
Summary: JVM crash when SSL connector is enabled
Alias: None
Product: Tomcat Native
Classification: Unclassified
Component: Library (show other bugs)
Version: 1.1.20
Hardware: Other Windows Server 2003
: P2 blocker (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2011-06-27 11:48 UTC by oscar
Modified: 2011-06-30 04:29 UTC (History)
0 users

jvm stack trace (10.04 KB, application/octet-stream)
2011-06-27 11:48 UTC, oscar

Note You need to log in before you can comment on or make changes to this bug.
Description oscar 2011-06-27 11:48:42 UTC
Created attachment 27210 [details]
jvm stack trace


I'm trying to enable SSL on a tomcat 6.0.32 on a windows 2003 server machine with tcnative version 1.20.

When I add the following lines to the server.xml 

    <Connector port="8443" 

It crashes as:

C:\Tomcat 6.0\bin>tomcat6.exe
27-jun-2011 13:45:19 org.apache.catalina.core.AprLifecycleListener init
INFO: Cargada la biblioteca nativa APR de Apache Tomcat 1.1.20
27-jun-2011 13:45:19 org.apache.catalina.core.AprLifecycleListener init
INFO: Capacidades APR: IPv6 [true], enviar fichero [true], aceptar filtros [false], aleatorio [true].
27-jun-2011 13:45:19 org.apache.coyote.http11.Http11AprProtocol init
INFO: Inicializando Coyote HTTP/1.1 en puerto http-8181
# A fatal error has been detected by the Java Runtime Environment:
#  EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x10009890, pid=5300, tid=2620
# JRE version: 6.0_26-b03
# Java VM: Java HotSpot(TM) Client VM (20.1-b02 mixed mode, sharing windows-x86 )
# Problematic frame:
# C  [tcnative-1.dll+0x9890]
# An error report file with more information is saved as:
# C:\Tomcat 6.0\hs_err_pid5300.log
# If you would like to submit a bug report, please visit:
#   http://java.sun.com/webapps/bugreport/crash.jsp
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.

C:\Tomcat 6.0\bin>

It looks an error related to tcnative and SSL.

I attach the complete log.

Thanks a lot.
Comment 1 oscar 2011-06-28 17:19:35 UTC

Is there any new about this bug? a big project is stopped due to this error.

Thanks a lot.
Comment 2 Mladen Turk 2011-06-28 17:30:54 UTC
> SSLCACertificateFile="${catalina.base}/conf/ssl/CA/catcert.pem"

Are you sure this is a correct path?
Usually the file is named cacert.pem not catcert.pem

If you can confirm the typo has caused the crash, it would be a
good starting point in making sure it doesn't happen again.
Comment 3 oscar 2011-06-28 17:33:35 UTC
Yes, I'm sure.

It cames from Catcert (www.catcert.cat) which is our CA entity.

The complete path:

  C:\Tomcat 6.0\conf\ssl\CA\catcert.pem

Thanks a lot for your update.
Comment 4 Mladen Turk 2011-06-28 17:44:20 UTC
Have you tried without setting the SSLCACertificateFile
Also does your presidencia.key requires a password?
Comment 5 oscar 2011-06-29 07:31:42 UTC
Hi Mark, 

I have tried without the SSLCACertificateFile key but system raises the same error at startup.

presidencia.key does not require password.

Note that the certificate I'm using (crt + key + pem) is correctly working on another apache we have in our infraestructure.

Thanks a lot.
Comment 6 Mladen Turk 2011-06-29 07:51:14 UTC
By "another Apache" are you thinking of Apache Tomcat or Apache Http?
And yes, the crash happens before CA file.
If not sensitive can you send me privately those certs, since I newer saw this kind of error.
Comment 7 oscar 2011-06-29 08:00:54 UTC

I meant another apache web server (httpd).

Where can I send to you the certs ?

Thanks a lot.
Comment 8 oscar 2011-06-29 08:03:16 UTC
I have found your email and I have sent to you the certificates.
Comment 9 Mladen Turk 2011-06-29 14:09:12 UTC
You have a wrong certificate format.
It should be PEM not DER like in your case

Convert it to .pem
C:\> openssl x509 -trustout -inform DER -in presidencia.crt -outform PEM -out presidencia.pem

Then use
In your server.xml

However I'll leave this issue open, cause we have some problem in reporting that error.
Eg. it should throw something something like openssl.exe prints out:
c:\>openssl.exe s_server -cert presidencia.crt -key presidencia.key
unable to load certificate
1448:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: TRUSTED CERTIFICATE

Instead crashing the JVM
Comment 10 oscar 2011-06-29 15:12:18 UTC

Transforming certificate into .PEM format makes system work perfectly.

Thanks a lot for your quick response.
Comment 11 Mladen Turk 2011-06-30 04:29:09 UTC
Fix in the SVN.
Like Apache Httpd's mod_ssl, the certificate will be loaded in DER format if PEM format indicates PEM_R_NO_START_LINE