Bug 60911 - NullpointerException in CoyoteAdapter.parseSessionSslId when using secure="true" on ajp-Connector
Summary: NullpointerException in CoyoteAdapter.parseSessionSslId when using secure="tr...
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Connectors (show other bugs)
Version: 7.0.53
Hardware: Other Linux
: P1 critical (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords: PatchAvailable, RFC
Depends on:
Blocks:
 
Reported: 2017-03-24 10:50 UTC by Didier Gutacker
Modified: 2017-03-26 16:53 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Didier Gutacker 2017-03-24 10:50:45 UTC
Prerequisits

enable the use of SSLSessionIds on an Apache HTTPD and tomcat (connected via ajp protocol with Apache HTTPD as TLS connection endpoint):

1. server.xml
 <Connector address="xx.xxx.xxx.xx" port="8009" protocol="AJP/1.3"
               redirectPort="8443" enableLookups="false" secure="true" />

2. mod_jk.conf:

JkExtractSSL On
JkSESSIONIndicator SSL_SESSION_ID

Some clients (for example safari, internet explorer 11, curl) are able to issue get requests to our application getting a http 200 response. Some clients (firefox 52, chrome, SoapUI 5.2.1) are getting a http 500 response.

Further investigation shows this stacktrace in our catalina.out log:
Mar 23, 2017 6:45:52 PM org.apache.coyote.ajp.AjpProcessor process
SEVERE: Error processing request
java.lang.NullPointerException
        at org.apache.catalina.connector.CoyoteAdapter.parseSessionSslId(CoyoteAdapter.java:909)
        at org.apache.catalina.connector.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:692)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:403)
        at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:193)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)

This is caused by a missing sslsessionId in this code:
request.setRequestedSessionId(request.getAttribute(SSLSupport.SESSION_ID_KEY).toString());

A close look with a debugger shows that the request attribute is not present and this leads to a NullpointerException because of the toString() method call on a null value.

Further reading in RFC 5077 section 3.4 (see https://tools.ietf.org/html/rfc5077#section-3.4) leads us to the conclusion that the client decides if it wants to include the session id in the request or not.
Thus the parseSessionSslId method should be aware of the possibility that the session id might be missing.

I think the Code in the parseSessionSslId method should look like this:
String sessionId = request.getAttribute(SSLSupport.SESSION_ID_KEY);
request.setRequestedSessionId(sessionId == null ?  sessionId : sessionId.toString());

Deeper investigation shows that this problem exists in tomcat 8 and 9 too.
Comment 1 Violeta Georgieva 2017-03-26 16:53:41 UTC
Hi,

Thanks for the report and the investigation.
The fix was committed in:
- trunk for 9.0.0.M19 onwards
- 8.5.x for 8.5.13 onwards
- 8.0.x for 8.0.43 onwards
- 7.0.x for 7.0.77 onwards

Regards,
Violeta