Bug 62712 - NPE in Manager TLS connector configuration diagnostics/Certificates
Summary: NPE in Manager TLS connector configuration diagnostics/Certificates
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Manager (show other bugs)
Version: 8.5.34
Hardware: HP HP-UX
: P2 major (vote)
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-09-12 14:56 UTC by Michael Osipov
Modified: 2018-09-12 19:55 UTC (History)
0 users



Attachments
Debugging session in Eclipse (252.45 KB, image/png)
2018-09-12 14:56 UTC, Michael Osipov
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Osipov 2018-09-12 14:56:07 UTC
Created attachment 36146 [details]
Debugging session in Eclipse

When pressing this button, I do get a NPE:

> java.lang.NullPointerException
> 	org.apache.catalina.manager.ManagerServlet.getConnectorCerts(ManagerServlet.java:1814)
> 	org.apache.catalina.manager.HTMLManagerServlet.sslConnectorCerts(HTMLManagerServlet.java:770)
> 	org.apache.catalina.manager.HTMLManagerServlet.doGet(HTMLManagerServlet.java:144)
> 	org.apache.catalina.manager.HTMLManagerServlet.doPost(HTMLManagerServlet.java:227)
> 	javax.servlet.http.HttpServlet.service(HttpServlet.java:661)
> 	javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
> 	org.apache.catalina.filters.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:136)
> 	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
> 	org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:109)

My server.xml is:

> <Connector port="8444" connectionTimeout="20000"
> 	maxHttpHeaderSize="24576" maxThreads="250"
> 	SSLEnabled="true" scheme="https" secure="true"
> 	defaultSSLHostConfigName="@main-host@">
> 	<SSLHostConfig hostName="@main-host@" protocols="TLSv1.2"
> 			honorCipherOrder="true" ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS">
> 			<Certificate certificateFile="/etc/opt/ssl/@main-host@/cert/public.pem"
> 					certificateKeyFile="/etc/opt/ssl/@main-host@/key/private.pem"
> 					certificateKeyPassword="@password@"
> 					type="RSA" />
> 	</SSLHostConfig>
> 	<SSLHostConfig hostName="@alias-host@" protocols="TLSv1.2"
> 			honorCipherOrder="true" ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS">
> 			<Certificate certificateFile="/etc/opt/ssl/@alias-host@/cert/public.pem"
> 					certificateKeyFile="/etc/opt/ssl/@alias-host@/key/private.pem"
> 					certificateKeyPassword="@password@"
> 					type="RSA" />
> 	</SSLHostConfig>
> </Connector>
>

Runtime config is:

> 2018-09-11T11:18:31.570 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Server version:        Apache Tomcat/8.5.34
> 2018-09-11T11:18:31.577 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Sep 4 2018 22:28:22 UTC
> 2018-09-11T11:18:31.577 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Server number:         8.5.34.0
> 2018-09-11T11:18:31.578 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               HP-UX
> 2018-09-11T11:18:31.578 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            B.11.31
> 2018-09-11T11:18:31.578 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          IA64N
> 2018-09-11T11:18:31.578 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /opt/java8/jre
> 2018-09-11T11:18:31.579 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           1.8.0.14-hp-ux-b1
> 2018-09-11T11:18:31.579 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Hewlett Packard Enterprise Company
> 2018-09-11T11:18:31.579 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /var/opt/tomcat-services
> 2018-09-11T11:18:31.580 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /opt/apache-tomcat-8.5.34
> 2018-09-11T11:18:31.580 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/var/opt/tomcat-services/conf/logging.properties
> 2018-09-11T11:18:31.581 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> 2018-09-11T11:18:31.581 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xms256M
> 2018-09-11T11:18:31.581 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xmx512M
> 2018-09-11T11:18:31.582 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xbootclasspath/p:/opt/apache-tomcat-8.5.34/bin/activedirectory-ldap-hack-0.2.1.jar
> 2018-09-11T11:18:31.582 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.awt.headless=true
> 2018-09-11T11:18:31.584 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dfile.encoding=UTF-8
> 2018-09-11T11:18:31.584 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.security.auth.login.config=/opt/apache-tomcat-8.5.34/conf/login.conf
> 2018-09-11T11:18:31.584 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djavax.security.auth.useSubjectCredsOnly=false
> 2018-09-11T11:18:31.585 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.security.krb5.conf=/etc/krb5.conf
> 2018-09-11T11:18:31.585 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Doracle.net.tns_admin=/net/smartld/admin/conf/oracle
> 2018-09-11T11:18:31.585 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Doracle.net.wallet_location=/net/smartld/admin/conf/oracle/wallet
> 2018-09-11T11:18:31.585 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
> 2018-09-11T11:18:31.586 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
> 2018-09-11T11:18:31.586 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=027
> 2018-09-11T11:18:31.586 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER=true
> 2018-09-11T11:18:31.586 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dtomcat.systemEnv=IECMIG
> 2018-09-11T11:18:31.587 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dmail.smtp.host=@mail-server@
> 2018-09-11T11:18:31.587 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dmail.smtp.localhost=@main-host@
> 2018-09-11T11:18:31.587 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.endorsed.dirs=/opt/apache-tomcat-8.5.34/endorsed
> 2018-09-11T11:18:31.588 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/var/opt/tomcat-services
> 2018-09-11T11:18:31.588 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/opt/apache-tomcat-8.5.34
> 2018-09-11T11:18:31.588 INFORMATION [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/var/opt/tomcat-services/temp
> 2018-09-11T11:18:31.589 INFORMATION [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.17] using APR version [1.6.3].
> 2018-09-11T11:18:31.589 INFORMATION [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> 2018-09-11T11:18:31.589 INFORMATION [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [true], useOpenSSL [true]
> 2018-09-11T11:18:31.605 INFORMATION [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.0.2k  26 Jan 2017]
> 2018-09-11T11:18:32.264 INFORMATION [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-apr-8444"]
> 2018-09-11T11:18:32.601 INFORMATION [main] org.apache.catalina.startup.Catalina.load Initialization processed in 2366 ms
> 2018-09-11T11:18:32.669 INFORMATION [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
> 2018-09-11T11:18:32.670 INFORMATION [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.5.34

Please also see the attached screenshot. I assume that the code expects a JKS-based approach while I am using PEM files for OpenSSL.

Are those buttons actually suited for non-JSSE?
Comment 1 Michael Osipov 2018-09-12 14:56:54 UTC
The same happens for Trusted Certificates.
Comment 2 Mark Thomas 2018-09-12 16:37:44 UTC
It is the APR connector it doesn't like. Neither NIO+JSSE and NIO+OpenSSL trigger an NPE in this case. It happens in 9.0.x as well. Investigating...
Comment 3 Michael Osipov 2018-09-12 19:29:16 UTC
The same issue applies to the button below the one mentioned. Shall I spawn a new ticket for that?
Comment 4 Mark Thomas 2018-09-12 19:42:26 UTC
No need. I'll have it patched shortly.
Comment 5 Mark Thomas 2018-09-12 19:49:04 UTC
Thanks for the report.

Fixed in:
- trunk for 9.0.13 onwards
- 8.5.x for 8.5.35 onwards
Comment 6 Michael Osipov 2018-09-12 19:55:52 UTC
(In reply to Mark Thomas from comment #5)
> Thanks for the report.
> 
> Fixed in:
> - trunk for 9.0.13 onwards
> - 8.5.x for 8.5.35 onwards

Charming, thanks!