Bug 65991 - NPE in SSLAuthenticator.java:201 if bindOnInit="false"
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Connectors
Version: 9.0.62
Hardware: PC Linux
Importance: P2 normal
Assignee: Tomcat Developers Mailing List
Duplicates: 65994
Reported: 2022-04-01 14:55 UTC by Michal Josifek
Modified: 2022-04-11 18:40 UTC (History)
Description Michal Josifek 2022-04-01 14:55:06 UTC
When the https connector has bindOnInit="false" set, we are facing NPE in SSLAuthenticator.java:201 and the webapp cannot start.

01-Apr-2022 16:38:17.047 SEVERE [main] org.apache.catalina.startup.HostConfig.deployWAR Error deploying web application archive [/home/michal/java/tomcat9-nodeA/webapps/upp.war]
	java.lang.IllegalStateException: Error starting child
		at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:729)
		at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:698)
		at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:696)
		at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1024)
		at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1911)
		at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
		at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
		at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
		at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:118)
		at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:825)
		at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:475)
		at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1618)
		at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:319)
		at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
		at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
		at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
		at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:946)
		at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:835)
		at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
		at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1396)
		at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1386)
		at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
		at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
		at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:140)
		at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:919)
		at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:263)
		at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
		at org.apache.catalina.core.StandardService.startInternal(StandardService.java:432)
		at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
		at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:927)
		at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
		at org.apache.catalina.startup.Catalina.start(Catalina.java:772)
		at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
		at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
		at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
		at java.base/java.lang.reflect.Method.invoke(Method.java:566)
		at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:345)
		at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:476)
	Caused by: org.apache.catalina.LifecycleException: Failed to start component [SSLAuthenticator[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/upp]]]
		at org.apache.catalina.util.LifecycleBase.handleSubClassException(LifecycleBase.java:440)
		at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:198)
		at org.apache.catalina.core.StandardPipeline.startInternal(StandardPipeline.java:176)
		at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
		at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5147)
		at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
		at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:726)
		... 37 more
	Caused by: java.lang.NullPointerException
		at org.apache.catalina.authenticator.SSLAuthenticator.startInternal(SSLAuthenticator.java:201)
		at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
		... 42 more
Comment 1 Remy Maucherat 2022-04-05 16:08:51 UTC
*** Bug 65994 has been marked as a duplicate of this bug. ***
Comment 2 Remy Maucherat 2022-04-05 16:10:04 UTC
Logic was added to detect bad client cert configurations (where the valve would require renegotiation that cannot be done), but there seems to be a problem.
Comment 3 Remy Maucherat 2022-04-06 08:42:03 UTC
I was able to reproduce the problem with bindOnInit="false". The check for the warning will now use the configured protocols rather than the actually enabled protocols (which are known only after initializing everything) in that case. Tomcat 10.1.0-M15, 10.0.21, 9.0.63, 8.5.79 will have the fix.
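The fallback described in comment 3, sketched as an added example that is not part of the original thread and is not Tomcat's source. `HostConfig`, `bind` and the two check methods are hypothetical names, and the example assumes the protocol being checked for is TLSv1.3, which has no renegotiation.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

public class ProtocolCheckDemo {
    /** Hypothetical stand-in for a TLS host configuration (not Tomcat's class). */
    static final class HostConfig {
        final Set<String> configured;  // parsed from configuration, always present
        String[] enabled;              // stays null until the endpoint is bound

        HostConfig(String... configured) {
            this.configured = new LinkedHashSet<>(Arrays.asList(configured));
        }

        // Binding narrows the configured list to what the runtime supports.
        void bind(Set<String> runtimeSupported) {
            enabled = configured.stream()
                    .filter(runtimeSupported::contains)
                    .toArray(String[]::new);
        }
    }

    /** Unguarded check: throws NullPointerException if called before bind(). */
    static boolean warnsUnguarded(HostConfig cfg) {
        for (String p : cfg.enabled) {
            if ("TLSv1.3".equals(p)) return true;
        }
        return false;
    }

    /** Guarded check: falls back to the configured protocols when unbound. */
    static boolean warnsGuarded(HostConfig cfg) {
        String[] protocols = cfg.enabled != null
                ? cfg.enabled
                : cfg.configured.toArray(new String[0]);
        return Arrays.asList(protocols).contains("TLSv1.3");
    }

    public static void main(String[] args) {
        HostConfig cfg = new HostConfig("TLSv1.2", "TLSv1.3");  // constructed sample
        try {
            warnsUnguarded(cfg);
        } catch (NullPointerException e) {
            System.out.println("unguarded check before bind: NullPointerException");
        }
        System.out.println("guarded check before bind: " + warnsGuarded(cfg));
        cfg.bind(Set.of("TLSv1.2"));  // runtime without TLSv1.3 (constructed)
        System.out.println("guarded check after bind:  " + warnsGuarded(cfg));
    }
}
```

Before binding, the guarded check answers from configuration alone, so it can warn about a protocol that the runtime later turns out not to enable.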
Comment 4 James Covington 2022-04-06 12:31:43 UTC
I had submitted a bug report 65994 which was marked as a duplicate of this. In my case, I did not have bindOnInit set to false.
My SSL Connector:
<Connector address="0.0.0.0" port="8443" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
         maxThreads="150" scheme="https" keystoreFile="/path/to/ssl.keystore" keystorePass='redacted' keystoreType="JCEKS"
         secure="true" truststoreFile="/path/to/ssl.truststore" truststorePass='redacted' truststoreType="JCEKS"
         clientAuth="want" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
         TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
         TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384"
         maxHttpHeaderSize="32768"
         compression="on" compressibleMimeType="text/html, text/xml, text/plain, application/json, application/javascript">
</Connector>

and my context.xml:
<Context>
        <Valve className="org.apache.catalina.authenticator.SSLAuthenticator" securePagesWithPragma="false"/>

In my case, removing the Valve from context.xml also allowed startup to succeed. Does your fix address this test case?
Comment 5 Remy Maucherat 2022-04-06 13:09:09 UTC
You will not get the NPE, but it is up to you to test it.
Comment 6 Amit Pande 2022-04-11 18:40:03 UTC
Hello Remy,

Running into the same issue even without using bindOnInit as mentioned in comment #4.

This is the connector configuration in use.

<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" allowTrace="false" compressibleMimeType="text/html,text/javascript,text/css" compression="on" compressionMinSize="10" connectionTimeout="20000"  disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" noCompressionUserAgents="gozilla, traviata" port="8443" scheme="https" secure="true" useBodyEncodingForURI="true" xpoweredBy="false" protocol="Http11NioProtocol">
                        <SSLHostConfig certificateVerification="none" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" honorCipherOrder="true" truststoreFile="" truststorePassword="XXXX" >
                                <Certificate certificateKeystoreFile="" certificateKeystorePassword="XXXX" />
                        </SSLHostConfig>
</Connector>

---

I see this in logs -

        Caused by: org.apache.catalina.LifecycleException: Failed to start component [SSLAuthenticator[StandardEngine[Catalina].StandardHost[localhost].StandardContext[]]]
                at org.apache.catalina.util.LifecycleBase.handleSubClassException(LifecycleBase.java:440)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:198)
                at org.apache.catalina.core.StandardPipeline.startInternal(StandardPipeline.java:176)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
                at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5147)
                ... 10 more
        Caused by: java.lang.NullPointerException
                at org.apache.catalina.authenticator.SSLAuthenticator.startInternal(SSLAuthenticator.java:201)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
                ... 13 more

Also, any inputs on why this is seen only on Linux and not on Windows?