[jboss-jira] [JBoss JIRA] (WFCORE-4303) NullPointerException - with SNI configured on IBM JDK 1.8

Jan Stourac (Jira) issues at jboss.org
Wed May 29 06:50:00 EDT 2019


     [ https://issues.jboss.org/browse/WFCORE-4303?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Stourac updated WFCORE-4303:
--------------------------------
    Steps to Reproduce: 
# get and unzip WildFly 15.0.1.Final server
# start it with IBM JDK
{code}
JAVA_HOME=<path_to_ibm_jdk> ./bin/standalone.sh
{code}
# go to WildFly home and prepare keystores:
{code}
keytool -genkeypair -alias default-cert -keyalg RSA -keysize 1024 -validity 365 -keystore standalone/configuration/default.keystore.jks -dname "CN=default" -keypass secret -storepass secret
keytool -genkeypair -alias asterisk-cert -keyalg RSA -keysize 1024 -validity 365 -keystore standalone/configuration/asterisk.keystore.jks -dname "CN=asterisk" -keypass secret -storepass secret
{code}
# start server, connect to CLI and configure SNI mappings:
{code}
/subsystem=elytron/key-store=defaultKS:add(path=default.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-store=asteriskKS:add(path=asterisk.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-manager=defaultKM:add(key-store=defaultKS,algorithm="IbmX509",credential-reference={clear-text=secret})
/subsystem=elytron/key-manager=asteriskKM:add(key-store=asteriskKS,algorithm="IbmX509",credential-reference={clear-text=secret})
/subsystem=elytron/server-ssl-context=defaultSSC:add(key-manager=defaultKM,protocols=["TLSv1.2"])
/subsystem=elytron/server-ssl-context=asteriskSSC:add(key-manager=asteriskKM,protocols=["TLSv1.2"])
/subsystem=elytron/server-ssl-sni-context=sniSSC:add(default-ssl-context=defaultSSC, host-context-map={".*\\.example\\.com"=asteriskSSC})
batch
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=sniSSC)
run-batch
reload
{code}
# try to access any URL on HTTPS listener and see mentioned exception:
{code}
curl https://localhost:8443 -k
{code}


  was:
# get and unzip WildFly server
# start it with IBM JDK
{code}
JAVA_HOME=<path_to_ibm_jdk> ./bin/standalone.sh
{code}
# go to WildFly home and prepare keystores:
{code}
keytool -genkeypair -alias default-cert -keyalg RSA -keysize 1024 -validity 365 -keystore standalone/configuration/default.keystore.jks -dname "CN=default" -keypass secret -storepass secret
keytool -genkeypair -alias asterisk-cert -keyalg RSA -keysize 1024 -validity 365 -keystore standalone/configuration/asterisk.keystore.jks -dname "CN=asterisk" -keypass secret -storepass secret
{code}
# start server, connect to CLI and configure SNI mappings:
{code}
/subsystem=elytron/key-store=defaultKS:add(path=default.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-store=asteriskKS:add(path=asterisk.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-manager=defaultKM:add(key-store=defaultKS,algorithm="IbmX509",credential-reference={clear-text=secret})
/subsystem=elytron/key-manager=asteriskKM:add(key-store=asteriskKS,algorithm="IbmX509",credential-reference={clear-text=secret})
/subsystem=elytron/server-ssl-context=defaultSSC:add(key-manager=defaultKM,protocols=["TLSv1.2"])
/subsystem=elytron/server-ssl-context=asteriskSSC:add(key-manager=asteriskKM,protocols=["TLSv1.2"])
/subsystem=elytron/server-ssl-sni-context=sniSSC:add(default-ssl-context=defaultSSC, host-context-map={".*\\.example\\.com"=asteriskSSC})
batch
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=sniSSC)
run-batch
reload
{code}
# try to access any URL on HTTPS listener and see mentioned exception:
{code}
curl https://localhost:8443 -k
{code}




> NullPointerException - with SNI configured on IBM JDK 1.8
> ---------------------------------------------------------
>
>                 Key: WFCORE-4303
>                 URL: https://issues.jboss.org/browse/WFCORE-4303
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Security
>         Environment: IBM JDK 1.8:
> {code}
> java version "1.8.0_181"
> Java(TM) SE Runtime Environment (build 8.0.5.20 - pxa6480sr5fp20-20180802_01(SR5 FP20))
> IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20180731_393394 (JIT enabled, AOT enabled)
> OpenJ9   - bd23af8
> OMR      - ca1411c
> IBM      - 98805ca)
> JCL - 20180719_01 based on Oracle jdk8u181-b12
> {code}
>            Reporter: Jan Stourac
>            Assignee: Diana Vilkolakova
>            Priority: Major
>
> When running with IBM JDK 1.8, there is an NPE during a request performed against an https-listener which has a 'server-ssl-sni-context' instance configured (when using a standard 'server-ssl-context', no exception is present):
> {code}
> $ curl https://localhost:8443 -k
> curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:8443
> {code}
> related exception in server.log:
> {code}
> 18:23:01,227 ERROR [io.undertow.request.io] (default I/O-6) UT005090: Unexpected failure: java.lang.NullPointerException
> 	at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:772)
> 	at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
> 	at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
> 	at io.undertow.server.protocol.http.AlpnOpenListener$AlpnConnectionListener.handleEvent(AlpnOpenListener.java:348)
> 	at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:305)
> 	at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:64)
> 	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> 	at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
> 	at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
> 	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> 	at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
> 	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> 	at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:131)
> 	at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:612)
> 	at org.xnio.nio.WorkerThread.run(WorkerThread.java:479)
> {code}
> When I switch to OpenSSL provider using
> {code}
> /subsystem=elytron/server-ssl-context=defaultSSC:write-attribute(name=providers,value=openssl)
> {code}
> then the exception disappears.
> ----
> Note: sometimes I can also see a shorter exception stack trace:
> {code}
> 18:17:15,711 ERROR [io.undertow.request.io] (default I/O-2) UT005090: Unexpected failure: java.lang.NullPointerException
> 	at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:772)
> 	at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:648)
> 	at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
> 	at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1136)
> 	at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
> 	at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
> {code}



--
This message was sent by Atlassian Jira
(v7.12.1#712002)
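
A log-triage sketch for the failure signature reported above, added here as an example and not part of the original report or of WildFly/Undertow code. It groups server.log entries with their stack frames and flags UT005090 NullPointerExceptions whose top frame is SslConduit.doUnwrap; the sample log is constructed from the two traces in the report (trimmed) plus two constructed unrelated entries, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the report's two traces (trimmed) plus two unrelated, made-up entries.
SAMPLE_LOG = """\
18:17:15,711 ERROR [io.undertow.request.io] (default I/O-2) UT005090: Unexpected failure: java.lang.NullPointerException
\tat io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:772)
\tat io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:648)
18:20:00,002 INFO  [org.jboss.as] (Controller Boot Thread) constructed unrelated entry
18:23:01,227 ERROR [io.undertow.request.io] (default I/O-6) UT005090: Unexpected failure: java.lang.NullPointerException
\tat io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:772)
\tat io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
18:25:10,500 ERROR [io.undertow.request.io] (default I/O-1) UT005090: Unexpected failure: java.io.IOException
\tat com.example.Constructed.frame(Constructed.java:1)
"""

HEADER = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\]\s+"
    r"\((?P<thread>[^)]*)\)\s+(?P<message>.*)$")
FRAME = re.compile(r"^\s+at\s+(?P<method>[\w.$<>]+)\((?P<file>[^:)]+)(?::(?P<line>\d+))?\)")

def parse_entries(text):
    """Group each log header line with the stack frames that follow it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "frames": []})
        elif entries:
            f = FRAME.match(line)
            if f:
                entries[-1]["frames"].append(f.group("method"))
    return entries

def sni_npe_hits(entries):
    """Entries matching the report's signature: UT005090 + NPE + top frame SslConduit.doUnwrap."""
    return [e for e in entries
            if e["message"].startswith("UT005090:")
            and e["message"].endswith("java.lang.NullPointerException")
            and e["frames"][:1] == ["io.undertow.protocols.ssl.SslConduit.doUnwrap"]]

def summarize(hits):
    """Count hits by calling frame, separating the read-path and handshake-path traces."""
    return Counter(e["frames"][1] if len(e["frames"]) > 1 else "<none>" for e in hits)
```

Each hit corresponds to a TLS connection that failed on the server side, so the counts give a quick measure of how many client requests were dropped while the SNI context was active.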

