WildFly Core / WFCORE-4303

NullPointerException - with SNI configured on IBM JDK 1.8


Details

    • Bug
    • Resolution: Obsolete
    • Major
    • None
    • None
    • Security
    • None
    • Steps to reproduce:
      1. get and unzip WildFly 15.0.1.Final server
      2. start it with IBM JDK
        JAVA_HOME=<path_to_ibm_jdk> ./bin/standalone.sh
        
      3. go to WildFly home and prepare keystores:
        keytool -genkeypair -alias default-cert -keyalg RSA -keysize 1024 -validity 365 -keystore standalone/configuration/default.keystore.jks -dname "CN=default" -keypass secret -storepass secret
        keytool -genkeypair -alias asterisk-cert -keyalg RSA -keysize 1024 -validity 365 -keystore standalone/configuration/asterisk.keystore.jks -dname "CN=asterisk" -keypass secret -storepass secret
        
      4. start server, connect to CLI and configure SNI mappings:
        /subsystem=elytron/key-store=defaultKS:add(path=default.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
        /subsystem=elytron/key-store=asteriskKS:add(path=asterisk.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
        /subsystem=elytron/key-manager=defaultKM:add(key-store=defaultKS,algorithm="IbmX509",credential-reference={clear-text=secret})
        /subsystem=elytron/key-manager=asteriskKM:add(key-store=asteriskKS,algorithm="IbmX509",credential-reference={clear-text=secret})
        /subsystem=elytron/server-ssl-context=defaultSSC:add(key-manager=defaultKM,protocols=["TLSv1.2"])
        /subsystem=elytron/server-ssl-context=asteriskSSC:add(key-manager=asteriskKM,protocols=["TLSv1.2"])
        /subsystem=elytron/server-ssl-sni-context=sniSSC:add(default-ssl-context=defaultSSC, host-context-map={".*\\.example\\.com"=asteriskSSC})
        batch
        /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
        /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=sniSSC)
        run-batch
        reload
        
      5. try to access any URL on HTTPS listener and see mentioned exception:
        curl https://localhost:8443 -k
        

    Description

      When running with IBM JDK 1.8, there is an NPE during a request performed against an https-listener that has a 'server-ssl-sni-context' instance configured (when using a standard 'server-ssl-context', no exception is present):

      $ curl https://localhost:8443 -k
      curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:8443
      

      related exception in server.log:

      18:23:01,227 ERROR [io.undertow.request.io] (default I/O-6) UT005090: Unexpected failure: java.lang.NullPointerException
      	at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:772)
      	at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
      	at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
      	at io.undertow.server.protocol.http.AlpnOpenListener$AlpnConnectionListener.handleEvent(AlpnOpenListener.java:348)
      	at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:305)
      	at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:64)
      	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      	at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
      	at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
      	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      	at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
      	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      	at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:131)
      	at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:612)
      	at org.xnio.nio.WorkerThread.run(WorkerThread.java:479)
      

      When I switch to the OpenSSL provider using

      /subsystem=elytron/server-ssl-context=defaultSSC:write-attribute(name=providers,value=openssl)
      

      then the exception disappears.


      Note: sometimes I can also see a shorter exception stack trace:

      18:17:15,711 ERROR [io.undertow.request.io] (default I/O-2) UT005090: Unexpected failure: java.lang.NullPointerException
      	at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:772)
      	at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:648)
      	at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
      	at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1136)
      	at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
      	at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
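
      The following is an added example, not part of the issue and not WildFly or Elytron code. It models which SSL context a host-context-map like the one in the reproduction steps would pick for a given SNI name, assuming each key is applied as a full-match, case-insensitive regular expression, as the JDK's SNIHostName.createSNIMatcher does. The class name and the sample host names are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIMatcher;

public class SniContextSelection {
    // Mirrors the sniSSC resource from the steps: one regex entry plus a default.
    static final String DEFAULT_CONTEXT = "defaultSSC";
    static final Map<SNIMatcher, String> HOST_CONTEXT_MAP = new LinkedHashMap<>();
    static {
        // Same pattern text as the CLI command; as a regex it reads .*\.example\.com
        HOST_CONTEXT_MAP.put(
                SNIHostName.createSNIMatcher(".*\\.example\\.com"), "asteriskSSC");
    }

    // Returns the name of the context this model selects for the requested host.
    static String select(String sniHost) {
        if (sniHost == null) {
            return DEFAULT_CONTEXT;          // client sent no server_name extension
        }
        SNIHostName name;
        try {
            name = new SNIHostName(sniHost); // rejects empty or malformed names
        } catch (IllegalArgumentException e) {
            return DEFAULT_CONTEXT;          // assumption: unusable names fall back
        }
        for (Map.Entry<SNIMatcher, String> entry : HOST_CONTEXT_MAP.entrySet()) {
            if (entry.getKey().matches(name)) {
                return entry.getValue();     // first matching entry wins
            }
        }
        return DEFAULT_CONTEXT;
    }

    public static void main(String[] args) {
        // Constructed sample names covering the edge cases of the pattern.
        String[] names = {
            "www.example.com",           // one label before .example.com
            "WWW.EXAMPLE.COM",           // SNI matching ignores case
            "a.b.example.com",           // ".*" also spans several labels
            "example.com",               // no leading label, so the "\." cannot match
            "www.example.com.internal",  // full match: trailing labels do not match
            "localhost",
            null                         // no SNI at all
        };
        for (String n : names) {
            System.out.printf("%-26s -> %s%n", n, select(n));
        }
    }
}
```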
      

          People

            dvilkola@redhat.com Diana Krepinska
            jstourac@redhat.com Jan Stourac