JBEAP-12633 (JBoss Enterprise Application Platform)

(7.2.0) NPE when accessing via HttpClientConnection with wrong/bad certificate


      Steps to Reproduce:
      1. Unzip EAP zip archive and start via ./bin/standalone.sh
      2. Prepare keys, keystores and truststores:
        keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret
        keytool -genkeypair -alias client -keyalg RSA -keysize 1024 -validity 365 -keystore client.keystore.jks -dname "CN=client" -keypass secret -storepass secret
        keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore bad.jks -dname "CN=localhost" -keypass secret -storepass secret
        keytool -exportcert  -keystore server.keystore.jks -alias localhost -keypass secret -storepass secret -file server.cer
        keytool -exportcert  -keystore client.keystore.jks -alias client -keypass secret -storepass secret -file client.cer
        keytool -importcert -noprompt -keystore server.truststore.jks -storepass secret -alias client -trustcacerts -file client.cer
        keytool -importcert -noprompt -keystore client.truststore.jks -storepass secret -alias localhost -trustcacerts -file server.cer
        keytool -importkeystore -srckeystore client.keystore.jks -destkeystore client.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass secret -destkeypass secret -srcalias client -destalias client -srcstorepass secret
        keytool -importkeystore -srckeystore server.keystore.jks -destkeystore server.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass secret -destkeypass secret -srcalias localhost -destalias localhost -srcstorepass secret
        
      3. Configure server-side SSL:
        /subsystem=elytron/key-store=twoWayKSserver:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
        /subsystem=elytron/key-store=twoWayTSserver:add(path=server.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
        /subsystem=elytron/key-manager=twoWayKMserver:add(key-store=twoWayKSserver,algorithm="SunX509",credential-reference={clear-text=secret})
        /subsystem=elytron/trust-manager=twoWayTMserver:add(key-store=twoWayTSserver,algorithm="SunX509")
        
        /subsystem=elytron/server-ssl-context=twoWaySSCserver:add(providers=openssl,key-manager=twoWayKMserver,protocols=["TLSv1.2"],trust-manager=twoWayTMserver,need-client-auth=true)
        batch
        /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
        /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=twoWaySSCserver)
        run-batch
        
      4. Prepare client-side SSL:
        /subsystem=elytron/key-store=twoWayKSclient:add(path=client.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
        /subsystem=elytron/key-store=twoWayTSclient:add(path=client.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
        /subsystem=elytron/key-manager=twoWayKMclient:add(key-store=twoWayKSclient,algorithm="SunX509",credential-reference={clear-text=secret})
        /subsystem=elytron/trust-manager=twoWayTMclient:add(key-store=twoWayTSclient,algorithm="SunX509")
        
        /subsystem=elytron/client-ssl-context=twoWaySSCclient:add(providers=openssl,key-manager=twoWayKMclient,protocols=["TLSv1.2"],trust-manager=twoWayTMclient)
        /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=my-socket:add(host=localhost,port=8443)
        /subsystem=undertow/configuration=handler/reverse-proxy=my-proxy:add()
        /subsystem=undertow/configuration=handler/reverse-proxy=my-proxy/host=localhost:add(outbound-socket-binding=my-socket,ssl-context=twoWaySSCclient,scheme=https)
        /subsystem=undertow/server=default-server/host=default-host/location=\/proxy:add(handler=my-proxy)
        reload
        
      5. Import client.p12 certificate into your client
      6. Perform a request to https://localhost:8443/proxy - this should succeed, with no exception in the log
      7. Now let's change the client's certificate to one which the server does not trust:
        /subsystem=elytron/key-store=bad:add(type=JKS,path=bad.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret})
        /subsystem=elytron/key-manager=bad:add(key-store=bad,credential-reference={clear-text=secret})
        /subsystem=elytron/client-ssl-context=twoWaySSCclient:write-attribute(name=key-manager,value=bad)
        reload
        
      8. Perform a request to https://localhost:8443/proxy again and see the exceptions in server.log
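      To make the outcome of steps 6 and 8 observable without a running EAP instance, the following added Go example (not code from the report, from EAP or from Undertow) rebuilds the same trust layout in-process with crypto/tls: a self-signed server certificate, a self-signed client certificate placed in the server's trust set (client.cer in server.truststore.jks), and a second "bad" client certificate with the same CN=localhost but a key the server never trusted (bad.jks). It uses ECDSA P-256 where the keytool commands use RSA 1024, pins TLS 1.2 as the CLI does, and the function names selfSigned, handshake and runScenarios are its own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned stands in for one "keytool -genkeypair" keystore: a fresh key pair
// with a self-signed certificate that also serves as the exported .cer file.
func selfSigned(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{"localhost"}, // Go matches SANs, not the CN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour), // -validity 365
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one two-way TLS 1.2 handshake over loopback: the server trusts only
// trustedClient, the client presents client and trusts only server. nil means both sides finished.
func handshake(server, trustedClient, client tls.Certificate) error {
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(trustedClient.Leaf) // server.truststore.jks
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // need-client-auth=true
		ClientCAs:    clientCAs,
		MaxVersion:   tls.VersionTLS12, // protocols=["TLSv1.2"]
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = c.(*tls.Conn).Handshake()
		}
		srvErr <- err
	}()
	rootCAs := x509.NewCertPool()
	rootCAs.AddCert(server.Leaf) // client.truststore.jks
	cliCfg := &tls.Config{
		// Present the configured certificate even if the server's CA list omits its issuer.
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			return &client, nil
		},
		RootCAs:    rootCAs,
		ServerName: "localhost",
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg) // Dial performs the handshake
	if err != nil {
		return fmt.Errorf("client handshake: %w", err)
	}
	defer conn.Close()
	// The connection is usable only once the server has accepted the client certificate too.
	if err := <-srvErr; err != nil {
		return fmt.Errorf("server handshake: %w", err)
	}
	return nil
}

// runScenarios mirrors steps 6 and 8: a trusted client certificate, then a
// bad.jks stand-in with the same CN but a key the server never trusted.
func runScenarios() (trustedErr, untrustedErr error) {
	server := selfSigned("localhost")
	good := selfSigned("client")
	bad := selfSigned("localhost")
	return handshake(server, good, good), handshake(server, good, bad)
}

func main() {
	trustedErr, untrustedErr := runScenarios()
	fmt.Printf("trusted client cert:   %v\nuntrusted client cert: %v\n", trustedErr, untrustedErr)
}
```

      With the trusted certificate both handshakes complete and handshake returns nil; with the bad.jks stand-in the server rejects the certificate and the client's Dial fails at handshake time, before any request is written. That is the point at which a proxy's outbound client should stop: the traces below show Undertow's write path (HttpRequestConduit.flush) still running after the SSL conduit had already closed the channel.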

      When I configure EAP to use a reverse proxy against itself with a wrong client-side certificate, I can see an NPE in server.log:

      18:27:41,500 ERROR [io.undertow.proxy] (default I/O-2) UT005028: Proxy request to /proxy failed: java.nio.channels.ClosedChannelException
              at io.undertow.client.http.HttpClientConnection$5.handleEvent(HttpClientConnection.java:194)
              at io.undertow.client.http.HttpClientConnection$5.handleEvent(HttpClientConnection.java:173)
              at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
              at org.xnio.StreamConnection.invokeCloseListener(StreamConnection.java:80)
              at org.xnio.Connection.writeClosed(Connection.java:117)
              at io.undertow.protocols.ssl.UndertowSslConnection.writeClosed(UndertowSslConnection.java:145)
              at io.undertow.protocols.ssl.SslConduit.notifyWriteClosed(SslConduit.java:588)
              at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:625)
              at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:713)
              at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:648)
              at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
              at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1100)
              at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
              at org.xnio.nio.WorkerThread.run(WorkerThread.java:571)
      
      18:27:41,501 ERROR [org.xnio.listener] (default I/O-2) XNIO001007: A channel event listener threw an exception: java.lang.NullPointerException
              at io.undertow.client.http.HttpRequestConduit.processWrite(HttpRequestConduit.java:102)
              at io.undertow.client.http.HttpRequestConduit.flush(HttpRequestConduit.java:660)
              at io.undertow.conduits.AbstractFixedLengthStreamSinkConduit.flush(AbstractFixedLengthStreamSinkConduit.java:229)
              at org.xnio.conduits.ConduitStreamSinkChannel.flush(ConduitStreamSinkChannel.java:162)
              at org.xnio.ChannelListeners$14.handleEvent(ChannelListeners.java:413)
              at org.xnio.ChannelListeners$14.handleEvent(ChannelListeners.java:409)
              at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
              at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
              at io.undertow.protocols.ssl.SslConduit$SslWriteReadyHandler.writeReady(SslConduit.java:1227)
              at io.undertow.protocols.ssl.SslConduit$3.run(SslConduit.java:275)
              at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:592)
              at org.xnio.nio.WorkerThread.run(WorkerThread.java:472)
      
      18:27:41,501 ERROR [org.xnio.listener] (default I/O-2) XNIO001007: A channel event listener threw an exception: java.lang.NullPointerException
              at io.undertow.client.http.HttpRequestConduit.processWrite(HttpRequestConduit.java:102)
              at io.undertow.client.http.HttpRequestConduit.flush(HttpRequestConduit.java:660)
              at io.undertow.conduits.AbstractFixedLengthStreamSinkConduit.flush(AbstractFixedLengthStreamSinkConduit.java:229)
              at org.xnio.conduits.ConduitStreamSinkChannel.flush(ConduitStreamSinkChannel.java:162)
              at org.xnio.ChannelListeners$14.handleEvent(ChannelListeners.java:413)
              at org.xnio.ChannelListeners$14.handleEvent(ChannelListeners.java:409)
              at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
              at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
              at io.undertow.protocols.ssl.SslConduit$SslWriteReadyHandler.writeReady(SslConduit.java:1227)
              at io.undertow.protocols.ssl.SslConduit$3.run(SslConduit.java:275)
              at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:592)
              at org.xnio.nio.WorkerThread.run(WorkerThread.java:472)
      

      See 'Steps to Reproduce' to reproduce the issue.

      We should generally avoid NPEs.

              rpelisse@redhat.com Romain Pelisse
              jstourac@redhat.com Jan Stourac
