On 2024/05/15 20:35:08 Michael Osipov wrote:
> On 2024/05/15 14:41:43 Michael Osipov wrote:
> > Good news. I can reproduce on Windows:
> > 15-May-2024 16:40:31.092 INFORMATION [main]
> > org.apache.coyote.AbstractProtocol.init Initialisiere
> > ProtocolHandler["https-openssl-apr-18444"]
> > 15-May-2024 16:40:31.144 WARNUNG [main]
> > org.apache.tomcat.util.net.SSLUtilBase.getEnabled Tomcat interprets the
> > [ciphers] attribute in a manner consistent with the latest OpenSSL
> > development branch. Some of the specified [ciphers] are not supported by
> > the configured SSL engine for this connector (which may use JSSE or an
> > older OpenSSL version) and have been skipped:
> > [[TLS_DH_DSS_WITH_AES_256_GCM_SHA384, TLS_DH_RSA_WITH_AES_256_GCM_SHA384,
> > TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
> > TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_AES_128_CCM_SHA256,
> > TLS_DH_DSS_WITH_AES_128_GCM_SHA256, TLS_DH_RSA_WITH_AES_128_GCM_SHA256,
> > TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
> > TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256]]
> > #
> > # A fatal error has been detected by the Java Runtime Environment:
> > #
> > # EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x0000024928d5cd10,
> > pid=33136, tid=0x00000000000055b8
> > #
> > # JRE version: OpenJDK Runtime Environment (Zulu 8.68.0.21-CA-win64)
> > (8.0_362-b09) (build 1.8.0_362-b09)
> > # Java VM: OpenJDK 64-Bit Server VM (25.362-b09 mixed mode windows-amd64
> > compressed oops)
> > # Problematic frame:
> > # C [tcnative-1.dll+0xccd10]
> > #
> > # Failed to write core dump. Minidumps are not enabled by default on client
> > versions of Windows
> > #
> > # An error report file with more information is saved as:
> > # C:\Temp\apache-tomcat-9.0.89\hs_err_pid33136.log
> > #
> > # If you would like to submit a bug report, please visit:
> > # http://www.azul.com/support/
> > # The crash happened outside the Java Virtual Machine in native code.
> > # See problematic frame for where to report the bug.
> > #
> >
> > I will do a custom build of Tomcat Native and see where it crashes. Stay
> > tuned.
>
> Found the bug: It is either a flaw or uncertainty in OpenSSL. Details follow
> tomorrow.

Details: Reported the issue upstream: https://github.com/openssl/openssl/issues/24416

I will push a temporary fix until upstream properly handles NULL input.

Partially OT: After testing here in and out I am convinced that the code after SSL_CTX_load_verify_locations() absolutely does not do what the author intended. The code block messes up CA certification for client verification with the request DNs for client cert auth. I will report a separate issue because it is unrelated.

Michael