https://bz.apache.org/bugzilla/show_bug.cgi?id=63356

            Bug ID: 63356
           Summary: OCSP_parse_url error while parsing Authority Information Access extension
           Product: Tomcat Native
           Version: 1.2.16
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: Library
          Assignee: dev@tomcat.apache.org
          Reporter: cwill...@blackridge.us
  Target Milestone: ---

We had a customer that could not log into our web application from their browser. The problem occurred during the full handshake between the 2 APR connectors running in 2 separate webapp services in Tomcat: the webui client socket (port 8445) and our rest api server socket (port 8443).

The error below indicates there was a malloc issue while parsing the OCSP entry in the AuthorityInfoAccess extension. The catalina.out file contained this "Handshake failed" message:

Apr 08, 2019 10:59:04 PM org.apache.tomcat.util.net.AprEndpoint setSocketOptions
FINE: Handshake failed: error:27072041:OCSP routines:OCSP_parse_url:malloc failure

There did not appear to be a malloc issue. There was plenty of memory available when I ran top when this problem occurred.

The few tcpdump dumps we have all show that the server port (8443) does a FIN/ACK followed by a RST after it issues a Server Hello Done and receives the client's certificate. There is no alert in the tcpdump.

Note that the log level of this error message is FINE (DEBUG), but for a handshake failure, I would expect a log level of SEVERE (ERROR).

I contacted SafeLogic which handles our openssl package. They said it appears that Tomcat Native retrieves the OCSP url from the Authority Information Access X509 extension using its own parsing routines. It then calls the OpenSSL function OCSP_parse_url with the resulting url. The certificate did not contain an OCSP access entry in its Authority Information Access (AIA) extension. It only contained a CA-Issuers access entry. SafeLogic suspected that for this case Tomcat is passing a NULL url to OCSP_parse_url(), which would result in the above openssl error.

The AIA entry in the certificate is as follows:

Authority Information Access:
    CA Issuers - URI:http://wxyz-dc-01.wxyz.local/pki/WXYZ-DC-01.WXYZ.local_IssuingCA.crt

We compiled libtcnative with OCSP disabled and the customer was able to log into the system in question.

Software Versions:
------------------------
Tomcat 8.5.30
libtcnative-1_1.2.16F with APR FIPS-140 support
openssl 1.0.2n
Java 1.8.0_131
Ubuntu 16.04
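Added example, not code from Tomcat Native or OpenSSL: a small Python walker over a DER-encoded AIA extension value that returns None rather than a URL when the certificate carries only a CA Issuers entry, the case the report describes, so the caller can skip OCSP instead of handing a missing URL to a URL parser. The AIA byte strings and the OCSP responder URI http://ocsp.example.test are constructed for the example.

```python
# Added example, not Tomcat Native/OpenSSL code: walk a DER-encoded AIA value
# and look up the OCSP responder URI, treating "no OCSP entry" as a normal case.
OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                           # base-128 arcs, high bit = more
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def aia_access_locations(der):
    """Map accessMethod OID -> list of URIs found in an AIA extension value."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE of AccessDescription")
    out, pos = {}, 0
    while pos < len(seq):
        _, ad, pos = _read_tlv(seq, pos)         # AccessDescription
        _, oid, p = _read_tlv(ad, 0)             # accessMethod
        t, loc, _ = _read_tlv(ad, p)             # accessLocation (GeneralName)
        if t == 0x86:                            # [6] uniformResourceIdentifier
            out.setdefault(_decode_oid(oid), []).append(loc.decode("ascii"))
    return out

def ocsp_responder_url(der):
    """First OCSP URI, or None when the AIA has only other access methods."""
    urls = aia_access_locations(der).get(OID_OCSP)
    return urls[0] if urls else None
# Constructed sample values (short-form DER lengths only; bodies stay < 128 bytes).
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body
def _oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    return _tlv(0x06, bytes([a[0] * 40 + a[1]] + a[2:]))    # all arcs < 128 here
def _access(method, uri):
    return _tlv(0x30, _oid(method) + _tlv(0x86, uri.encode("ascii")))
CA_URI = "http://wxyz-dc-01.wxyz.local/pki/WXYZ-DC-01.WXYZ.local_IssuingCA.crt"
AIA_CA_ONLY = _tlv(0x30, _access(OID_CA_ISSUERS, CA_URI))   # the reporter's case
AIA_WITH_OCSP = _tlv(0x30, _access(OID_CA_ISSUERS, CA_URI) + _access(OID_OCSP, "http://ocsp.example.test"))
```

A caller that does `url = ocsp_responder_url(aia); if url is None: skip OCSP` never reaches the URL parser with an empty value, which is the check the reported failure suggests was missing.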