[
https://issues.apache.org/jira/browse/GEODE-7157?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16921792#comment-16921792
]
John Blum commented on GEODE-7157:
----------------------------------
To make matters worse... this class exposes and uses a {{static}} API, that is
referenced from the {{SocketCreatorFactory}} no less.
Therefore, if an existing GemFire cluster/member lingers at all (because
perhaps it did not shut itself down properly), it is then possible to pollute
the JVM process, especially if the test framework does not "fork" VMs between
test runs (which it should not have to do, either!).
> SSLConfigurationFactory and SSLConfig are NOT Thread-safe!
> ----------------------------------------------------------
>
> Key: GEODE-7157
> URL: https://issues.apache.org/jira/browse/GEODE-7157
> Project: Geode
> Issue Type: Bug
> Components: configuration, core, security
> Reporter: John Blum
> Priority: Critical
>
> {{SSLConfig}} is a "_shared_" object (if you carefully analyze the
> {{SSLConfigurationFactory}} class) and needs to be Thread-safe!!
> {{SSLConfigurationFactory}} does NOT properly guard all access points to the
> (once again) "_shared_" {{registeredSSLConfig}} {{Map}} instance.
> Furthermore, this class also uses an non-Thread-safe {{Map}} implementation
> for {{registeredSSLConfig}}, i.e. {{HashMap}}, to "cache" {{SSLConfig}}
> objects, which is "safe" iff "_all_" access to this "shared"
> {{registeredSSLConfig}} {{Map}} instance is "{{synchronized}}", which it
> isn't (!!) ... e.g. {{SSLConfigurationFactory.close()}}, which subsequently
> calls {{clearSSLConfigForAllComponents()}}, which "_clears_" the
> {{registeredSSLConfig}} {{Map}}. Because it is not properly protected, it is
> possible to see stale state, especially between tests!!!
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
