rawlinp opened a new pull request #5543:
URL: https://github.com/apache/trafficcontrol/pull/5543


   ## What does this PR (Pull Request) do?
   Fixes the following NPE found in the Tomcat logs:
   ```
   18-Feb-2021 01:05:43.142 SEVERE [https-openssl-nio-443-exec-9] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
           java.lang.NullPointerException
                   at com.comcast.cdn.traffic_control.traffic_router.protocol.RouterNioEndpoint.getSSLHostConfig(RouterNioEndpoint.java:127)
                   at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLEngine(AbstractJsseEndpoint.java:110)
                   at org.apache.tomcat.util.net.SecureNioChannel.processSNI(SecureNioChannel.java:333)
                   at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:179)
                   at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1606)
                   at com.comcast.cdn.traffic_control.traffic_router.protocol.RouterNioEndpoint$RouterSocketProcessor.doRun(RouterNioEndpoint.java:156)
                   at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
                   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
                   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
                   at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
                   at java.lang.Thread.run(Thread.java:748)
   ```
   I believe this is mostly just log pollution, because if a given SNI hostname
   doesn't match a valid delivery service certificate (or is null), TR will return
   the default certificate. This should cause TR to return a default certificate
   instead of whatever Tomcat does when it encounters a `NullPointerException`.
   I'm not exactly sure what it does from a client perspective when encountering a
   `NullPointerException`, but not including an SNI in the SSL connection doesn't
   seem like a valid request anyways.
   
   
   ## Which Traffic Control components are affected by this PR?
   - Traffic Router
   
   ## What is the best way to verify this PR?
   Make an HTTPS request to an HTTPS-enabled delivery service URL, ensure that
   TR still accepts and handles the request.
   
   ## If this is a bug fix, what versions of Traffic Control are affected?
   - master
   - 5.1.x
   - 5.0.x
   - 4.1.x
   
   ## The following criteria are ALL met by this PR
   
   - [x] Adding a new test suite for this seems like overkill
   - [x] Bugfix, no docs necessary
   - [x] This PR includes an update to CHANGELOG.md
   - [x] This PR includes any and all required license headers
   - [x] This PR **DOES NOT FIX A SERIOUS SECURITY VULNERABILITY** (see [the 
Apache Software Foundation's security 
guidelines](https://www.apache.org/security/) for details)
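
The following is an added example, not code from this PR or from Traffic Router. It is a simplified model of certificate selection by SNI hostname, showing how a handshake without an SNI hostname can raise a `NullPointerException` in an unguarded lookup and how a null check falls back to the default certificate. The class, method, and hostname values are hypothetical, and the null-key map lookup is an assumed cause chosen for illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Simplified model (not Traffic Router code): certificate selection keyed by SNI hostname.
public class SniCertSelector {
    // Hypothetical alias standing in for the default certificate.
    static final String DEFAULT_CERT = "default";

    // Constructed sample data: SNI hostname -> certificate alias.
    private final Map<String, String> certsByHost = new ConcurrentHashMap<>();

    SniCertSelector() {
        certsByHost.put("video.ds.example.test", "ds-video-cert");
    }

    // Unguarded lookup: ConcurrentHashMap rejects null keys, so a handshake
    // that carries no SNI hostname (sniHostName == null) throws NullPointerException.
    String selectUnguarded(String sniHostName) {
        return certsByHost.get(sniHostName);
    }

    // Guarded lookup: a missing or unmatched SNI hostname gets the default certificate.
    String select(String sniHostName) {
        if (sniHostName == null) {
            return DEFAULT_CERT;
        }
        return certsByHost.getOrDefault(sniHostName, DEFAULT_CERT);
    }

    public static void main(String[] args) {
        SniCertSelector selector = new SniCertSelector();
        // Constructed inputs: a matching hostname, an unknown hostname, and no SNI at all.
        String[] samples = {"video.ds.example.test", "unknown.example.test", null};
        for (String sni : samples) {
            String unguarded;
            try {
                unguarded = String.valueOf(selector.selectUnguarded(sni));
            } catch (NullPointerException e) {
                unguarded = "NullPointerException";
            }
            System.out.println("sni=" + sni
                    + " unguarded=" + unguarded
                    + " guarded=" + selector.select(sni));
        }
    }
}
```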
   

