https://bz.apache.org/bugzilla/show_bug.cgi?id=63356

            Bug ID: 63356
           Summary: OCSP_parse_url error while parsing Authority
                    Information Access extension
           Product: Tomcat Native
           Version: 1.2.16
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: Library
          Assignee: dev@tomcat.apache.org
          Reporter: cwill...@blackridge.us
  Target Milestone: ---

We had a customer that could not log into our web application from their
browser. The problem occurred during the full handshake between the 2 APR
connectors running in 2 separate webapp services in Tomcat: the webui client
socket (port 8445) and our rest api server socket (port 8443). 

The error below indicates there was a malloc issue while parsing the OCSP entry
in the AuthorityInfoAccess extension. The catalina.out file contained this
“Handshake failed” message:

Apr 08, 2019 10:59:04 PM org.apache.tomcat.util.net.AprEndpoint setSocketOptions
FINE: Handshake failed: error:27072041:OCSP routines:OCSP_parse_url:malloc failure

There did not appear to be a malloc issue. There was plenty of memory available
when I ran top when this problem occurred. 

The few tcpdump dumps we have all show that the server port (8443) does a
FIN/ACK followed by a RST after it issues a Server Hello Done and receives the
client’s certificate. There is no alert in the tcpdump. Note that the log level
of this error message is FINE (DEBUG), but for a handshake failure, I would
expect a log level of SEVERE (ERROR).

I contacted SafeLogic which handles our openssl package. They said it appears
that Tomcat Native retrieves the OCSP url from the Authority Information Access
X509 extension using its own parsing routines. It then calls the OpenSSL
function OCSP_parse_url with the resulting url. The certificate did not contain
an OCSP access entry in its Authority Information Access (AIA) extension. It
only contained a CA-Issuers access entry. SafeLogic suspected that for this
case Tomcat is passing a NULL url to OCSP_parse_url(), which would result in
the above openssl error. The AIA entry in the certificate is as follows:

Authority Information Access:
    CA Issuers - URI:http://wxyz-dc-01.wxyz.local/pki/WXYZ-DC-01.WXYZ.local_IssuingCA.crt

We compiled libtcnative with OCSP disabled and the customer was able to log
into the system in question.

Software Versions:
------------------------
Tomcat 8.5.30
libtcnative-1_1.2.16F with APR FIPS-140 support
openssl 1.0.2n
Java 1.8.0_131
Ubuntu 16.04
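An added example, not Tomcat Native's or OpenSSL's code: a small Python DER walker for the AIA extension that treats the absence of an id-ad-ocsp accessDescription as "nothing to check" instead of passing an empty URL on to the OCSP_parse_url step. The sample extension is constructed from the CA Issuers entry quoted above, and parse_ocsp_url is a stand-in for the OpenSSL call, not a binding to it.

```python
# Added example (not Tomcat Native's code): walk an AuthorityInfoAccess value and
# show why assuming an id-ad-ocsp entry exists hands a NULL URL to OCSP_parse_url.
ID_AD_OCSP = bytes.fromhex("2b06010505073001")        # OID 1.3.6.1.5.5.7.48.1 (DER contents)
ID_AD_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # OID 1.3.6.1.5.5.7.48.2

def _tlv(buf, pos):
    """Decode one DER TLV at pos (short or long-form length); return (tag, value, next)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_aia(der):
    """Return [(accessMethod OID contents, URI or None)] from an AuthorityInfoAccessSyntax."""
    tag, seq, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AIA value is not a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        _, ad, pos = _tlv(seq, pos)      # AccessDescription ::= SEQUENCE
        _, oid, p = _tlv(ad, 0)          # accessMethod OBJECT IDENTIFIER
        gtag, loc, _ = _tlv(ad, p)       # accessLocation GeneralName
        out.append((bytes(oid), loc.decode("ascii") if gtag == 0x86 else None))  # [6] URI
    return out

def ocsp_url(der):
    """Only an id-ad-ocsp entry counts; a caIssuers-only AIA (the report's case) gives None."""
    return next((u for o, u in parse_aia(der) if o == ID_AD_OCSP and u), None)

def parse_ocsp_url(url):
    """Stand-in for the OCSP_parse_url() step: refuse a missing URL before parsing it."""
    if url is None:
        raise ValueError("no OCSP responder in AIA; skip OCSP rather than parse a NULL URL")
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    return scheme, host, "/" + path

def _enc(tag, body):
    """Tiny DER encoder (lengths < 256), used only to build the constructed sample."""
    length = bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])
    return bytes([tag]) + length + body

def aia_der(entries):
    """Encode [(OID contents, uri)] pairs as an AuthorityInfoAccessSyntax value."""
    ads = [_enc(0x30, _enc(0x06, o) + _enc(0x86, u.encode("ascii"))) for o, u in entries]
    return _enc(0x30, b"".join(ads))

# Constructed sample mirroring the report: an AIA that carries only a CA Issuers entry.
CA_ISSUERS_ONLY = aia_der([(ID_AD_CA_ISSUERS,
    "http://wxyz-dc-01.wxyz.local/pki/WXYZ-DC-01.WXYZ.local_IssuingCA.crt")])
```

With the sample, ocsp_url() returns None and parse_ocsp_url() refuses it, which is the branch a caller must take before invoking OCSP_parse_url.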
