Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
3.2.5
-
bctls-jdk15on-1.59
-
Unknown
Description
We are going to replace the default (Sun) JSSE provider with the one from BouncyCastle and are running into a NullPointerException when getting the SSLSessionContext from the SSLContext.
The problem occurs in
org.apache.cxf.transport.https.SSLUtils.getSSLContext(TLSParameterBase):73
when trying to set the timeout for the SSL session.
The javadoc of
javax.net.ssl.SSLContext.getClientSessionContext()
states that "[the client session context] may be unavailable in some environments, in which case this method returns null. [...]"
Apparently, this is (in general) not the case for the SunJSSE provider, but the BCJSSE provider needs the SSLContext to be initialized before the client session context is available. So after the call of
javax.net.ssl.SSLContext.init(KeyManager[], TrustManager[], SecureRandom)
which happens further below (line 87), the client session context is not null any more, but it's too late, obviously.
For the BCJSSE provider, setting the session timeout musst happen after the init() of the SSLContext. But a general handling in case of {{getClientSessionContext()}}returning null wouldn't hurt either.