[GEODE-7157] SSLConfigurationFactory and SSLConfig are NOT Thread-safe! - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.12.0
Component/s: configuration, core, security
Labels:
- affects-spring

Description

SSLConfig is a "shared" object (if you carefully analyze the SSLConfigurationFactory class) and needs to be Thread-safe!!

SSLConfigurationFactory does NOT properly guard all access points to the (once again) "shared" registeredSSLConfig Map instance. Furthermore, this class also uses an non-Thread-safe Map implementation for registeredSSLConfig, i.e. HashMap, to "cache" SSLConfig objects, which is "safe" iff "all" access to this "shared" registeredSSLConfig Map instance is "synchronized", which it isn't (!!) ... e.g. SSLConfigurationFactory.close(), which subsequently calls clearSSLConfigForAllComponents(), which "clears" the registeredSSLConfig Map. Because it is not properly protected, it is possible to see stale state, especially between tests!!!

Attachments

Issue Links

links to

GitHub Pull Request #4204

GitHub Pull Request #4283

GitHub Pull Request #4285

Activity

People

Assignee:: Ernest Burghardt

Reporter:: John Blum

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 04/Sep/19 00:00

Updated:: 30/Mar/20 23:33

Resolved:: 06/Nov/19 18:43

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

4h 10m