Details
- Bug
- Status: Closed
- Critical
- Resolution: Fixed
- None
Description
SSLConfig is a "shared" object (if you carefully analyze the SSLConfigurationFactory class) and needs to be Thread-safe!!
SSLConfigurationFactory does NOT properly guard all access points to the (once again) "shared" registeredSSLConfig Map instance. Furthermore, this class also uses a non-Thread-safe Map implementation for registeredSSLConfig, i.e. HashMap, to "cache" SSLConfig objects, which is "safe" iff "all" access to this "shared" registeredSSLConfig Map instance is "synchronized", which it isn't (!!) ... e.g. SSLConfigurationFactory.close(), which subsequently calls clearSSLConfigForAllComponents(), which "clears" the registeredSSLConfig Map. Because it is not properly protected, it is possible to see stale state, especially between tests!!!
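The pattern described above, next to one hardened form, as an added example that is not the project's code or its actual fix: `UnsafeCache`, `SafeCache` and `Config` are hypothetical stand-ins for the factory, its `registeredSSLConfig` map and `SSLConfig`. It assumes Java 16+ (records) and an immutable cached value.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

public class SharedConfigCacheExample {
    // Hypothetical immutable stand-in for a cached configuration object.
    record Config(String component, long createdNanos) {}

    // Shape of the reported bug: HashMap, lookups locked, close() not locked.
    static class UnsafeCache {
        private final Map<String, Config> registered = new HashMap<>();
        synchronized Config get(String component) {
            return registered.computeIfAbsent(component, c -> new Config(c, System.nanoTime()));
        }
        // Unguarded: races with get() and gives other threads no visibility guarantee.
        void close() { registered.clear(); }
    }

    // Hardened form: every access path goes through a thread-safe map.
    static class SafeCache {
        private final Map<String, Config> registered = new ConcurrentHashMap<>();
        Config get(String component) {
            return registered.computeIfAbsent(component, c -> new Config(c, System.nanoTime()));
        }
        void close() { registered.clear(); }
        int size() { return registered.size(); }
    }

    public static void main(String[] args) throws InterruptedException {
        SafeCache cache = new SafeCache();
        ExecutorService pool = Executors.newFixedThreadPool(8);
        for (int t = 0; t < 8; t++) {
            final int id = t;
            pool.submit(() -> {
                for (int i = 0; i < 100_000; i++) {
                    if (id == 0 && i % 1000 == 0) cache.close(); // simulated test teardown
                    else cache.get("component-" + (i % 6));
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(30, TimeUnit.SECONDS);
        cache.close(); // after the final close no thread can observe a leftover entry
        System.out.println("entries after final close: " + cache.size());
    }
}
```

Marking `close()` as `synchronized` in `UnsafeCache` would also close the gap, provided every other method that touches the map takes the same lock.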