SSLHeaderHandler mishandles empty or non-base64 SSL_SESSION_ID header

Solution Unverified - Updated -

Issue

  • We have a proxy in front of JBoss terminating HTTPS. It is set up to forward SSL information, and SSLHeaderHandler is enabled on JBoss to intercept these headers. If the SSL_SESSION_ID header is not present, SSLHeaderHandler appears to do nothing.
  • If SSL_SESSION_ID is not a base64-encoded value, SSLHeaderHandler hits a RuntimeException that fails the request:
java.lang.RuntimeException: java.io.IOException: Invalid base64 character encountered: 40
        at io.undertow.server.BasicSSLSessionInfo.base64Decode(BasicSSLSessionInfo.java:136)
        at io.undertow.server.BasicSSLSessionInfo.<init>(BasicSSLSessionInfo.java:84)
        at io.undertow.server.handlers.SSLHeaderHandler.handleRequest(SSLHeaderHandler.java:98)
        at io.undertow.predicate.PredicatesHandler.handleRequest(PredicatesHandler.java:93)
        at org.wildfly.extension.undertow.Host$HostRootHandler.handleRequest(Host.java:293)
        at io.undertow.server.handlers.NameVirtualHostHandler.handleRequest(NameVirtualHostHandler.java:64)
        at io.undertow.server.handlers.error.SimpleErrorPageHandler.handleRequest(SimpleErrorPageHandler.java:76)
        at io.undertow.server.handlers.CanonicalPathHandler.handleRequest(CanonicalPathHandler.java:49)
        at io.undertow.server.handlers.ChannelUpgradeHandler.handleRequest(ChannelUpgradeHandler.java:158)
        at io.undertow.server.handlers.DisallowedMethodsHandler.handleRequest(DisallowedMethodsHandler.java:61)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
        at io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:233)
        at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:131)
        at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:57)
        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
        at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
        at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1122)
        at io.undertow.protocols.ssl.SslConduit$1.run(SslConduit.java:166)
        at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
        at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
Caused by: java.io.IOException: Invalid base64 character encountered: 40
        at io.undertow.util.FlexBase64$Decoder.nextByte(FlexBase64.java:1039)
        at io.undertow.util.FlexBase64$Decoder.nextByte(FlexBase64.java:1013)
        at io.undertow.util.FlexBase64$Decoder.decode(FlexBase64.java:1240)
        at io.undertow.util.FlexBase64$Decoder.decode(FlexBase64.java:1345)
        at io.undertow.util.FlexBase64$Decoder.decode(FlexBase64.java:1411)
        at io.undertow.util.FlexBase64$Decoder.access$500(FlexBase64.java:981)
        at io.undertow.util.FlexBase64.decode(FlexBase64.java:305)
        at io.undertow.server.BasicSSLSessionInfo.base64Decode(BasicSSLSessionInfo.java:126)
        ... 19 more
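
The failure above can be caught before it reaches SSLHeaderHandler. The following is an added example, not code from this article or from Undertow: a hypothetical handler, SslSessionIdGuardHandler, that checks the forwarded header with the same FlexBase64 decoder seen in the stack trace and answers 400 on a malformed value. It assumes the handler is installed ahead of SSLHeaderHandler in the handler chain; how it is wired into the server is not shown.

```java
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.FlexBase64;
import io.undertow.util.Headers;
import io.undertow.util.StatusCodes;

import java.io.IOException;

/** Hypothetical guard (not part of Undertow): validates SSL_SESSION_ID before SSLHeaderHandler reads it. */
public final class SslSessionIdGuardHandler implements HttpHandler {

    private final HttpHandler next; // assumed to lead to SSLHeaderHandler

    public SslSessionIdGuardHandler(HttpHandler next) {
        this.next = next;
    }

    @Override
    public void handleRequest(HttpServerExchange exchange) throws Exception {
        String sessionId = exchange.getRequestHeaders().getFirst(Headers.SSL_SESSION_ID);
        // An absent header is passed through untouched, matching the first bullet above.
        if (sessionId != null && !isDecodable(sessionId)) {
            // Reject the request cleanly instead of letting the decode failure
            // surface as the RuntimeException shown in the stack trace.
            exchange.setStatusCode(StatusCodes.BAD_REQUEST);
            exchange.endExchange();
            return;
        }
        next.handleRequest(exchange);
    }

    /** Returns false when FlexBase64 raises the IOException seen as the root cause in the trace. */
    static boolean isDecodable(String value) {
        try {
            FlexBase64.decode(value);
            return true;
        } catch (IOException e) {
            return false;
        }
    }
}
```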

Environment

  • JBoss Enterprise Application Platform (EAP) 7.0.x
  • Undertow
