SSLHeaderHandler mishandles empty or non-base64 SSL_SESSION_ID header
Issue
- We have a proxy in front of JBoss terminating HTTPS. It is set up to forward ssl info and SSLHeaderHandler is enabled on JBoss to intercept these headers. If the SSL_SESSION_ID is not present, SSLHeaderHandler appears to do nothing.
- If SSL_SESSION_ID is not a base64 encoded value, SSLHeaderHandler hits a RuntimeException that fails the request:
java.lang.RuntimeException: java.io.IOException: Invalid base64 character encountered: 40
at io.undertow.server.BasicSSLSessionInfo.base64Decode(BasicSSLSessionInfo.java:136)
at io.undertow.server.BasicSSLSessionInfo.<init>(BasicSSLSessionInfo.java:84)
at io.undertow.server.handlers.SSLHeaderHandler.handleRequest(SSLHeaderHandler.java:98)
at io.undertow.predicate.PredicatesHandler.handleRequest(PredicatesHandler.java:93)
at org.wildfly.extension.undertow.Host$HostRootHandler.handleRequest(Host.java:293)
at io.undertow.server.handlers.NameVirtualHostHandler.handleRequest(NameVirtualHostHandler.java:64)
at io.undertow.server.handlers.error.SimpleErrorPageHandler.handleRequest(SimpleErrorPageHandler.java:76)
at io.undertow.server.handlers.CanonicalPathHandler.handleRequest(CanonicalPathHandler.java:49)
at io.undertow.server.handlers.ChannelUpgradeHandler.handleRequest(ChannelUpgradeHandler.java:158)
at io.undertow.server.handlers.DisallowedMethodsHandler.handleRequest(DisallowedMethodsHandler.java:61)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:233)
at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:131)
at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:57)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1122)
at io.undertow.protocols.ssl.SslConduit$1.run(SslConduit.java:166)
at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
Caused by: java.io.IOException: Invalid base64 character encountered: 40
at io.undertow.util.FlexBase64$Decoder.nextByte(FlexBase64.java:1039)
at io.undertow.util.FlexBase64$Decoder.nextByte(FlexBase64.java:1013)
at io.undertow.util.FlexBase64$Decoder.decode(FlexBase64.java:1240)
at io.undertow.util.FlexBase64$Decoder.decode(FlexBase64.java:1345)
at io.undertow.util.FlexBase64$Decoder.decode(FlexBase64.java:1411)
at io.undertow.util.FlexBase64$Decoder.access$500(FlexBase64.java:981)
at io.undertow.util.FlexBase64.decode(FlexBase64.java:305)
at io.undertow.server.BasicSSLSessionInfo.base64Decode(BasicSSLSessionInfo.java:126)
... 19 more
- httpd/mod_ssl sets the SSL_SESSION_ID to "(null)" if one is not present, and an SSL_SESSION_ID would not always be expected, especially in the first request, as in "SSL_SESSION_ID does not appear HTTP header in first access". So the SSLHeaderHandler implementation appears to be incorrect.
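As an added example (not code from the page or from Undertow itself), the following handler shows one way to keep a missing, empty, "(null)" or otherwise non-base64 SSL_SESSION_ID header from reaching BasicSSLSessionInfo: it runs in front of SSLHeaderHandler and drops the header when io.undertow.util.FlexBase64.decode, the same routine that throws in the stack trace above, cannot decode it. The wiring at the bottom assumes an embedded Undertow server where the handler chain is built in code; the class name SslSessionIdSanitizer and the root handler name are assumptions.

```java
import java.io.IOException;

import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.SSLHeaderHandler;
import io.undertow.util.FlexBase64;
import io.undertow.util.HeaderMap;
import io.undertow.util.HttpString;

/**
 * Strips an unusable SSL_SESSION_ID header before SSLHeaderHandler
 * constructs BasicSSLSessionInfo from it (assumed helper, not part of Undertow).
 */
public final class SslSessionIdSanitizer implements HttpHandler {

    // Header name read by SSLHeaderHandler (from the page); mod_ssl's sentinel for "no session".
    static final HttpString SSL_SESSION_ID = new HttpString("SSL_SESSION_ID");
    static final String MOD_SSL_NULL = "(null)";

    private final HttpHandler next;

    public SslSessionIdSanitizer(HttpHandler next) {
        this.next = next;
    }

    /** True only if BasicSSLSessionInfo could decode the value without throwing. */
    static boolean isUsableSessionId(String value) {
        if (value == null) {
            return false;
        }
        String v = value.trim();
        if (v.isEmpty() || MOD_SSL_NULL.equals(v)) {
            return false;
        }
        try {
            // Same decoder BasicSSLSessionInfo.base64Decode uses; '(' is 0x28 = 40,
            // which is exactly the "Invalid base64 character encountered: 40" in the trace.
            FlexBase64.decode(v);
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    @Override
    public void handleRequest(HttpServerExchange exchange) throws Exception {
        HeaderMap headers = exchange.getRequestHeaders();
        String sessionId = headers.getFirst(SSL_SESSION_ID);
        if (sessionId != null && !isUsableSessionId(sessionId)) {
            // Remove rather than rewrite: SSLHeaderHandler treats an absent header as "no session id".
            headers.remove(SSL_SESSION_ID);
        }
        next.handleRequest(exchange);
    }

    public static void main(String[] args) {
        // Assumed application handler; replace with the real root handler.
        HttpHandler root = exchange -> exchange.getResponseSender().send("ok");

        // Sanitizer first, then SSLHeaderHandler, then the application.
        HttpHandler chain = new SslSessionIdSanitizer(new SSLHeaderHandler(root));

        // Plain HTTP listener: TLS is terminated at the proxy, which forwards the SSL_* headers.
        Undertow.builder()
                .addHttpListener(8080, "127.0.0.1")
                .setHandler(chain)
                .build()
                .start();
    }
}
```

Because SSLHeaderHandler trusts whatever SSL_* headers arrive, this listener must only be reachable from the TLS-terminating proxy, and the proxy must overwrite (not merely add) those headers so a client cannot supply its own; the sanitizer above only prevents the decode failure, it does not make the headers trustworthy.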
Environment
- JBoss Enterprise Application Platform (EAP) 7.0.x
- Undertow
