When we run performance tests of Weblogic running on Hotspot 7 and attempt to open multiple SSL clients to the server at the same time, the server generates this exception:
<Mar 12, 2012 1:58:13 PM PDT> <Error> <HTTP> <BEA-101083> <Connection failure.
java.lang.NullPointerException
at sun.security.ssl.SSLEngineImpl.getSupportedCipherSuites(SSLEngineImpl.java:1992)
at weblogic.security.SSL.jsseadapter.JaSSLEngine.getSupportedCipherSuites(JaSSLEngine.java:220)
at weblogic.socket.JSSESocket.getSupportedCipherSuites(JSSESocket.java:115)
at weblogic.servlet.provider.WlsSecurityProvider.getSSLAttributes(WlsSecurityProvider.java:198)
at weblogic.servlet.internal.VirtualConnection.initSSLAttributes(VirtualConnection.java:163)
The problem is that all SSL engine objects are constructed with the same, default SSL context (from SSLContext.getDefaultInstance()). So we have multiple engines (in multiple threads) executing this code:
return sslContext.getSuportedCipherSuiteList().toStringArray();
With the default sslcontext, that code is not threadsafe:
clearAvailableCache(); // sets supportedCipherSuiteList to null
if (supportedCipherSuiteList == null) {
supportedCipherSuiteList =
getApplicableCipherSuiteList(getSuportedProtocolList(), false);
}
return supportedCipherSuiteList;
So Thread A comes in, tests if the suite list is null; it is not so thread A continues. Now Thread B calls clearAvailableCache() and sets supportedCipherSuiteList to null. Thread A then returns the null variable.