[ https://issues.redhat.com/browse/WFWIP-335?page=com.atlassian.jira.plugin... ]
Farah Juma commented on WFWIP-335:
----------------------------------
[~jstourac] Thanks very much for the detailed information. The comparison failure is due
to a bug in OpenSSL 1.1.1c that prevents the enabled TLS 1.3 cipher suites from being set
properly when no pre-TLSv1.3 cipher suites have been specified. The bug was fixed in
OpenSSL 1.1.1d (see [https://github.com/openssl/openssl/commit/432717135c3f42adc74e0fde49...]).
I've updated {{SslCiphersTest.testAvailableProtocolsWithTLS13CipherSuites}} so that a
pre-TLSv1.3 cipher suite is also configured and the test now passes. With this test fix, I
also don't see the different failure that you hit with JDK 11.0.4.
For WildFly, even when only TLS 1.3 cipher suites are configured by the user, we still set
the pre-TLSv1.3 cipher suites to the default value. This means that WildFly isn't
affected by this bug when running against OpenSSL 1.1.1c (I verified that the
{{TlsTestCase}} from WildFly Core does pass with OpenSSL 1.1.1c).
I think we can resolve this WFWIP issue. WDYT?
Test SslCiphersTest.testAvailableProtocolsWithTLS13CipherSuites fails on RHEL8
------------------------------------------------------------------------------
Key: WFWIP-335
URL: https://issues.redhat.com/browse/WFWIP-335
Project: WildFly WIP
Issue Type: Bug
Components: Security
Reporter: Jan Stourac
Assignee: Farah Juma
Priority: Major
There is a new test failing directly in your PR for the 'wildfly-openssl' project -
[org.wildfly.openssl.SslCiphersTest.testAvailableProtocolsWithTLS13CipherS...].
I encountered this failure on RHEL8 with OpenSSL 1.1.1c installed:
{code:title=ComparisonFailure}
testAvailableProtocolsWithTLS13CipherSuites(org.wildfly.openssl.SslCiphersTest) Time elapsed: 0.112 sec <<< FAILURE!
org.junit.ComparisonFailure: expected:<TLS_[AES_256_GCM_SHA384]> but was:<TLS_[CHACHA20_POLY1305_SHA256]>
at org.junit.Assert.assertEquals(Assert.java:123)
at org.junit.Assert.assertEquals(Assert.java:145)
at org.wildfly.openssl.SslCiphersTest.testAvailableProtocolsWithTLS13CipherSuites(SslCiphersTest.java:170)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:44)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:41)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:20)
at org.junit.runners.BlockJUnit4ClassRunner.runNotIgnored(BlockJUnit4ClassRunner.java:79)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:71)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:49)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:193)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:52)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:191)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:42)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:184)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:28)
at org.junit.runners.ParentRunner.run(ParentRunner.java:236)
at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:264)
at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:153)
at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:124)
at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:200)
at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:153)
at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:103)
{code}
After some investigation, it looks like this failure is tied to this version of OpenSSL
and does not occur with the newer 1.1.1g version. I also saw another failure with the combination
of OpenJDK 11.0.4 and OpenSSL 1.1.1c:
{code:title=different failure - API incompatibility?}
testAvailableProtocolsWithTLS13CipherSuites(org.wildfly.openssl.SslCiphersTest) Time elapsed: 0.031 sec <<< ERROR!
javax.net.ssl.SSLException: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
at org.wildfly.openssl.OpenSSLEngine.handshake(OpenSSLEngine.java:1129)
at org.wildfly.openssl.OpenSSLEngine.beginHandshakeImplicitly(OpenSSLEngine.java:1071)
at org.wildfly.openssl.OpenSSLEngine.wrap(OpenSSLEngine.java:435)
at java.base/javax.net.ssl.SSLEngine.wrap(SSLEngine.java:479)
at org.wildfly.openssl.OpenSSLSocket.runHandshake(OpenSSLSocket.java:305)
at org.wildfly.openssl.OpenSSLSocket.write(OpenSSLSocket.java:509)
at org.wildfly.openssl.OpenSSLSocket.write(OpenSSLSocket.java:555)
at org.wildfly.openssl.OpenSSLOutputStream.write(OpenSSLOutputStream.java:51)
at org.wildfly.openssl.SslCiphersTest.testAvailableProtocolsWithTLS13CipherSuites(SslCiphersTest.java:159)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:44)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:41)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:20)
at org.junit.runners.BlockJUnit4ClassRunner.runNotIgnored(BlockJUnit4ClassRunner.java:79)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:71)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:49)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:193)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:52)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:191)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:42)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:184)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:28)
at org.junit.runners.ParentRunner.run(ParentRunner.java:236)
at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:264)
at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:153)
at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:124)
at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:200)
at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:153)
at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:103)
{code}
Here is a summary, see:
{quote}
OpenJDK 11.0.4 + OpenSSL 1.1.1c = fail - different failure - some API incompatibility???
OpenJDK 11.0.4 + OpenSSL 1.1.1g = pass
OpenJDK 11.0.6 + OpenSSL 1.1.1c = ComparisonFailure as mentioned above
OpenJDK 11.0.6 + OpenSSL 1.1.1g = pass
OpenJDK 11.0.8 + OpenSSL 1.1.1c = ComparisonFailure as mentioned above
OpenJDK 11.0.8 + OpenSSL 1.1.1g = pass
{quote}
This basically means that newer OpenSSL works okay, although this may still be a problem for
customers of RHEL8 until OpenSSL there is updated.
I'm not sure whether this test failure may have any real bad effect on customers; still, I
wanted to point this out here.