[JBoss JIRA] (WFLY-10812) Some security tests fail on closed channel exception
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/WFLY-10812?page=com.atlassian.jira.plugin... ]
Jan Kalina commented on WFLY-10812:
-----------------------------------
UndertowTwoWaySslNeedClientAuthTestCase: issue similar to WFCORE-3171 - SSLException is ok
> Some security tests fail on closed channel exception
> ----------------------------------------------------
>
> Key: WFLY-10812
> URL: https://issues.jboss.org/browse/WFLY-10812
> Project: WildFly
> Issue Type: Bug
> Components: Test Suite
> Reporter: Richard Opalka
> Assignee: Jan Kalina
> Priority: Blocker
> Fix For: 14.0.0.CR1
>
>
> With latest JDK11 (build 11-ea+25) the following tests fail due to closed channel exception: modified:
> * testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/loginmodules/LdapExtLikeAdvancedLdapLMTestCase.java
> * testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/loginmodules/LdapExtLoginModuleTestCase.java
> * testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/loginmodules/LdapLoginModuleTestCase.java
> * testsuite/integration/elytron/src/test/java/org/wildfly/test/integration/elytron/ssl/UndertowTwoWaySslNeedClientAuthTestCase.java
> * testsuite/integration/iiop/src/test/java/org/jboss/as/test/iiopssl/basic/IIOPSslInvocationTestCase.java
> * testsuite/integration/manualmode/src/test/java/org/jboss/as/test/manualmode/security/OutboundLdapConnectionClientCertTestCase.java
> * testsuite/integration/manualmode/src/test/java/org/jboss/as/test/manualmode/security/OutboundLdapConnectionTestCase.java
> * testsuite/integration/manualmode/src/test/java/org/jboss/as/test/manualmode/web/ssl/CertificateRolesLoginModuleTestCase.java
> * testsuite/integration/manualmode/src/test/java/org/jboss/as/test/manualmode/web/ssl/DatabaseCertLoginModuleTestCase.java
> * testsuite/integration/manualmode/src/test/java/org/jboss/as/test/manualmode/web/ssl/HTTPSWebConnectorTestCase.java
> * testsuite/integration/ws/src/test/java/org/jboss/as/test/integration/ws/wsse/trust/WSTrustTestCase.java
> Is there a known SSL issue in JDK11? Could somebody from our security team investigate this issue?
> When these tests will start passing WF test suite will be passing 100% of tests on JDK11.
> Potential investigator from our security team may want to include this PR:
> https://github.com/wildfly/wildfly/pull/11499
> to fix known JDK11 issues.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 11 months
[JBoss JIRA] (WFWIP-12) [Artemis upgrade] Output of CLI operations in messaging subsystem's server changed from 7.1
by Martyn Taylor (JIRA)
[ https://issues.jboss.org/browse/WFWIP-12?page=com.atlassian.jira.plugin.s... ]
Martyn Taylor resolved WFWIP-12.
--------------------------------
Resolution: Done
> [Artemis upgrade] Output of CLI operations in messaging subsystem's server changed from 7.1
> -------------------------------------------------------------------------------------------
>
> Key: WFWIP-12
> URL: https://issues.jboss.org/browse/WFWIP-12
> Project: WildFly WIP
> Issue Type: Bug
> Components: Artemis
> Reporter: Martin Styk
> Assignee: Jeff Mesnil
> Priority: Blocker
> Labels: activemq, feature-branch-blocker
> Original Estimate: 2 hours
> Time Spent: 2 hours
> Remaining Estimate: 0 minutes
>
> Output of CLI operations in messaging subsystem's server element changed and it is is missing some attributes it used to display in EAP 7.1.
> _Affected operations_
> *list-all-consumers-as-json* and *list-consumers-as-json*
> Missing attributes
> * destinationName
> * destinationType
> * durable
> {noformat:title="7.1.0.GA"}
> Result list-all-consumers-as-json{"outcome" => "success","result" => "[{\"consumerID\":0,\"connectionID\":\"-733935378\",\"sessionID\":\"fede1b60-04e9-11e8-9641-cc3d825a3be2\",\"queueName\":\"testSubscriberClientId-hornetqCliOperations.testSubscriber-hqServerCliOperations\",\"browseOnly\":false,\"creationTime\":1517226368495,\"destinationName\":\"testTopic\",\"destinationType\":\"topic\",\"durable\":true}]"}
> {noformat}
> {noformat:title="Wildfly latest with artemis 2.x"}
> Result list-all-consumers-as-json{"outcome" => "success","result" => "[{\"consumerID\":0,\"connectionID\":\"784f1287\",\"sessionID\":\"f146b48e-04e3-11e8-bb50-cc3d825a3be2\",\"queueName\":\"jms.queue.testQueue\",\"browseOnly\":false,\"creationTime\":1517223768695,\"deliveringCount\":8}]"}
> {noformat}
> *list-connections-as-json*
> Missing attributes
> * clientID
> {noformat:title="7.1.0.GA"}
> "result" => "[{\"connectionID\":\"1343044951\",\"clientAddress\":\"/127.0.0.1:57038\",\"creationTime\":1517303830995,\"clientID\":\"testSubscriberClientId-hornetqCliOperations\"},{\"connectionID\":\"2052915500\",\"clientAddress\":\"/127.0.0.1:57040\",\"creationTime\":1517303831216},{\"connectionID\":\"668896556\",\"clientAddress\":\"/127.0.0.1:57042\",\"creationTime\":1517303831210},{\"connectionID\":\"2096792561\",\"clientAddress\":\"/127.0.0.1:57044\",\"creationTime\":1517303831223,\"clientID\":\"testPublisherClientId\"}]"
> {noformat}
> {noformat:title="Wildfly latest with artemis 2.x"}
> "result" => "[{\"connectionID\":\"a8842f44\",\"clientAddress\":\"/127.0.0.1:55938\",\"creationTime\":1517298838294,\"implementation\":\"RemotingConnectionImpl\",\"sessionCount\":2},{\"connectionID\":\"c515bc06\",\"clientAddress\":\"/127.0.0.1:55936\",\"creationTime\":1517298837454,\"implementation\":\"RemotingConnectionImpl\",\"sessionCount\":0},{\"connectionID\":\"b9a9153f-0592-11e8-80ff-54ee7547c83e\",\"clientAddress\":\"invm:0\",\"creationTime\":1517298837312,\"implementation\":\"RemotingConnectionImpl\",\"sessionCount\":0},{\"connectionID\":\"fe42578a\",\"clientAddress\":\"/127.0.0.1:55944\",\"creationTime\":1517298838495,\"implementation\":\"RemotingConnectionImpl\",\"sessionCount\":2},{\"connectionID\":\"cde89186\",\"clientAddress\":\"/127.0.0.1:55940\",\"creationTime\":1517298838493,\"implementation\":\"RemotingConnectionImpl\",\"sessionCount\":2},{\"connectionID\":\"480099e7\",\"clientAddress\":\"/127.0.0.1:55942\",\"creationTime\":1517298838495,\"implementation\":\"RemotingConnectionImpl\",\"sessionCount\":2}]"
> {noformat}
> This is compatibility issue, as some scripts may depend on missing attributes. Customer's tooling which used to work with 7.1 may not work now.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 11 months
[JBoss JIRA] (WFWIP-12) [Artemis upgrade] Output of CLI operations in messaging subsystem's server changed from 7.1
by Martyn Taylor (JIRA)
[ https://issues.jboss.org/browse/WFWIP-12?page=com.atlassian.jira.plugin.s... ]
Martyn Taylor commented on WFWIP-12:
------------------------------------
[~jmesnil] [~jbertram] [~mnovak] The upstream PR has been merged. I am closing this as resolved.
> [Artemis upgrade] Output of CLI operations in messaging subsystem's server changed from 7.1
> -------------------------------------------------------------------------------------------
>
> Key: WFWIP-12
> URL: https://issues.jboss.org/browse/WFWIP-12
> Project: WildFly WIP
> Issue Type: Bug
> Components: Artemis
> Reporter: Martin Styk
> Assignee: Jeff Mesnil
> Priority: Blocker
> Labels: activemq, feature-branch-blocker
> Original Estimate: 2 hours
> Time Spent: 2 hours
> Remaining Estimate: 0 minutes
>
> Output of CLI operations in messaging subsystem's server element changed and it is is missing some attributes it used to display in EAP 7.1.
> _Affected operations_
> *list-all-consumers-as-json* and *list-consumers-as-json*
> Missing attributes
> * destinationName
> * destinationType
> * durable
> {noformat:title="7.1.0.GA"}
> Result list-all-consumers-as-json{"outcome" => "success","result" => "[{\"consumerID\":0,\"connectionID\":\"-733935378\",\"sessionID\":\"fede1b60-04e9-11e8-9641-cc3d825a3be2\",\"queueName\":\"testSubscriberClientId-hornetqCliOperations.testSubscriber-hqServerCliOperations\",\"browseOnly\":false,\"creationTime\":1517226368495,\"destinationName\":\"testTopic\",\"destinationType\":\"topic\",\"durable\":true}]"}
> {noformat}
> {noformat:title="Wildfly latest with artemis 2.x"}
> Result list-all-consumers-as-json{"outcome" => "success","result" => "[{\"consumerID\":0,\"connectionID\":\"784f1287\",\"sessionID\":\"f146b48e-04e3-11e8-bb50-cc3d825a3be2\",\"queueName\":\"jms.queue.testQueue\",\"browseOnly\":false,\"creationTime\":1517223768695,\"deliveringCount\":8}]"}
> {noformat}
> *list-connections-as-json*
> Missing attributes
> * clientID
> {noformat:title="7.1.0.GA"}
> "result" => "[{\"connectionID\":\"1343044951\",\"clientAddress\":\"/127.0.0.1:57038\",\"creationTime\":1517303830995,\"clientID\":\"testSubscriberClientId-hornetqCliOperations\"},{\"connectionID\":\"2052915500\",\"clientAddress\":\"/127.0.0.1:57040\",\"creationTime\":1517303831216},{\"connectionID\":\"668896556\",\"clientAddress\":\"/127.0.0.1:57042\",\"creationTime\":1517303831210},{\"connectionID\":\"2096792561\",\"clientAddress\":\"/127.0.0.1:57044\",\"creationTime\":1517303831223,\"clientID\":\"testPublisherClientId\"}]"
> {noformat}
> {noformat:title="Wildfly latest with artemis 2.x"}
> "result" => "[{\"connectionID\":\"a8842f44\",\"clientAddress\":\"/127.0.0.1:55938\",\"creationTime\":1517298838294,\"implementation\":\"RemotingConnectionImpl\",\"sessionCount\":2},{\"connectionID\":\"c515bc06\",\"clientAddress\":\"/127.0.0.1:55936\",\"creationTime\":1517298837454,\"implementation\":\"RemotingConnectionImpl\",\"sessionCount\":0},{\"connectionID\":\"b9a9153f-0592-11e8-80ff-54ee7547c83e\",\"clientAddress\":\"invm:0\",\"creationTime\":1517298837312,\"implementation\":\"RemotingConnectionImpl\",\"sessionCount\":0},{\"connectionID\":\"fe42578a\",\"clientAddress\":\"/127.0.0.1:55944\",\"creationTime\":1517298838495,\"implementation\":\"RemotingConnectionImpl\",\"sessionCount\":2},{\"connectionID\":\"cde89186\",\"clientAddress\":\"/127.0.0.1:55940\",\"creationTime\":1517298838493,\"implementation\":\"RemotingConnectionImpl\",\"sessionCount\":2},{\"connectionID\":\"480099e7\",\"clientAddress\":\"/127.0.0.1:55942\",\"creationTime\":1517298838495,\"implementation\":\"RemotingConnectionImpl\",\"sessionCount\":2}]"
> {noformat}
> This is compatibility issue, as some scripts may depend on missing attributes. Customer's tooling which used to work with 7.1 may not work now.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 11 months
[JBoss JIRA] (WFLY-10795) Non-Elytron SSL configuration won't establish secure channel between worker and balancer
by Radoslav Husar (JIRA)
[ https://issues.jboss.org/browse/WFLY-10795?page=com.atlassian.jira.plugin... ]
Radoslav Husar commented on WFLY-10795:
---------------------------------------
Can you post steps to reproduce and confirm this is still a regression?
> Non-Elytron SSL configuration won't establish secure channel between worker and balancer
> ----------------------------------------------------------------------------------------
>
> Key: WFLY-10795
> URL: https://issues.jboss.org/browse/WFLY-10795
> Project: WildFly
> Issue Type: Bug
> Components: mod_cluster
> Affects Versions: No Release
> Environment: Latest snapshot from ci.wildfly.org
> Reporter: Jan Kašík
> Assignee: Radoslav Husar
> Priority: Blocker
> Fix For: 14.0.0.CR1
>
> Attachments: confs.zip
>
>
> When running scenario, where connection between worker and balancer is secured with SSL, worker fails to register on balancer.
> Worker obviously tries to send INFO commands, though it sends it as a 'plain text' to a secured channel.
> I enabled SSL debugging, and such unsecured-secured communication causes this error:
> {code}
> 09:42:20,456 INFO [stdout] (default I/O-4) Using SSLEngineImpl.
> 09:42:20,458 INFO [stdout] (default I/O-4) Allow unsafe renegotiation: false
> 09:42:20,458 INFO [stdout] (default I/O-4) Allow legacy hello messages: true
> 09:42:20,458 INFO [stdout] (default I/O-4) Is initial handshake: true
> 09:42:20,459 INFO [stdout] (default I/O-4) Is secure renegotiation: false
> 09:42:20,459 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
> 09:42:20,460 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
> 09:42:20,460 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
> 09:42:20,460 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
> 09:42:20,460 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
> 09:42:20,460 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
> 09:42:20,460 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
> 09:42:20,461 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> 09:42:20,461 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> 09:42:20,461 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
> 09:42:20,461 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> 09:42:20,461 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> 09:42:20,461 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
> 09:42:20,461 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
> 09:42:20,479 INFO [stdout] (default I/O-4) default I/O-4, fatal error: 80: problem unwrapping net record
> 09:42:20,480 INFO [stdout] (default I/O-4) javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
> 09:42:20,480 INFO [stdout] (default I/O-4) default I/O-4, SEND TLSv1.2 ALERT: fatal, description = internal_error
> 09:42:20,480 INFO [stdout] (default I/O-4) default I/O-4, WRITE: TLSv1.2 Alert, length = 2
> 09:42:20,480 INFO [stdout] (default I/O-4) default I/O-4, called closeInbound()
> 09:42:20,480 INFO [stdout] (default I/O-4) default I/O-4, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
> 09:42:20,480 INFO [stdout] (default I/O-4) default I/O-4, called closeOutbound()
> 09:42:20,480 INFO [stdout] (default I/O-4) default I/O-4, closeOutboundInternal()
> {code}
> What bothers me, that there are no other errors (bad certificate, CLI error...) in log regarding this. Apart from:
> {code}
> 09:45:42,653 WARN [org.infinispan.topology.ClusterTopologyManagerImpl] (transport-thread--p14-t16) ISPN000197: Error updating cluster member list: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 6 from wildfly-14.0.0.Beta2-SNAPSHOT-2
> at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167)
> at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
> at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
> Suppressed: org.infinispan.util.logging.TraceException
> at org.infinispan.remoting.transport.Transport.invokeRemotely(Transport.java:75)
> at org.infinispan.topology.ClusterTopologyManagerImpl.confirmMembersAvailable(ClusterTopologyManagerImpl.java:525)
> at org.infinispan.topology.ClusterTopologyManagerImpl.updateCacheMembers(ClusterTopologyManagerImpl.java:508)
> at org.infinispan.topology.ClusterTopologyManagerImpl.handleClusterView(ClusterTopologyManagerImpl.java:321)
> at org.infinispan.topology.ClusterTopologyManagerImpl.access$500(ClusterTopologyManagerImpl.java:87)
> at org.infinispan.topology.ClusterTopologyManagerImpl$ClusterViewListener.lambda$handleViewChange$0(ClusterTopologyManagerImpl.java:731)
> at org.infinispan.executors.LimitedExecutor.runTasks(LimitedExecutor.java:175)
> at org.infinispan.executors.LimitedExecutor.access$100(LimitedExecutor.java:37)
> at org.infinispan.executors.LimitedExecutor$Runner.run(LimitedExecutor.java:227)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at org.wildfly.clustering.service.concurrent.ClassLoaderThreadFactory.lambda$newThread$0(ClassLoaderThreadFactory.java:47)
> ... 1 more
> {code}
> Configuration using non-Elytron configuration was possible before, hence this is a regression.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 11 months
[JBoss JIRA] (WFLY-10795) Non-Elytron SSL configuration won't establish secure channel between worker and balancer
by Jan Kašík (JIRA)
[ https://issues.jboss.org/browse/WFLY-10795?page=com.atlassian.jira.plugin... ]
Jan Kašík edited comment on WFLY-10795 at 8/13/18 6:12 AM:
-----------------------------------------------------------
[~rhusar] Thanks for he quick PR! I did some prestesting which didn't go well. During reload which follows adding security realm and its configuration (authentication and server identity), following exception shows up:
{code}
08:42:17,822 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 58) WFLYCTL0013: Operation ("add") failed - address: ([("subsystem" => "modcluster")]): java.lang.IllegalStateException: java.io.IOException: Keystore was tampered with, or password was incorrect
at org.jboss.modcluster.mcmp.impl.JSSESocketFactory.<init>(JSSESocketFactory.java:113)
at org.wildfly.extension.mod_cluster.ProxyConfigurationServiceConfigurator.configure(ProxyConfigurationServiceConfigurator.java:315)
at org.wildfly.extension.mod_cluster.ModClusterSubsystemServiceHandler.installServices(ModClusterSubsystemServiceHandler.java:79)
at org.jboss.as.clustering.controller.AddStepHandler.performRuntime(AddStepHandler.java:179)
at org.jboss.as.controller.AbstractAddStepHandler.performRuntime(AbstractAddStepHandler.java:338)
at org.jboss.as.controller.AbstractAddStepHandler$1.execute(AbstractAddStepHandler.java:159)
at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:999)
at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:743)
at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:467)
at org.jboss.as.controller.ParallelBootOperationStepHandler$ParallelBootTask.run(ParallelBootOperationStepHandler.java:384)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1349)
at java.lang.Thread.run(Thread.java:748)
at org.jboss.threads.JBossThread.run(JBossThread.java:485)
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.jboss.modcluster.mcmp.impl.JSSESocketFactory.getStore(JSSESocketFactory.java:230)
at org.jboss.modcluster.mcmp.impl.JSSESocketFactory.getKeystore(JSSESocketFactory.java:179)
at org.jboss.modcluster.mcmp.impl.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:251)
at org.jboss.modcluster.mcmp.impl.JSSESocketFactory.<init>(JSSESocketFactory.java:98)
... 15 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
... 23 more
{code}
Again, everything works with same configuration in 7.1.
EDIT: Just came to my mind, that this might not be related...
was (Author: jkasik):
[~rhusar] Tanks for he quick PR! I did some prestesting which didn't go well. During reload which follows adding security realm and its configuration (authentication and server identity), following exception shows up:
{code}
08:42:17,822 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 58) WFLYCTL0013: Operation ("add") failed - address: ([("subsystem" => "modcluster")]): java.lang.IllegalStateException: java.io.IOException: Keystore was tampered with, or password was incorrect
at org.jboss.modcluster.mcmp.impl.JSSESocketFactory.<init>(JSSESocketFactory.java:113)
at org.wildfly.extension.mod_cluster.ProxyConfigurationServiceConfigurator.configure(ProxyConfigurationServiceConfigurator.java:315)
at org.wildfly.extension.mod_cluster.ModClusterSubsystemServiceHandler.installServices(ModClusterSubsystemServiceHandler.java:79)
at org.jboss.as.clustering.controller.AddStepHandler.performRuntime(AddStepHandler.java:179)
at org.jboss.as.controller.AbstractAddStepHandler.performRuntime(AbstractAddStepHandler.java:338)
at org.jboss.as.controller.AbstractAddStepHandler$1.execute(AbstractAddStepHandler.java:159)
at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:999)
at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:743)
at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:467)
at org.jboss.as.controller.ParallelBootOperationStepHandler$ParallelBootTask.run(ParallelBootOperationStepHandler.java:384)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1349)
at java.lang.Thread.run(Thread.java:748)
at org.jboss.threads.JBossThread.run(JBossThread.java:485)
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.jboss.modcluster.mcmp.impl.JSSESocketFactory.getStore(JSSESocketFactory.java:230)
at org.jboss.modcluster.mcmp.impl.JSSESocketFactory.getKeystore(JSSESocketFactory.java:179)
at org.jboss.modcluster.mcmp.impl.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:251)
at org.jboss.modcluster.mcmp.impl.JSSESocketFactory.<init>(JSSESocketFactory.java:98)
... 15 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
... 23 more
{code}
Again, everything works with same configuration in 7.1.
EDIT: Just came to my mind, that this might not be related...
> Non-Elytron SSL configuration won't establish secure channel between worker and balancer
> ----------------------------------------------------------------------------------------
>
> Key: WFLY-10795
> URL: https://issues.jboss.org/browse/WFLY-10795
> Project: WildFly
> Issue Type: Bug
> Components: mod_cluster
> Affects Versions: No Release
> Environment: Latest snapshot from ci.wildfly.org
> Reporter: Jan Kašík
> Assignee: Radoslav Husar
> Priority: Blocker
> Fix For: 14.0.0.CR1
>
> Attachments: confs.zip
>
>
> When running scenario, where connection between worker and balancer is secured with SSL, worker fails to register on balancer.
> Worker obviously tries to send INFO commands, though it sends it as a 'plain text' to a secured channel.
> I enabled SSL debugging, and such unsecured-secured communication causes this error:
> {code}
> 09:42:20,456 INFO [stdout] (default I/O-4) Using SSLEngineImpl.
> 09:42:20,458 INFO [stdout] (default I/O-4) Allow unsafe renegotiation: false
> 09:42:20,458 INFO [stdout] (default I/O-4) Allow legacy hello messages: true
> 09:42:20,458 INFO [stdout] (default I/O-4) Is initial handshake: true
> 09:42:20,459 INFO [stdout] (default I/O-4) Is secure renegotiation: false
> 09:42:20,459 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
> 09:42:20,460 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
> 09:42:20,460 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
> 09:42:20,460 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
> 09:42:20,460 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
> 09:42:20,460 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
> 09:42:20,460 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
> 09:42:20,461 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> 09:42:20,461 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> 09:42:20,461 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
> 09:42:20,461 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> 09:42:20,461 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> 09:42:20,461 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
> 09:42:20,461 INFO [stdout] (default I/O-4) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
> 09:42:20,479 INFO [stdout] (default I/O-4) default I/O-4, fatal error: 80: problem unwrapping net record
> 09:42:20,480 INFO [stdout] (default I/O-4) javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
> 09:42:20,480 INFO [stdout] (default I/O-4) default I/O-4, SEND TLSv1.2 ALERT: fatal, description = internal_error
> 09:42:20,480 INFO [stdout] (default I/O-4) default I/O-4, WRITE: TLSv1.2 Alert, length = 2
> 09:42:20,480 INFO [stdout] (default I/O-4) default I/O-4, called closeInbound()
> 09:42:20,480 INFO [stdout] (default I/O-4) default I/O-4, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
> 09:42:20,480 INFO [stdout] (default I/O-4) default I/O-4, called closeOutbound()
> 09:42:20,480 INFO [stdout] (default I/O-4) default I/O-4, closeOutboundInternal()
> {code}
> What bothers me, that there are no other errors (bad certificate, CLI error...) in log regarding this. Apart from:
> {code}
> 09:45:42,653 WARN [org.infinispan.topology.ClusterTopologyManagerImpl] (transport-thread--p14-t16) ISPN000197: Error updating cluster member list: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 6 from wildfly-14.0.0.Beta2-SNAPSHOT-2
> at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167)
> at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
> at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
> Suppressed: org.infinispan.util.logging.TraceException
> at org.infinispan.remoting.transport.Transport.invokeRemotely(Transport.java:75)
> at org.infinispan.topology.ClusterTopologyManagerImpl.confirmMembersAvailable(ClusterTopologyManagerImpl.java:525)
> at org.infinispan.topology.ClusterTopologyManagerImpl.updateCacheMembers(ClusterTopologyManagerImpl.java:508)
> at org.infinispan.topology.ClusterTopologyManagerImpl.handleClusterView(ClusterTopologyManagerImpl.java:321)
> at org.infinispan.topology.ClusterTopologyManagerImpl.access$500(ClusterTopologyManagerImpl.java:87)
> at org.infinispan.topology.ClusterTopologyManagerImpl$ClusterViewListener.lambda$handleViewChange$0(ClusterTopologyManagerImpl.java:731)
> at org.infinispan.executors.LimitedExecutor.runTasks(LimitedExecutor.java:175)
> at org.infinispan.executors.LimitedExecutor.access$100(LimitedExecutor.java:37)
> at org.infinispan.executors.LimitedExecutor$Runner.run(LimitedExecutor.java:227)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at org.wildfly.clustering.service.concurrent.ClassLoaderThreadFactory.lambda$newThread$0(ClassLoaderThreadFactory.java:47)
> ... 1 more
> {code}
> Configuration using non-Elytron configuration was possible before, hence this is a regression.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 11 months