[mod_cluster-issues] [JBoss JIRA] (MODCLUSTER-554) JVM segfault: mod_cluster subsystem cannot handle wildfly-openssl integration

Michal Karm Babacek (JIRA) issues at jboss.org
Tue Nov 29 12:51:01 EST 2016


     [ https://issues.jboss.org/browse/MODCLUSTER-554?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michal Karm Babacek updated MODCLUSTER-554:
-------------------------------------------
    Component/s: Core & Container Integration (Java)


> JVM segfault: mod_cluster subsystem cannot handle wildfly-openssl integration
> -----------------------------------------------------------------------------
>
>                 Key: MODCLUSTER-554
>                 URL: https://issues.jboss.org/browse/MODCLUSTER-554
>             Project: mod_cluster
>          Issue Type: Bug
>          Components: Core & Container Integration (Java)
>    Affects Versions: 1.3.5.Final
>            Reporter: Michal Karm Babacek
>            Assignee: Stuart Douglas
>            Priority: Critical
>
> h3. Preface
> The mod_cluster subsystem doesn't use Security Realms, unfortunately, so one must replicate the SSL configuration both in the security realms and in the mod_cluster subsystem.
> Apparently, there is confusion about setting the protocol and cipher suite in the integration between the mod_cluster subsystem and wildfly-openssl:
> {noformat}
> at org.wildfly.openssl.OpenSSLEngine.setEnabledProtocols(OpenSSLEngine.java:754)
>     at org.wildfly.openssl.OpenSSLSocket.setEnabledCipherSuites(OpenSSLSocket.java:204)
>     at org.jboss.modcluster.mcmp.impl.JSSESocketFactory.initSocket(JSSESocketFactory.java:384)
>     at org.jboss.modcluster.mcmp.impl.JSSESocketFactory.createSocket(JSSESocketFactory.java:124)
> {noformat}
> h3. Configuration
> {code}
> <security-realm name="JBossTestServer">
>     <server-identities>
>         <ssl protocol="openssl.TLS">
>             <engine enabled-cipher-suites="TLS_RSA_WITH_AES_128_GCM_SHA256"/>
>             <keystore provider="JKS" path="/opt/noe-tests/resources/ssl/proper/server-cert-key.jks" keystore-password="tomcat" alias="javaserver"/>
>         </ssl>
>     </server-identities>
>     <authentication>
>         <truststore path="/opt/noe-tests/resources/ssl/proper/ca-cert.jks" keystore-password="tomcat"/>
>     </authentication>
> </security-realm>
> <subsystem xmlns="urn:jboss:domain:modcluster:2.0">
>     <mod-cluster-config advertise-socket="modcluster" connector="https">
>         <dynamic-load-provider>
>             <load-metric type="cpu"/>
>         </dynamic-load-provider>
>         <ssl key-alias="javaclient" password="tomcat" certificate-key-file="/opt/noe-tests/resources/ssl/proper/client-cert-key.jks" cipher-suite="TLS_RSA_WITH_AES_128_GCM_SHA256" protocol="openssl.TLS" ca-certificate-file="/opt/noe-tests/resources/ssl/proper/ca-cert.jks"/>
>     </mod-cluster-config>
> </subsystem>
> [org.wildfly.openssl.SSL] OpenSSL Version OpenSSL 1.0.2h-fips  3 May 2016
> {code}
> h3. JVM segfault
> Java stack trace on MCMP handler registration: [OpenSSLEngine.java:L754|https://github.com/wildfly/wildfly-openssl/blob/1.0.0.Alpha4/java/src/main/java/org/wildfly/openssl/OpenSSLEngine.java#L754]
> {noformat}
> 12:01:02,249 ERROR [org.jboss.mod_cluster.undertow] (UndertowEventHandlerAdapter - 1) Unsupported protocol TLS_RSA_WITH_AES_128_GCM_SHA256: java.lang.IllegalArgumentException: Unsupported protocol TLS_RSA_WITH_AES_128_GCM_SHA256
>     at org.wildfly.openssl.OpenSSLEngine.setEnabledProtocols(OpenSSLEngine.java:754)
>     at org.wildfly.openssl.OpenSSLSocket.setEnabledCipherSuites(OpenSSLSocket.java:204)
>     at org.jboss.modcluster.mcmp.impl.JSSESocketFactory.initSocket(JSSESocketFactory.java:384)
>     at org.jboss.modcluster.mcmp.impl.JSSESocketFactory.createSocket(JSSESocketFactory.java:124)
>     at org.jboss.modcluster.mcmp.impl.DefaultMCMPHandler$Proxy.getConnection(DefaultMCMPHandler.java:850)
>     at org.jboss.modcluster.mcmp.impl.DefaultMCMPHandler$Proxy.getConnectionWriter(DefaultMCMPHandler.java:886)
>     at org.jboss.modcluster.mcmp.impl.DefaultMCMPHandler.sendRequest(DefaultMCMPHandler.java:514)
>     at org.jboss.modcluster.mcmp.impl.DefaultMCMPHandler.sendRequest(DefaultMCMPHandler.java:605)
>     at org.jboss.modcluster.mcmp.impl.DefaultMCMPHandler.status(DefaultMCMPHandler.java:387)
>     at org.jboss.modcluster.mcmp.impl.DefaultMCMPHandler.status(DefaultMCMPHandler.java:365)
>     at org.jboss.modcluster.ModClusterService.status(ModClusterService.java:454)
>     at org.wildfly.mod_cluster.undertow.UndertowEventHandlerAdapter.run(UndertowEventHandlerAdapter.java:179)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>     at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:745)
>     at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> {noformat}
> causes JVM segfault:
> {noformat}
> #
> # A fatal error has been detected by the Java Runtime Environment:
> #
> #  SIGSEGV (0xb) at pc=0x00007fd40e7798c5, pid=29489, tid=0x00007fd44f7f7700
> #
> {noformat}
> Java and Native stacktrace: for a call from Java [byte\[\] getSessionId0(long ssl)|https://github.com/wildfly/wildfly-openssl/blob/1.0.0.Alpha4/java/src/main/java/org/wildfly/openssl/SSLImpl.java#L474] to C [getting session from underlying OpenSSL integration fails|https://github.com/wildfly/wildfly-openssl/blob/1.0.0.Alpha4/libwfssl/src/session.c#L171]
> {noformat}
> Stack: [0x00007fd44f6f7000,0x00007fd44f7f8000],  sp=0x00007fd44f7f6358,  free space=1020k
> Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
> C  [libssl.so+0x478c5]  SSL_SESSION_get_id+0x5
> C  [libwfssl.so+0x4a0b]  Java_org_wildfly_openssl_SSLImpl_getSessionId0+0x6b
> j  org.wildfly.openssl.SSLImpl.getSessionId0(J)[B+0
> j  org.wildfly.openssl.SSLImpl.getSessionId(J)[B+1
> j  org.wildfly.openssl.OpenSSLEngine.shutdown()V+42
> j  org.wildfly.openssl.OpenSSLEngine.finalize()V+5
> J 1218 C1 java.lang.ref.Finalizer.runFinalizer(Lsun/misc/JavaLangAccess;)V (62 bytes) @ 0x00007fd4593dbf84 [0x00007fd4593dba00+0x584]
> J 1217 C1 java.lang.ref.Finalizer.access$100(Ljava/lang/ref/Finalizer;Lsun/misc/JavaLangAccess;)V (6 bytes) @ 0x00007fd4593db69c [0x00007fd4593db640+0x5c]
> j  java.lang.ref.Finalizer$FinalizerThread.run()V+45
> v  ~StubRoutines::call_stub
> V  [libjvm.so+0x657fbb]
> V  [libjvm.so+0x6593b7]
> V  [libjvm.so+0x659877]
> V  [libjvm.so+0x6a9371]
> V  [libjvm.so+0x9de335]
> V  [libjvm.so+0x9de590]
> V  [libjvm.so+0x8a18b2]
> C  [libpthread.so.0+0x7aa1]
> Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
> j  org.wildfly.openssl.SSLImpl.getSessionId0(J)[B+0
> j  org.wildfly.openssl.SSLImpl.getSessionId(J)[B+1
> j  org.wildfly.openssl.OpenSSLEngine.shutdown()V+42
> j  org.wildfly.openssl.OpenSSLEngine.finalize()V+5
> J 1218 C1 java.lang.ref.Finalizer.runFinalizer(Lsun/misc/JavaLangAccess;)V (62 bytes) @ 0x00007fd4593dbf84 [0x00007fd4593dba00+0x584]
> J 1217 C1 java.lang.ref.Finalizer.access$100(Ljava/lang/ref/Finalizer;Lsun/misc/JavaLangAccess;)V (6 bytes) @ 0x00007fd4593db69c [0x00007fd4593db640+0x5c]
> j  java.lang.ref.Finalizer$FinalizerThread.run()V+45
> v  ~StubRoutines::call_stub
> {noformat}
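
Because the TLS settings have to be kept in two places, as the preface of the report notes, a pre-deployment check can compare them and flag a cipher suite name that ends up in a protocol field, the value the "Unsupported protocol" error shows. This is an added example, not code from the report or from the mod_cluster project; the `<server>` wrapper, the un-namespaced `security-realm`, the `/example/` paths, the drifted values and the names `get`, `tls_settings` and `lint` are assumptions.

```python
import re
import xml.etree.ElementTree as ET

MC = "{urn:jboss:domain:modcluster:2.0}"  # namespace of the mod_cluster subsystem
CIPHER_NAME = re.compile(r"^(TLS|SSL)_\w+_WITH_\w+$")  # JSSE cipher suite naming

# Constructed sample: names as in the report; <server> root, paths and drift are made up.
SAMPLE = """<server>
  <security-realm name="JBossTestServer">
    <server-identities>
      <ssl protocol="openssl.TLS"><engine enabled-cipher-suites="TLS_RSA_WITH_AES_128_GCM_SHA256"/></ssl>
    </server-identities>
    <authentication><truststore path="/example/ca-cert.jks"/></authentication>
  </security-realm>
  <subsystem xmlns="urn:jboss:domain:modcluster:2.0">
    <mod-cluster-config advertise-socket="modcluster" connector="https">
      <ssl protocol="TLS_RSA_WITH_AES_128_GCM_SHA256" cipher-suite="TLS_RSA_WITH_AES_128_CBC_SHA"
           ca-certificate-file="/example/ca-cert.jks"/>
    </mod-cluster-config>
  </subsystem>
</server>"""

def get(root, path, name):
    el = root.find(path)
    return el.get(name) if el is not None else None  # missing element -> None

def tls_settings(root):
    """Return (realm, mod_cluster) dicts of the settings kept in both places."""
    mc_ssl = f"{MC}subsystem/{MC}mod-cluster-config/{MC}ssl"
    realm = {"protocol": get(root, "security-realm/server-identities/ssl", "protocol"),
             "ciphers": get(root, "security-realm/server-identities/ssl/engine", "enabled-cipher-suites"),
             "truststore": get(root, "security-realm/authentication/truststore", "path")}
    mc = {"protocol": get(root, mc_ssl, "protocol"),
          "ciphers": get(root, mc_ssl, "cipher-suite"),
          "truststore": get(root, mc_ssl, "ca-certificate-file")}
    return realm, mc

def lint(xml_text):
    """Report drift between the two blocks and cipher names used as protocols."""
    realm, mc = tls_settings(ET.fromstring(xml_text))
    findings = [f"drift in {k}: realm={realm[k]!r} mod_cluster={mc[k]!r}"
                for k in realm if realm[k] != mc[k]]
    for where, cfg in (("realm", realm), ("mod_cluster", mc)):
        if cfg["protocol"] and CIPHER_NAME.match(cfg["protocol"]):
            findings.append(f"{where}: protocol is a cipher suite name: {cfg['protocol']}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

The values in the report's own configuration match each other, so this check would pass it; the sample here is drifted on purpose to show the findings.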


