[
https://issues.apache.org/jira/browse/SOLR-12990?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16867081#comment-16867081
]
Hoss Man commented on SOLR-12990:
---------------------------------
ah ... wait a minute...
{quote}...but Dat's commits yesterday already force TLSv1.2 ... so is this yet
another TLSv1.3 bug in the JDK...
{quote}
...looking over Dat's
[6d5453d508|https://gitbox.apache.org/repos/asf?p=lucene-solr.git;a=commitdiff;h=c838289;hp=6d5453d508bd9609ccaaec06c62c0adebc7496d8]
commit more closely, i realize now that it _only_ uses
getSupportedSSLProtocols() / SUPPORTED_SSL_PROTOCOLS when checkPeerName=true
... which means most tests (except
TestMiniSolrCloudClusterSSL.testSslWithCheckPeerName IIUC ... it's not a
variable we randomize at the moment) should still be using the system default
protocol, which is going to be TLSv1.3 on java11.
So that suggests that upgrading to 11.0.3 to get theabove mentioned JDK fixes
might be all we need.
> High test failure rate on Java11/12 when (randomized) ssl=true
> clientAuth=false
> -------------------------------------------------------------------------------
>
> Key: SOLR-12990
> URL: https://issues.apache.org/jira/browse/SOLR-12990
> Project: Solr
> Issue Type: Bug
> Reporter: Hoss Man
> Priority: Major
> Labels: Java11, Java12
> Attachments: DistributedDebugComponentTest.ssl.debug.log.txt,
> enable.ssl.debug.patch
>
>
> Ever since the policeman's Jenkins instance started running tests on Java11,
> we've seen an abnormally high number of test failures that seem to be related
> to randomzed ssl.
> I've been investigating these logs, and trying to reproduce and have found
> the following observations:
> * In all the policeman jenkins logs i looked at, these SSL related failures
> only occur when the RandomizeSSL annotation picks {{ssl=true
> clientAuth=false}}
> ** NOTE: this doesn't mean that every test using {{ssl=true
> clientAuth=false}} failed -- since our build system only prints test output
> when tests fail, it's possible/probably (based on how often the value should
> be picked) that many tests randomly use {{ssl=true clientAuth=false}} and pass
> * the failures usually showed an exception that was {{Caused by:
> javax.net.ssl.SSLException: Received fatal alert: internal_error}} in the
> logs.
> * when i attempted to re-produce some of these failing seeds on my own
> machine using Java11, i could not _reliably_ reproduce these failures w/the
> same seeds
> ** beasting could _occasionally_ reproduce the failures, at roughly 1/10 runs
> ** suggesting that system load/timing contributed to these SSL related
> failures
> * picking one particularly trivial test (DistributedDebugComponentTest)
> ** with {{javax.net.debug=all}} enabled, i was able to see more details...
> *** notably: {{Fatal (INTERNAL_ERROR): Session has no PSK}}
> ** when I patched the test to force {{ssl=true clientAuth=true}} I was unable
> to trigger any failures with the same seed.
> * on the jira/http2 branch I was unable to reproduce these failures at all,
> w/o any patching
> ** similar to SOLR-12988, this may be because of bug fixes in the upgraded
> jetty.
> ----
> Filing this issue largely for tracking purpose, although we may also want to
> use it for discussions/considerations of other backports/fixes to 7x
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
