Chris,

On 10/2/2018 7:25 AM, Christopher Schultz wrote:
On 10/2/18 01:58, Igal Sapir wrote:
When trying to run the unit test cases with `ant clean test` on the
current trunk [1] I am getting two (per connector) failures:

org.apache.tomcat.util.net.openssl.ciphers.TestCipher FAILED [2]

org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser FAILED [3]

Server version: Apache Tomcat/9.0.13-dev
Server built:   Oct 2 2018 05:24:55 UTC
Server number:  9.0.13.0
OS Name:        Linux
OS Version:     4.18.9-200.fc28.x86_64
Architecture:   amd64
JVM Version:    1.8.0_181-b13
JVM Vendor:     Oracle Corporation

Am I missing something?  Other than the obvious "missing ciphers",
that is.
AIUI, you need to have the perfect match of JRE/JSSE and OpenSSL
versions in order to have this test work, because it tests all cipher
suites that have been configured in the test-case(s).

Some of those are the super-new ones that might not be supported by
your local version of OpenSSL.

Some of them may be cipher-suites that have been compiled-out of
OpenSSL in recent builds. You may want to take a look at the list of
cipher suites that are failing and then ask openssl if they are
supported (e.g. "openssl ciphers 'ALL'").

The same is true for the "IBM cipher suites" which all have different
names for some reason. OpenSSL and JSSE already disagree about the
names of cipher suites, and IBM had to go their own way, too. If you
don't have an IBM JRE then you won't be able to test those suites.

Let's take an example from OpenSSL where your tests are failing:

Testcase: testOpenSSLCipherAvailability took 0.06 sec FAILED
ECDHE-ARIA128-GCM-SHA256+TLSv1.2
DHE-RSA-ARIA128-GCM-SHA256+TLSv1.2
DHE-DSS-ARIA256-GCM-SHA384+TLSv1.2
ECDHE-ECDSA-ARIA128-GCM-SHA256+TLSv1.2
ARIA256-GCM-SHA384+TLSv1.2
ECDHE-ARIA256-GCM-SHA384+TLSv1.2
DHE-RSA-ARIA256-GCM-SHA384+TLSv1.2
RSA-PSK-ARIA256-GCM-SHA384+TLSv1.2
ECDHE-ECDSA-ARIA256-GCM-SHA384+TLSv1.2
ARIA128-GCM-SHA256+TLSv1.2
DHE-PSK-ARIA128-GCM-SHA256+TLSv1.2
RSA-PSK-ARIA128-GCM-SHA256+TLSv1.2
DHE-DSS-ARIA128-GCM-SHA256+TLSv1.2
PSK-ARIA256-GCM-SHA384+TLSv1.2
DHE-PSK-ARIA256-GCM-SHA384+TLSv1.2
PSK-ARIA128-GCM-SHA256+TLSv1.2
expected:<0> but was:<16>
Without looking at the code, I suspect that the test was intended to
select certain ciphers with some attribute. The test case expects zero
cipher suites to be available, but your environment provides 16
matching cipher suites.

If I run my local LibreSSL 2.2.7 "openssl ciphers -v 'ALL' | grep
ARIA" I get no output, but when I use OpenSSL 1.1.1, I get this output:

ECDHE-ECDSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(256) Mac=AEAD
ECDHE-ARIA256-GCM-SHA384       TLSv1.2 Kx=ECDH     Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
DHE-DSS-ARIA256-GCM-SHA384     TLSv1.2 Kx=DH       Au=DSS   Enc=ARIAGCM(256) Mac=AEAD
DHE-RSA-ARIA256-GCM-SHA384     TLSv1.2 Kx=DH       Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
ECDHE-ECDSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(128) Mac=AEAD
ECDHE-ARIA128-GCM-SHA256       TLSv1.2 Kx=ECDH     Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
DHE-DSS-ARIA128-GCM-SHA256     TLSv1.2 Kx=DH       Au=DSS   Enc=ARIAGCM(128) Mac=AEAD
DHE-RSA-ARIA128-GCM-SHA256     TLSv1.2 Kx=DH       Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
RSA-PSK-ARIA256-GCM-SHA384     TLSv1.2 Kx=RSAPSK   Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
DHE-PSK-ARIA256-GCM-SHA384     TLSv1.2 Kx=DHEPSK   Au=PSK   Enc=ARIAGCM(256) Mac=AEAD
ARIA256-GCM-SHA384             TLSv1.2 Kx=RSA      Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
PSK-ARIA256-GCM-SHA384         TLSv1.2 Kx=PSK      Au=PSK   Enc=ARIAGCM(256) Mac=AEAD
RSA-PSK-ARIA128-GCM-SHA256     TLSv1.2 Kx=RSAPSK   Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
DHE-PSK-ARIA128-GCM-SHA256     TLSv1.2 Kx=DHEPSK   Au=PSK   Enc=ARIAGCM(128) Mac=AEAD
ARIA128-GCM-SHA256             TLSv1.2 Kx=RSA      Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
PSK-ARIA128-GCM-SHA256         TLSv1.2 Kx=PSK      Au=PSK   Enc=ARIAGCM(128) Mac=AEAD

There are 16 items in that list. Perhaps you are using the latest
OpenSSL but the test isn't prepared for them.

I think it's "okay" that this test is failing for you, but it's
probably worth looking into why it's happening and trying to alter the
test to cope with that situation.

Remember that OpenSSL 1.1.1 is very fresh so the unit tests might not
have caught up with what's in there, yet.

But this is weird:

Testcase: testARIA128 took 0.535 sec FAILED Expected 8 ciphers but
got 0 for the specification 'ARIA128' expected:
Above, you have ARIA ciphers available, but in this test, they weren't
found. That could represent a bug in the test. Time to dive into the
cipher suite cross-match detection code, Igal! ;)

Thank you for the detailed explanation.

I will look into it and will post more information if I find anything useful.

Igal
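
The check suggested in this thread (asking the local openssl which of the suites named in a failing test it supports), as an added example that is not part of the original messages or of Tomcat's test code. The function names are hypothetical, and the embedded sample data is constructed from two rows of the output quoted above plus one made-up name.

```shell
#!/bin/sh
# Added example: compare the suites named in a failed cipher test against
# what an openssl binary reports. All function names are hypothetical.

# Turn JUnit-style "NAME+TLSv1.2 NAME+TLSv1.2 ..." into one bare name per line.
failed_suite_names() {
    tr ' ' '\n' | sed -e 's/+.*$//' -e '/^$/d' | sort -u
}

# Turn `openssl ciphers -v` output (stdin) into one suite name per line.
openssl_suite_names() {
    awk 'NF >= 2 { print $1 }' | sort -u
}

# classify_suites "FAILED LIST" < output-of-openssl-ciphers-v
# Prints "supported NAME" or "missing NAME" for every suite in the list.
classify_suites() {
    available=$(openssl_suite_names)
    printf '%s\n' "$1" | failed_suite_names | while read -r name; do
        if printf '%s\n' "$available" | grep -xF -- "$name" >/dev/null; then
            echo "supported $name"
        else
            echo "missing $name"
        fi
    done
}

# Constructed sample: two names from the failing test, one made-up name.
sample_failed() {
    echo 'ECDHE-ARIA128-GCM-SHA256+TLSv1.2 ARIA256-GCM-SHA384+TLSv1.2 NOT-A-REAL-SUITE+TLSv1.2'
}

# Constructed sample: two rows in the `openssl ciphers -v` layout.
sample_openssl() {
    cat <<'EOF'
ECDHE-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=ARIAGCM(128) Mac=AEAD
ARIA256-GCM-SHA384       TLSv1.2 Kx=RSA  Au=RSA Enc=ARIAGCM(256) Mac=AEAD
EOF
}

# Demo on the samples. Against a real binary, feed it live output instead:
#   openssl ciphers -v 'ALL' | classify_suites "$(cat failed-suites.txt)"
sample_openssl | classify_suites "$(sample_failed)"
```

Running it under each installed OpenSSL or LibreSSL build shows which library version accounts for a mismatch in the test's expected count.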

