Hi Chris, hi all,
I ran build and tests for TC 10.0.0-M7 plus tcnative 1.2.24 and compared
them between OpenSSL 3.0.0alpha5 and 1.1.1g plus patches. APR was always
1.7.0.
- build warnings for tcnative using OpenSSL 3.0.0alpha5:
src/ssl.c:422:5: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
src/ssl.c:424:9: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
src/ssl.c:425:13: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
src/ssl.c:426:13: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
src/ssl.c:806:13: warning: 'ENGINE_register_all_complete' is deprecated [-Wdeprecated-declarations]
src/ssl.c:809:13: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
src/ssl.c:815:21: warning: 'ENGINE_ctrl' is deprecated [-Wdeprecated-declarations]
src/ssl.c:817:17: warning: 'ENGINE_set_default' is deprecated [-Wdeprecated-declarations]
src/ssl.c:822:17: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
src/ssl.c:422: warning: 'ENGINE_by_id' is deprecated (declared at /path/to/include/openssl/engine.h:327)
src/ssl.c:424: warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at /path/to/include/openssl/engine.h:462)
src/ssl.c:425: warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at /path/to/include/openssl/engine.h:462)
src/ssl.c:426: warning: 'ENGINE_free' is deprecated (declared at /path/to/include/openssl/engine.h:474)
src/ssl.c:806: warning: 'ENGINE_register_all_complete' is deprecated (declared at /path/to/include/openssl/engine.h:407)
src/ssl.c:809: warning: 'ENGINE_by_id' is deprecated (declared at /path/to/include/openssl/engine.h:327)
src/ssl.c:815: warning: 'ENGINE_ctrl' is deprecated (declared at /path/to/include/openssl/engine.h:419)
src/ssl.c:817: warning: 'ENGINE_set_default' is deprecated (declared at /path/to/include/openssl/engine.h:652)
src/ssl.c:822: warning: 'ENGINE_free' is deprecated (declared at /path/to/include/openssl/engine.h:474)
- test results:
Only tested NIO and NIO2 connectors (couldn't easily do it for APR for
local reasons independent of OpenSSL).
The tests have been run on RedHat Enterprise Linux 8 using the following
JVMs:
- OpenJDK 1.8.0_262-b10
- OpenJDK 11.0.8+10
- OpenJDK 14.0.2+12-46
- OpenJDK 15-ea+31-1502
- Adopt OpenJDK 1.8.0_262-b10
- Adopt OpenJDK 11.0.8+10
- Adopt OpenJDK 14.0.2+12
- RedHat OpenJDK 1.8.0_201-b09
- RedHat OpenJDK 11.0.2+7-LTS
- Azul Zulu 1.8.0_262-b18
- Azul Zulu 11.0.8+10-LTS
- Azul 14.0.2+12
All tests succeeded with the following exceptions. These do not differ
between OpenSSL 1.1.1g plus patches and 3.0.0alpha5:
- zulu JDK 1.8.0
2 errors for NIO and NIO2 in org.apache.tomcat.util.net.TestClientCertTls13:
Testcase: testClientCertPost took 2.327 sec
Caused an ERROR
Received fatal alert: protocol_version
javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.Alert.createSSLException(Alert.java:117)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:156)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1197)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1106)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:398)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:370)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167)
at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:789)
at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:755)
at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:729)
at org.apache.tomcat.util.net.TestClientCertTls13.testClientCertPost(TestClientCertTls13.java:61)
Testcase: testClientCertGet took 0.169 sec
Caused an ERROR
Received fatal alert: protocol_version
javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.Alert.createSSLException(Alert.java:117)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:156)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1197)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1106)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:398)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:370)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167)
at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:691)
at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:665)
at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:659)
at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:653)
at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:638)
at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:632)
at org.apache.tomcat.util.net.TestClientCertTls13.testClientCertGet(TestClientCertTls13.java:45)
- RedHat JDK 1.8.0
8 errors in org.apache.tomcat.util.net.TestSSLHostConfigCompat
Testcase: testHostECandRSAwithRSAClient[NIO-JSSE-KEYSTORE] took 2.878 sec
Caused an ERROR
DHPublicKey does not comply to algorithm constraints
javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
at sun.security.ssl.DHCrypt.checkConstraints(DHCrypt.java:237)
at sun.security.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:774)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:287)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162)
at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:691)
at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:665)
at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:659)
at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:653)
at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:638)
at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:632)
at org.apache.tomcat.util.net.TestSSLHostConfigCompat.doTest(TestSSLHostConfigCompat.java:298)
at org.apache.tomcat.util.net.TestSSLHostConfigCompat.testHostECandRSAwithRSAClient(TestSSLHostConfigCompat.java:131)
and similar errors in
Testcase: testHostRSAandECwithRSAClient[NIO-JSSE-KEYSTORE] took 0.181 sec
Testcase: testHostRSAwithRSAandECClient[NIO-JSSE-KEYSTORE] took 0.151 sec
Testcase: testHostRSAwithRSAClient[NIO-JSSE-KEYSTORE] took 0.149 sec
Testcase: testHostECandRSAwithRSAClient[NIO-JSSE-PEM] took 0.394 sec
Testcase: testHostRSAandECwithRSAClient[NIO-JSSE-PEM] took 0.185 sec
Testcase: testHostRSAwithRSAandECClient[NIO-JSSE-PEM] took 0.255 sec
Testcase: testHostRSAwithRSAClient[NIO-JSSE-PEM] took 0.199 sec
Furthermore, the test with OpenSSL 1.1.1g plus patches showed one
isolated JVM crash under Zulu with JDK 11 in
org.apache.tomcat.util.net.TestSsl for NIO2:
Executable: /usr/local/zulu_jdk11/bin/java
Control Group: /
Slice: -.slice
Boot ID: 5b69924960db44f297aac21f912de346
Machine ID: 11e20c69b48145c494c0005eb2e92d17
Hostname: esb-rhel8-64
Storage: /var/lib/systemd/coredump/core.java.1200.5b69924960db44f297aac21f912de346.8157.1596423433000000.lz4
Message: Process 8157 (java) of user 1200 dumped core.
Stack trace of thread 8162:
#0 0x00007f2a39bfe93f raise (libc.so.6)
#1 0x00007f2a39be8c95 abort (libc.so.6)
#2 0x00007f2a39c41d57 __libc_message (libc.so.6)
#3 0x00007f2a39c4868c malloc_printerr (libc.so.6)
#4 0x00007f2a39c4a188 _int_free (libc.so.6)
#5 0x00007f2a08b0d4f3 apr_allocator_destroy (libapr-1.so.0)
#6 0x00007f2a08b0df60 apr_pool_terminate (libapr-1.so.0)
#7 0x00007f2a1be0f1f0 n/a (n/a)
#8 0x00007f2a1be00849 n/a (n/a)
#9 0x00007f2a38faab42 _ZN9JavaCalls11call_helperEP9JavaValueRK12methodHandleP17JavaCallArgumentsP6Thread (libjvm.so)
#10 0x00007f2a393b8de0 _ZL6invokeP13InstanceKlassRK12methodHandle6Handleb14objArrayHandle9BasicTypeS5_bP6Thread (libjvm.so)
#11 0x00007f2a393b9bc3 _ZN10Reflection13invoke_methodEP7oopDesc6Handle14objArrayHandleP6Thread (libjvm.so)
#12 0x00007f2a39058542 JVM_InvokeMethod (libjvm.so)
#13 0x00007f2a239792b0 n/a (n/a)
#14 0x00007f2a1c779a8c n/a (n/a)
I ran the test with 2 threads in parallel. It looks like a possible
thread safety issue (race condition) during shutdown. Seems not to be
strictly reproducible.
So far this means OpenSSL 3.0.0 looks good :)
Regards,
Rainer
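Turning a build log like the one above into a per-symbol summary is a quick way to size a port away from the deprecated ENGINE API before OpenSSL 3.0 removes it. This is an added Python example, not tcnative or OpenSSL code; the log it parses is a constructed sample modelled on the wrapped gcc output in the report.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the tcnative build output above: the mail
# client wrapped each diagnostic onto two lines, and gcc emitted two shapes,
# one ending in the -W flag and one naming the declaring header line.
SAMPLE_BUILD_LOG = """\
src/ssl.c:422:5: warning: 'ENGINE_by_id' is deprecated
[-Wdeprecated-declarations]
src/ssl.c:424:9: warning: 'ENGINE_ctrl_cmd_string' is deprecated
[-Wdeprecated-declarations]
src/ssl.c:426:13: warning: 'ENGINE_free' is deprecated
[-Wdeprecated-declarations]
src/ssl.c:422: warning: 'ENGINE_by_id' is deprecated (declared at
/path/to/include/openssl/engine.h:327)
src/ssl.c:806: warning: 'ENGINE_register_all_complete' is deprecated
(declared at /path/to/include/openssl/engine.h:407)
src/ssl.c:809:13: warning: 'ENGINE_by_id' is deprecated
[-Wdeprecated-declarations]
src/sslutils.c:12:3: note: not a deprecation diagnostic, must be ignored
"""

# A new diagnostic starts with 'file:line[:col]: kind: '; anything else is a
# continuation of the previous (wrapped) line.
DIAG_START = re.compile(r"^[^:\s]+:\d+(?::\d+)?: (?:warning|error|note): ")
WARNING_RE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+)(?::\d+)?: warning: "
    r"'(?P<symbol>\w+)' is deprecated"
    r"(?: \[-Wdeprecated-declarations\]| \(declared at (?P<decl>[^)]+)\))?\s*$"
)

def unwrap(log_text):
    """Re-join diagnostics that a mail client or terminal wrapped across lines."""
    joined = []
    for line in log_text.splitlines():
        if joined and not DIAG_START.match(line):
            joined[-1] += " " + line.strip()
        else:
            joined.append(line.rstrip())
    return joined

def parse_deprecations(log_text):
    """Map each deprecated symbol to its sorted (file, line) call sites and,
    where the compiler reported it, the header location declaring it."""
    sites, declared = defaultdict(set), {}
    for line in unwrap(log_text):
        m = WARNING_RE.match(line)
        if not m:
            continue
        sites[m["symbol"]].add((m["file"], int(m["line"])))
        if m["decl"]:
            declared[m["symbol"]] = m["decl"]
    return {s: {"sites": sorted(v), "declared_at": declared.get(s)}
            for s, v in sites.items()}

def api_families(report):
    """Group symbols by prefix (ENGINE_, ...) to size the work per OpenSSL subsystem."""
    families = defaultdict(list)
    for sym in sorted(report):
        families[sym.split("_", 1)[0]].append(sym)
    return dict(families)
```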
On 01.08.2020 at 19:12, Christopher Schultz wrote:
Rainer,
On 8/1/20 11:44, Rainer Jung wrote:
Sorry, wrong dev list.
I thought it was interesting anyway :)
How about libtcnative built against OpenSSL 3.0.0?
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org