Hi Chris, hi all,

I ran build and tests for TC 10.0.0-M7 plus tcnative 1.2.24 and compared them between OpenSSL 3.0.0alpha5 and 1.1.1g plus patches. APR was always 1.7.0.

- build warnings for tcnative using OpenSSL 3.0.0alpha5:

src/ssl.c:422:5: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
src/ssl.c:424:9: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
src/ssl.c:425:13: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
src/ssl.c:426:13: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
src/ssl.c:806:13: warning: 'ENGINE_register_all_complete' is deprecated [-Wdeprecated-declarations]
src/ssl.c:809:13: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
src/ssl.c:815:21: warning: 'ENGINE_ctrl' is deprecated [-Wdeprecated-declarations]
src/ssl.c:817:17: warning: 'ENGINE_set_default' is deprecated [-Wdeprecated-declarations]
src/ssl.c:822:17: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
src/ssl.c:422: warning: 'ENGINE_by_id' is deprecated (declared at /path/to/include/openssl/engine.h:327)
src/ssl.c:424: warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at /path/to/include/openssl/engine.h:462)
src/ssl.c:425: warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at /path/to/include/openssl/engine.h:462)
src/ssl.c:426: warning: 'ENGINE_free' is deprecated (declared at /path/to/include/openssl/engine.h:474)
src/ssl.c:806: warning: 'ENGINE_register_all_complete' is deprecated (declared at /path/to/include/openssl/engine.h:407)
src/ssl.c:809: warning: 'ENGINE_by_id' is deprecated (declared at /path/to/include/openssl/engine.h:327)
src/ssl.c:815: warning: 'ENGINE_ctrl' is deprecated (declared at /path/to/include/openssl/engine.h:419)
src/ssl.c:817: warning: 'ENGINE_set_default' is deprecated (declared at /path/to/include/openssl/engine.h:652)
src/ssl.c:822: warning: 'ENGINE_free' is deprecated (declared at /path/to/include/openssl/engine.h:474)

- test results:

Only tested NIO and NIO2 connectors (couldn't easily do it for APR for local reasons independent of OpenSSL).

The tests have been run on RedHat Enterprise Linux 8 using the following JVMs:

- OpenJDK 1.8.0_262-b10
- OpenJDK 11.0.8+10
- OpenJDK 14.0.2+12-46
- OpenJDK 15-ea+31-1502
- Adopt OpenJDK 1.8.0_262-b10
- Adopt OpenJDK 11.0.8+10
- Adopt OpenJDK 14.0.2+12
- RedHat OpenJDK 1.8.0_201-b09
- RedHat OpenJDK 11.0.2+7-LTS
- Azul Zulu 1.8.0_262-b18
- Azul Zulu 11.0.8+10-LTS
- Azul 14.0.2+12

All tests succeed with the following exceptions. These do not differ between OpenSSL 1.1.1g plus patches and 3.0.0alpha5:

- Zulu JDK 1.8.0

2 errors for NIO and NIO2 in org.apache.tomcat.util.net.TestClientCertTls13:

Testcase: testClientCertPost took 2.327 sec
        Caused an ERROR
Received fatal alert: protocol_version
javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
        at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:156)
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1197)
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1106)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:398)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:370)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167)
        at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:789)
        at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:755)
        at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:729)
        at org.apache.tomcat.util.net.TestClientCertTls13.testClientCertPost(TestClientCertTls13.java:61)

Testcase: testClientCertGet took 0.169 sec
        Caused an ERROR
Received fatal alert: protocol_version
javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
        at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:156)
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1197)
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1106)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:398)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:370)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167)
        at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:691)
        at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:665)
        at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:659)
        at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:653)
        at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:638)
        at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:632)
        at org.apache.tomcat.util.net.TestClientCertTls13.testClientCertGet(TestClientCertTls13.java:45)


- RedHat JDK 1.8.0

8 errors in org.apache.tomcat.util.net.TestSSLHostConfigCompat

Testcase: testHostECandRSAwithRSAClient[NIO-JSSE-KEYSTORE] took 2.878 sec
        Caused an ERROR
DHPublicKey does not comply to algorithm constraints
javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
        at sun.security.ssl.DHCrypt.checkConstraints(DHCrypt.java:237)
        at sun.security.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:774)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:287)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162)
        at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:691)
        at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:665)
        at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:659)
        at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:653)
        at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:638)
        at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:632)
        at org.apache.tomcat.util.net.TestSSLHostConfigCompat.doTest(TestSSLHostConfigCompat.java:298)
        at org.apache.tomcat.util.net.TestSSLHostConfigCompat.testHostECandRSAwithRSAClient(TestSSLHostConfigCompat.java:131)

and similar errors in

Testcase: testHostRSAandECwithRSAClient[NIO-JSSE-KEYSTORE] took 0.181 sec
Testcase: testHostRSAwithRSAandECClient[NIO-JSSE-KEYSTORE] took 0.151 sec
Testcase: testHostRSAwithRSAClient[NIO-JSSE-KEYSTORE] took 0.149 sec
Testcase: testHostECandRSAwithRSAClient[NIO-JSSE-PEM] took 0.394 sec
Testcase: testHostRSAandECwithRSAClient[NIO-JSSE-PEM] took 0.185 sec
Testcase: testHostRSAwithRSAandECClient[NIO-JSSE-PEM] took 0.255 sec
Testcase: testHostRSAwithRSAClient[NIO-JSSE-PEM] took 0.199 sec


Furthermore, the test with OpenSSL 1.1.1g plus patches showed one isolated JVM crash under Zulu with JDK 11 in org.apache.tomcat.util.net.TestSsl for NIO2:

    Executable: /usr/local/zulu_jdk11/bin/java
 Control Group: /
         Slice: -.slice
       Boot ID: 5b69924960db44f297aac21f912de346
    Machine ID: 11e20c69b48145c494c0005eb2e92d17
      Hostname: esb-rhel8-64
       Storage: /var/lib/systemd/coredump/core.java.1200.5b69924960db44f297aac21f912de346.8157.1596423433000000.lz4
       Message: Process 8157 (java) of user 1200 dumped core.

                Stack trace of thread 8162:
                #0  0x00007f2a39bfe93f raise (libc.so.6)
                #1  0x00007f2a39be8c95 abort (libc.so.6)
                #2  0x00007f2a39c41d57 __libc_message (libc.so.6)
                #3  0x00007f2a39c4868c malloc_printerr (libc.so.6)
                #4  0x00007f2a39c4a188 _int_free (libc.so.6)
                #5  0x00007f2a08b0d4f3 apr_allocator_destroy (libapr-1.so.0)
                #6  0x00007f2a08b0df60 apr_pool_terminate (libapr-1.so.0)
                #7  0x00007f2a1be0f1f0 n/a (n/a)
                #8  0x00007f2a1be00849 n/a (n/a)
                #9  0x00007f2a38faab42 _ZN9JavaCalls11call_helperEP9JavaValueRK12methodHandleP17JavaCallArgumentsP6Thread (libjvm.so)
                #10 0x00007f2a393b8de0 _ZL6invokeP13InstanceKlassRK12methodHandle6Handleb14objArrayHandle9BasicTypeS5_bP6Thread (libjvm.so)
                #11 0x00007f2a393b9bc3 _ZN10Reflection13invoke_methodEP7oopDesc6Handle14objArrayHandleP6Thread (libjvm.so)
                #12 0x00007f2a39058542 JVM_InvokeMethod (libjvm.so)
                #13 0x00007f2a239792b0 n/a (n/a)
                #14 0x00007f2a1c779a8c n/a (n/a)

I ran the test with 2 threads in parallel. It looks like a possible thread safety issue (race condition) during shutdown. It does not seem to be strictly reproducible.

So far this means OpenSSL 3.0.0 looks good :)

Regards,

Rainer

On 01.08.2020 at 19:12, Christopher Schultz wrote:

Rainer,

On 8/1/20 11:44, Rainer Jung wrote:
Sorry, wrong dev list.

I thought it was interesting anyway :)

How about libtcnative built against OpenSSL 3.0.0?

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org