-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Rainer,
On 8/3/20 07:03, Rainer Jung wrote:
> Hi Chris, hi all,
>
> I ran build and tests for TC 10.0.0-M7 plus tcnative 1.2.24 and
> compared them between OpenSSL 3.0.0alpha5 and 1.1.1g plus patches.
> APR was always 1.7.0.

Thanks for trying this out. What is "OpenSSL 1.1.1 + patches?" Which
patches are you applying?

> - build warnings for tcnative using OpenSSL 3.0.0alpha5:
>
> src/ssl.c:422:5: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:424:9: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:425:13: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:426:13: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:806:13: warning: 'ENGINE_register_all_complete' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:809:13: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:815:21: warning: 'ENGINE_ctrl' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:817:17: warning: 'ENGINE_set_default' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:822:17: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:422: warning: 'ENGINE_by_id' is deprecated (declared at /path/to/include/openssl/engine.h:327)
> src/ssl.c:424: warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at /path/to/include/openssl/engine.h:462)
> src/ssl.c:425: warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at /path/to/include/openssl/engine.h:462)
> src/ssl.c:426: warning: 'ENGINE_free' is deprecated (declared at /path/to/include/openssl/engine.h:474)
> src/ssl.c:806: warning: 'ENGINE_register_all_complete' is deprecated (declared at /path/to/include/openssl/engine.h:407)
> src/ssl.c:809: warning: 'ENGINE_by_id' is deprecated (declared at /path/to/include/openssl/engine.h:327)
> src/ssl.c:815: warning: 'ENGINE_ctrl' is deprecated (declared at /path/to/include/openssl/engine.h:419)
> src/ssl.c:817: warning: 'ENGINE_set_default' is deprecated (declared at /path/to/include/openssl/engine.h:652)
> src/ssl.c:822: warning: 'ENGINE_free' is deprecated (declared at /path/to/include/openssl/engine.h:474)

I spot-checked ENGINE_ctrl_cmd_string and I can't seem to find any
indication of what replacement exists for this function. It seems that
a huge number of functions have been deprecated in 3.0.x with very
little explanation for how to update client code to be 3.0-compliant.

> - test results:
>
> Only tested NIO and NIO2 connectors (couldn't easily do it for APR
> for local reasons independent of OpenSSL).
>
> The tests have been run on RedHat Enterprise Linux 8 using the
> following JVMs:
>
> - OpenJDK 1.8.0_262-b10
> - OpenJDK 11.0.8+10
> - OpenJDK 14.0.2+12-46
> - OpenJDK 15-ea+31-1502
> - Adopt OpenJDK 1.8.0_262-b10
> - Adopt OpenJDK 11.0.8+10
> - Adopt OpenJDK 14.0.2+12
> - RedHat OpenJDK 1.8.0_201-b09
> - RedHat OpenJDK 11.0.2+7-LTS
> - Azul Zulu 1.8.0_262-b18
> - Azul Zulu 11.0.8+10-LTS
> - Azul 14.0.2+12
>
> All tests succeed with the following exceptions.
> These do not differ between OpenSSL 1.1.1g plus patches and 3.0.0alpha5:
>
> - zulu JDK 1.8.0
>
> 2 errors for NIO and NIO2 in org.apache.tomcat.util.net.TestClientCertTls13:
>
> Testcase: testClientCertPost took 2.327 sec
> Caused an ERROR
> Received fatal alert: protocol_version
> javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
>     at sun.security.ssl.Alert.createSSLException(Alert.java:131)
>     at sun.security.ssl.Alert.createSSLException(Alert.java:117)
>     at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
>     at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
>     at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
>     at sun.security.ssl.SSLTransport.decode(SSLTransport.java:156)
>     at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1197)
>     at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1106)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:398)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:370)
>     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167)
>     at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:789)
>     at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:755)
>     at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:729)
>     at org.apache.tomcat.util.net.TestClientCertTls13.testClientCertPost(TestClientCertTls13.java:61)

Interesting.
> Testcase: testClientCertGet took 0.169 sec
> Caused an ERROR
> Received fatal alert: protocol_version
> javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
>     at sun.security.ssl.Alert.createSSLException(Alert.java:131)
>     at sun.security.ssl.Alert.createSSLException(Alert.java:117)
>     at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
>     at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
>     at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
>     at sun.security.ssl.SSLTransport.decode(SSLTransport.java:156)
>     at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1197)
>     at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1106)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:398)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:370)
>     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167)
>     at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:691)
>     at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:665)
>     at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:659)
>     at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:653)
>     at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:638)
>     at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:632)
>     at org.apache.tomcat.util.net.TestClientCertTls13.testClientCertGet(TestClientCertTls13.java:45)

Also interesting. So it looks like TLSv1.3 without client certs works,
but the client-cert tests are failing?
> - RedHat JDK 1.8.0
>
> 8 errors in org.apache.tomcat.util.net.TestSSLHostConfigCompat
>
> Testcase: testHostECandRSAwithRSAClient[NIO-JSSE-KEYSTORE] took 2.878 sec
> Caused an ERROR
> DHPublicKey does not comply to algorithm constraints
> javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
>     at sun.security.ssl.DHCrypt.checkConstraints(DHCrypt.java:237)
>     at sun.security.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:774)
>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:287)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
>     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162)
>     at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:691)
>     at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:665)
>     at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:659)
>     at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:653)
>     at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:638)
>     at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:632)
>     at org.apache.tomcat.util.net.TestSSLHostConfigCompat.doTest(TestSSLHostConfigCompat.java:298)
>     at org.apache.tomcat.util.net.TestSSLHostConfigCompat.testHostECandRSAwithRSAClient(TestSSLHostConfigCompat.java:131)
>
> and similar errors in
>
> Testcase: testHostRSAandECwithRSAClient[NIO-JSSE-KEYSTORE] took 0.181 sec
> Testcase: testHostRSAwithRSAandECClient[NIO-JSSE-KEYSTORE] took 0.151 sec
> Testcase: testHostRSAwithRSAClient[NIO-JSSE-KEYSTORE] took 0.149 sec
> Testcase: testHostECandRSAwithRSAClient[NIO-JSSE-PEM] took 0.394 sec
> Testcase: testHostRSAandECwithRSAClient[NIO-JSSE-PEM] took 0.185 sec
> Testcase: testHostRSAwithRSAandECClient[NIO-JSSE-PEM] took 0.255 sec
> Testcase: testHostRSAwithRSAClient[NIO-JSSE-PEM] took 0.199 sec

I'm assuming that this is a spec-upgrade and we are just using smelly
certs in our tests. Does that sound about right?

> Furthermore the test with OpenSSL 1.1.1g plus patches showed one
> isolated JVM crash under Zulu with JDK 11 in
> org.apache.tomcat.util.net.TestSsl for NIO2:
>
> Executable: /usr/local/zulu_jdk11/bin/java
> Control Group: /
> Slice: -.slice
> Boot ID: 5b69924960db44f297aac21f912de346
> Machine ID: 11e20c69b48145c494c0005eb2e92d17
> Hostname: esb-rhel8-64
> Storage: /var/lib/systemd/coredump/core.java.1200.5b69924960db44f297aac21f912de346.8157.1596423433000000.lz4
>
> Message: Process 8157 (java) of user 1200 dumped core.
>
> Stack trace of thread 8162:
> #0  0x00007f2a39bfe93f raise (libc.so.6)
> #1  0x00007f2a39be8c95 abort (libc.so.6)
> #2  0x00007f2a39c41d57 __libc_message (libc.so.6)
> #3  0x00007f2a39c4868c malloc_printerr (libc.so.6)
> #4  0x00007f2a39c4a188 _int_free (libc.so.6)
> #5  0x00007f2a08b0d4f3 apr_allocator_destroy (libapr-1.so.0)
> #6  0x00007f2a08b0df60 apr_pool_terminate (libapr-1.so.0)
> #7  0x00007f2a1be0f1f0 n/a (n/a)
> #8  0x00007f2a1be00849 n/a (n/a)
> #9  0x00007f2a38faab42 _ZN9JavaCalls11call_helperEP9JavaValueRK12methodHandleP17JavaCallArgumentsP6Thread (libjvm.so)
> #10 0x00007f2a393b8de0 _ZL6invokeP13InstanceKlassRK12methodHandle6Handleb14objArrayHandle9BasicTypeS5_bP6Thread (libjvm.so)
> #11 0x00007f2a393b9bc3 _ZN10Reflection13invoke_methodEP7oopDesc6Handle14objArrayHandleP6Thread (libjvm.so)
> #12 0x00007f2a39058542 JVM_InvokeMethod (libjvm.so)
> #13 0x00007f2a239792b0 n/a (n/a)
> #14 0x00007f2a1c779a8c n/a (n/a)
>
> I ran the test with 2 threads in parallel. It looks like a possible
> thread safety issue (race condition) during shutdown. Seems not to be
> strictly reproducible.

Does higher concurrency improve the reliability of this failure?

> So far this means OpenSSL 3.0.0 looks good :)

That IS good news.

Thanks,
- -chris

> On 01.08.2020 at 19:12, Christopher Schultz wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Rainer,
>>
>> On 8/1/20 11:44, Rainer Jung wrote:
>>> Sorry, wrong dev list.
>>
>> I thought it was interesting anyway :)
>>
>> How about libtcnative built against OpenSSL 3.0.0?
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
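As an added example (not code from this thread, tcnative, or Tomcat), a small Python script that turns the two gcc warning formats Rainer posted into a per-symbol list of call sites, so the ENGINE_* uses that need an OpenSSL 3.0 replacement can be triaged in one pass. The sample lines are constructed from the warnings above.

```python
import re
from collections import defaultdict

# Both gcc formats seen in the tcnative build against OpenSSL 3.0.0alpha5:
#   file:line:col: warning: 'SYM' is deprecated [-Wdeprecated-declarations]
#   file:line: warning: 'SYM' is deprecated (declared at header:line)
WARNING_RE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+)(?::(?P<col>\d+))?: warning: "
    r"'(?P<symbol>\w+)' is deprecated"
    r"(?: \[-Wdeprecated-declarations\]| \(declared at (?P<header>[^:]+):(?P<hline>\d+)\))"
)

def parse_deprecations(log_lines):
    """Map each deprecated symbol to its sorted, de-duplicated call sites.

    Returns {symbol: {"sites": [(file, line), ...], "declared_at": "header:line" or None}}.
    gcc reports the same call site in both formats, so (file, line) pairs collapse to one.
    """
    result = defaultdict(lambda: {"sites": set(), "declared_at": None})
    for raw in log_lines:
        m = WARNING_RE.match(raw.strip())
        if not m:
            continue  # not a deprecation warning; ignore
        entry = result[m.group("symbol")]
        entry["sites"].add((m.group("file"), int(m.group("line"))))
        if m.group("header"):
            entry["declared_at"] = f"{m.group('header')}:{m.group('hline')}"
    return {
        sym: {"sites": sorted(v["sites"]), "declared_at": v["declared_at"]}
        for sym, v in sorted(result.items())
    }

def only_engine_api(report):
    """True when every deprecated symbol belongs to the ENGINE_* family."""
    return all(sym.startswith("ENGINE_") for sym in report)

# Constructed sample: a subset of the thread's warnings, in both formats.
SAMPLE_LOG = """\
src/ssl.c:422:5: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
src/ssl.c:424:9: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
src/ssl.c:425:13: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
src/ssl.c:809:13: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
src/ssl.c:422: warning: 'ENGINE_by_id' is deprecated (declared at /path/to/include/openssl/engine.h:327)
src/ssl.c:424: warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at /path/to/include/openssl/engine.h:462)
src/ssl.c:817: warning: 'ENGINE_set_default' is deprecated (declared at /path/to/include/openssl/engine.h:652)
""".splitlines()

if __name__ == "__main__":
    for sym, info in parse_deprecations(SAMPLE_LOG).items():
        sites = ", ".join(f"{f}:{l}" for f, l in info["sites"])
        print(f"{sym} (declared at {info['declared_at']}): {sites}")
```

Feed it the full build log (`make 2>&1 | python3 triage.py` after swapping SAMPLE_LOG for sys.stdin) to get one row per deprecated symbol.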