Hi Chris, hi all,

I can't currently analyze the few observed failures that also happen in 1.1.1 due to time constraints.

The patches for 1.1.1 I mentioned are just that I typically use a slightly newer version than the released one, because OpenSSL often accumulates quite a few patches before doing a release. Not saying this is good to do, it's just what is most easily available to me. In the case here it was 1.1.1g plus everything that was committed to the 1.1.1 branch until 2020-07-11. There's nothing specifically needed for tcnative.

I think the concept of ENGINE was mostly replaced by providers in OpenSSL 3.0.0. I haven't checked the details, but some info is available here

https://wiki.openssl.org/index.php/OpenSSL_3.0

and here

https://www.openssl.org/docs/OpenSSL300Design.html

I mostly wanted to provide a short notice that currently it seems we can support 3.0.0 once it gets a GA release with only very little effort, hopefully with our code as-is.

Best regards,

Rainer
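As an added example (not code from this thread, from tcnative or from OpenSSL), here is a small Python triage script that consolidates gcc's `-Wdeprecated-declarations` output, like the warnings quoted further down for the 3.0.0alpha5 build of src/ssl.c, into a per-symbol inventory of call sites; the sample lines are a constructed subset of those warnings, in both formats the compiler emitted.

```python
import re

# Constructed sample: a subset of the gcc warnings quoted in this thread for
# tcnative's src/ssl.c, in both formats the compiler emitted (mail wrapping undone).
SAMPLE_WARNINGS = """\
src/ssl.c:422:5: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
src/ssl.c:424:9: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
src/ssl.c:425:13: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
src/ssl.c:426:13: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
src/ssl.c:422: warning: 'ENGINE_by_id' is deprecated (declared at /path/to/include/openssl/engine.h:327)
src/ssl.c:424: warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at /path/to/include/openssl/engine.h:462)
src/ssl.c:425: warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at /path/to/include/openssl/engine.h:462)
src/ssl.c:809: warning: 'ENGINE_by_id' is deprecated (declared at /path/to/include/openssl/engine.h:327)
src/ssl.c:822: warning: 'ENGINE_free' is deprecated (declared at /path/to/include/openssl/engine.h:474)
"""

# file:line[:col]: warning: 'SYM' is deprecated [(declared at HEADER:LINE)]
WARN_RE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+)(?::\d+)?: warning: "
    r"'(?P<sym>\w+)' is deprecated(?: \(declared at (?P<decl>[^)]+)\))?"
)


def deprecation_inventory(text):
    """Return {symbol: {"sites": [(file, line), ...], "declared_at": str|None}}.
    Both gcc formats are merged, and a call site reported twice (once per
    format) counts once, so the numbers reflect code to change, not warnings."""
    inv = {}
    for raw in text.splitlines():
        m = WARN_RE.match(raw.strip())
        if not m:
            continue  # unrelated compiler output
        entry = inv.setdefault(m["sym"], {"sites": set(), "declared_at": None})
        entry["sites"].add((m["file"], int(m["line"])))
        if m["decl"]:
            entry["declared_at"] = m["decl"]
    return {sym: {"sites": sorted(e["sites"]), "declared_at": e["declared_at"]}
            for sym, e in inv.items()}


def summarize(inv):
    """One line per deprecated API, most call sites first, to size the
    ENGINE-to-provider migration work per function."""
    rows = sorted(inv.items(), key=lambda kv: (-len(kv[1]["sites"]), kv[0]))
    return [f"{sym}: {len(e['sites'])} call site(s): "
            + ", ".join(f"{f}:{n}" for f, n in e["sites"])
            + (f" (declared at {e['declared_at']})" if e["declared_at"] else "")
            for sym, e in rows]
```

Feeding the full build log through `deprecation_inventory` instead of the sample gives the complete list of ENGINE_* APIs tcnative still calls, which is the starting point for deciding what a provider-based replacement has to cover.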

On 03.08.2020 at 18:26, Christopher Schultz wrote:

Rainer,

On 8/3/20 07:03, Rainer Jung wrote:
Hi Chris, hi all,

I ran build and tests for TC 10.0.0-M7 plus tcnative 1.2.24 and
compared them between OpenSSL 3.0.0alpha5 and 1.1.1g plus patches.
APR was always 1.7.0.

Thanks for trying this out. What is "OpenSSL 1.1.1 + patches?" Which
patches are you applying?

- build warnings for tcnative using OpenSSL 3.0.0alpha5:

src/ssl.c:422:5: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
src/ssl.c:424:9: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
src/ssl.c:425:13: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
src/ssl.c:426:13: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
src/ssl.c:806:13: warning: 'ENGINE_register_all_complete' is deprecated [-Wdeprecated-declarations]
src/ssl.c:809:13: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
src/ssl.c:815:21: warning: 'ENGINE_ctrl' is deprecated [-Wdeprecated-declarations]
src/ssl.c:817:17: warning: 'ENGINE_set_default' is deprecated [-Wdeprecated-declarations]
src/ssl.c:822:17: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
src/ssl.c:422: warning: 'ENGINE_by_id' is deprecated (declared at /path/to/include/openssl/engine.h:327)
src/ssl.c:424: warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at /path/to/include/openssl/engine.h:462)
src/ssl.c:425: warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at /path/to/include/openssl/engine.h:462)
src/ssl.c:426: warning: 'ENGINE_free' is deprecated (declared at /path/to/include/openssl/engine.h:474)
src/ssl.c:806: warning: 'ENGINE_register_all_complete' is deprecated (declared at /path/to/include/openssl/engine.h:407)
src/ssl.c:809: warning: 'ENGINE_by_id' is deprecated (declared at /path/to/include/openssl/engine.h:327)
src/ssl.c:815: warning: 'ENGINE_ctrl' is deprecated (declared at /path/to/include/openssl/engine.h:419)
src/ssl.c:817: warning: 'ENGINE_set_default' is deprecated (declared at /path/to/include/openssl/engine.h:652)
src/ssl.c:822: warning: 'ENGINE_free' is deprecated (declared at /path/to/include/openssl/engine.h:474)

I spot-checked ENGINE_ctrl_cmd_string and I can't seem to find any
indication of what replacement exists for this function. It seems that
a huge number of functions have been deprecated in 3.0.x with very
little explanation for how to update client code to be 3.0-compliant.

- test results:

Only tested NIO and NIO2 connectors (couldn't easily do it for APR
for local reasons independent of OpenSSL).

The tests have been run on RedHat Enterprise Linux 8 using the
following JVMs:

- OpenJDK 1.8.0_262-b10
- OpenJDK 11.0.8+10
- OpenJDK 14.0.2+12-46
- OpenJDK 15-ea+31-1502
- Adopt OpenJDK 1.8.0_262-b10
- Adopt OpenJDK 11.0.8+10
- Adopt OpenJDK 14.0.2+12
- RedHat OpenJDK 1.8.0_201-b09
- RedHat OpenJDK 11.0.2+7-LTS
- Azul Zulu 1.8.0_262-b18
- Azul Zulu 11.0.8+10-LTS
- Azul 14.0.2+12

All tests succeed with the following exceptions. These do not
differ between OpenSSL 1.1.1g plus patches and 3.0.0alpha5:

- Zulu JDK 1.8.0

2 errors for NIO and NIO2 in
org.apache.tomcat.util.net.TestClientCertTls13:

Testcase: testClientCertPost took 2.327 sec
Caused an ERROR
Received fatal alert: protocol_version
javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
    at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:156)
    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1197)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1106)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:398)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:370)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167)
    at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:789)
    at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:755)
    at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:729)
    at org.apache.tomcat.util.net.TestClientCertTls13.testClientCertPost(TestClientCertTls13.java:61)

Interesting.

Testcase: testClientCertGet took 0.169 sec
Caused an ERROR Received fatal alert: protocol_version
javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
    at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:156)
    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1197)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1106)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:398)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:370)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167)
    at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:691)
    at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:665)
    at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:659)
    at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:653)
    at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:638)
    at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:632)
    at org.apache.tomcat.util.net.TestClientCertTls13.testClientCertGet(TestClientCertTls13.java:45)

Also interesting.

So it looks like TLSv1.3 without client certs works, but the
client-cert tests are failing?

- RedHat JDK 1.8.0

8 errors in org.apache.tomcat.util.net.TestSSLHostConfigCompat

Testcase: testHostECandRSAwithRSAClient[NIO-JSSE-KEYSTORE] took 2.878 sec
Caused an ERROR
DHPublicKey does not comply to algorithm constraints
javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
    at sun.security.ssl.DHCrypt.checkConstraints(DHCrypt.java:237)
    at sun.security.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:774)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:287)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162)
    at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:691)
    at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:665)
    at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:659)
    at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:653)
    at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:638)
    at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:632)
    at org.apache.tomcat.util.net.TestSSLHostConfigCompat.doTest(TestSSLHostConfigCompat.java:298)
    at org.apache.tomcat.util.net.TestSSLHostConfigCompat.testHostECandRSAwithRSAClient(TestSSLHostConfigCompat.java:131)

and similar errors in

Testcase: testHostRSAandECwithRSAClient[NIO-JSSE-KEYSTORE] took 0.181 sec
Testcase: testHostRSAwithRSAandECClient[NIO-JSSE-KEYSTORE] took 0.151 sec
Testcase: testHostRSAwithRSAClient[NIO-JSSE-KEYSTORE] took 0.149 sec
Testcase: testHostECandRSAwithRSAClient[NIO-JSSE-PEM] took 0.394 sec
Testcase: testHostRSAandECwithRSAClient[NIO-JSSE-PEM] took 0.185 sec
Testcase: testHostRSAwithRSAandECClient[NIO-JSSE-PEM] took 0.255 sec
Testcase: testHostRSAwithRSAClient[NIO-JSSE-PEM] took 0.199 sec

I'm assuming that this is a spec-upgrade and we are just using smelly
certs in our tests. Does that sound about right?


Furthermore the test with OpenSSL 1.1.1g plus patches showed one
isolated JVM crash under Zulu with JDK 11 in
org.apache.tomcat.util.net.TestSsl for NIO2:

Executable: /usr/local/zulu_jdk11/bin/java
Control Group: /
Slice: -.slice
Boot ID: 5b69924960db44f297aac21f912de346
Machine ID: 11e20c69b48145c494c0005eb2e92d17
Hostname: esb-rhel8-64
Storage: /var/lib/systemd/coredump/core.java.1200.5b69924960db44f297aac21f912de346.8157.1596423433000000.lz4
Message: Process 8157 (java) of user 1200 dumped core.

Stack trace of thread 8162:
#0  0x00007f2a39bfe93f raise (libc.so.6)
#1  0x00007f2a39be8c95 abort (libc.so.6)
#2  0x00007f2a39c41d57 __libc_message (libc.so.6)
#3  0x00007f2a39c4868c malloc_printerr (libc.so.6)
#4  0x00007f2a39c4a188 _int_free (libc.so.6)
#5  0x00007f2a08b0d4f3 apr_allocator_destroy (libapr-1.so.0)
#6  0x00007f2a08b0df60 apr_pool_terminate (libapr-1.so.0)
#7  0x00007f2a1be0f1f0 n/a (n/a)
#8  0x00007f2a1be00849 n/a (n/a)
#9  0x00007f2a38faab42 _ZN9JavaCalls11call_helperEP9JavaValueRK12methodHandleP17JavaCallArgumentsP6Thread (libjvm.so)
#10 0x00007f2a393b8de0 _ZL6invokeP13InstanceKlassRK12methodHandle6Handleb14objArrayHandle9BasicTypeS5_bP6Thread (libjvm.so)
#11 0x00007f2a393b9bc3 _ZN10Reflection13invoke_methodEP7oopDesc6Handle14objArrayHandleP6Thread (libjvm.so)
#12 0x00007f2a39058542 JVM_InvokeMethod (libjvm.so)
#13 0x00007f2a239792b0 n/a (n/a)
#14 0x00007f2a1c779a8c n/a (n/a)

I ran the test with 2 threads in parallel. It looks like a
possible thread safety issue (race condition) during shutdown.
Seems not to be strictly reproducible.

Does higher concurrency improve the reliability of this failure?

So far this means OpenSSL 3.0.0 looks good :)

That IS good news.

Thanks,
-chris


On 01.08.2020 at 19:12, Christopher Schultz wrote:

Rainer,

On 8/1/20 11:44, Rainer Jung wrote:
Sorry, wrong dev list.

I thought it was interesting anyway :)

How about libtcnative built against OpenSSL 3.0.0?
