On my local tests I usually don't get the error because I am using jdk11 and unlimited strength cryptography is enabled by default https://www.oracle.com/technetwork/java/javase/documentation/jdk11-readme-5097204.html#jce
In production it depends on the configuration of SSL, if you require strong ciphers/big keys you will have problems, but the server won't start so you will soon find the problem. I think this is not a real issue (for production I mean).

I see these ways:
1) adapt the tests in order to make default jdk8 happy
2) tweak the tests enabling "unlimited strength cryptography" using reflection
3) just write a line in documentation that says that in order to make tests pass you have to enable the flag

That flag is deprecated and enabled by default in modern JREs, so I would go for 2) or 3)

I guess that on ASF Jenkins if the JDK8 we are using has the flag turned on

Enrico

On Sat, 27 Apr 2019 at 17:48, Andor Molnar <an...@apache.org> wrote:
>
> I’m running the tests fine without setting the policy to unlimited:
>
> java version "1.8.0_161"
> Java(TM) SE Runtime Environment (build 1.8.0_161-b12)
> Java HotSpot(TM) 64-Bit Server VM (build 25.161-b12, mixed mode)
>
> Have you tried to run it with a more recent version of Java?
>
> Andor
>
>
> > On 2019. Apr 27., at 17:33, Andor Molnar <an...@apache.org> wrote:
> >
> > Good catch, thanks Flavio for reporting this. We need to double check the
> > tests with Ilya I believe.
> >
> > Having test failures means that you were actually able to _build_ ZooKeeper
> > successfully without changing the crypto policy setting. Have you tried to
> > start an ensemble with Quorum TLS by any chance? That would add some more
> > color to this issue.
> >
> > This might be just a testing issue.
> >
> > Regards,
> > Andor
> >
> >
> >> On 2019. Apr 27., at 16:09, Flavio Junqueira <f...@apache.org> wrote:
> >>
> >> Hi Enrico,
> >>
> >> Here is the info you are requesting:
> >>
> >> *Java version*
> >>
> >> $ java -version
> >> java version "1.8.0_152"
> >> Java(TM) SE Runtime Environment (build 1.8.0_152-b16)
> >> Java HotSpot(TM) 64-Bit Server VM (build 25.152-b16, mixed mode)
> >>
> >> *Test case errors*
> >>
> >> I won’t post all of them, I get a good number of errors:
> >>
> >> ================================
> >> [ERROR] Tests run: 64, Failures: 0, Errors: 16, Skipped: 0, Time elapsed:
> >> 9.21 s <<< FAILURE! - in org.apache.zookeeper.util.PemReaderTest
> >> [ERROR]
> >> testLoadCertificateFromKeyStore[1](org.apache.zookeeper.util.PemReaderTest)
> >> Time elapsed: 1.593 s <<< ERROR!
> >> java.io.IOException: org.bouncycastle.operator.OperatorCreationException:
> >> Illegal key size or default parameters
> >> at
> >> org.apache.zookeeper.util.PemReaderTest.testLoadCertificateFromKeyStore(PemReaderTest.java:125)
> >> Caused by: org.bouncycastle.operator.OperatorCreationException: Illegal
> >> key size or default parameters
> >> at
> >> org.apache.zookeeper.util.PemReaderTest.testLoadCertificateFromKeyStore(PemReaderTest.java:125)
> >> Caused by: java.security.InvalidKeyException: Illegal key size or default
> >> parameters
> >> at
> >> org.apache.zookeeper.util.PemReaderTest.testLoadCertificateFromKeyStore(PemReaderTest.java:125)
> >>
> >> [ERROR]
> >> testLoadEncryptedPrivateKeyFromKeyStoreWithWrongPassword[1](org.apache.zookeeper.util.PemReaderTest)
> >> Time elapsed: 0.004 s <<< ERROR!
> >> java.lang.Exception: Unexpected exception,
> >> expected<java.security.GeneralSecurityException> but
> >> was<java.io.IOException>
> >> at
> >> org.apache.zookeeper.util.PemReaderTest.testLoadEncryptedPrivateKeyFromKeyStoreWithWrongPassword(PemReaderTest.java:93)
> >> Caused by: org.bouncycastle.operator.OperatorCreationException: Illegal
> >> key size or default parameters
> >> at
> >> org.apache.zookeeper.util.PemReaderTest.testLoadEncryptedPrivateKeyFromKeyStoreWithWrongPassword(PemReaderTest.java:93)
> >> Caused by: java.security.InvalidKeyException: Illegal key size or default
> >> parameters
> >> at
> >> org.apache.zookeeper.util.PemReaderTest.testLoadEncryptedPrivateKeyFromKeyStoreWithWrongPassword(PemReaderTest.java:93)
> >> ...
> >> ================================
> >>
> >>
> >> *Crypto policy*
> >> If I uncomment this configuration option:
> >>
> >> # Please see the JCA documentation for additional information on these
> >> # files and formats.
> >> # crypto.policy=unlimited
> >>
> >> in:
> >>
> >> $JAVA_HOME/jre/lib/security/java.security
> >>
> >> then it all works and I get no error at all. This option controls
> >> cryptographic strengths according to the documentation, and is present
> >> because of crypto regulations in different countries.
> >>
> >> Thanks,
> >> -Flavio
> >>
> >>> On 27 Apr 2019, at 15:52, Enrico Olivelli <eolive...@gmail.com> wrote:
> >>>
> >>> On Sat, 27 Apr 2019, 14:18 Flavio Junqueira <f...@apache.org> wrote:
> >>>
> >>>> I have a clarification question about the RC. To build the RC, I had to
> >>>> enable crypto.policy unlimited in the jre (I'm using build
> >>>> 1.8.0_152-b16).
> >>>
> >>>
> >>> Flavio
> >>> What do you mean by 'build'?
> >>> Make tests pass?
> >>> AFAIK we are not using tweaked jdks in CI builds, so in theory there is no
> >>> need.
> >>>
> >>> Can you please share your error?
> >>>
> >>> Enrico
> >>>
> >>>
> >>> I'm wondering if this is going to be an issue for some users as this
> >>> option
> >>>> is related to import/export regulation. Has anyone looked into it and
> >>>> could
> >>>> clarify it to me, please?
> >>>>
> >>>> Thanks,
> >>>> -Flavio
> >>>>
> >>>>
> >>>>> On 25 Apr 2019, at 15:10, Andor Molnar <an...@apache.org> wrote:
> >>>>>
> >>>>> This is the first stable release of 3.5 branch: 3.5.5. It resolves 117
> >>>> issues, including Maven migration, Quorum TLS, TTL nodes and lots of
> >>>> other
> >>>> performance and stability improvements.
> >>>>>
> >>>>> The full release notes are available at:
> >>>>>
> >>>>>
> >>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12343268
> >>>>>
> >>>>> *** Please download, test and vote by May 3rd 2019, 23:59 UTC+0. ***
> >>>>>
> >>>>> Source files:
> >>>>> https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.5.5-rc5/
> >>>>>
> >>>>> Maven staging repos:
> >>>>>
> >>>> https://repository.apache.org/content/groups/staging/org/apache/zookeeper/parent/3.5.5/
> >>>>>
> >>>> https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper-jute/3.5.5/
> >>>>>
> >>>> https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper/3.5.5/
> >>>>>
> >>>>> The release candidate tag in git to be voted upon: release-3.5.5-rc5
> >>>>>
> >>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> >>>>> http://www.apache.org/dist/zookeeper/KEYS
> >>>>>
> >>>>> Should we release this candidate?
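
A quick way to see which JCE policy a given JVM is actually running with, and to reproduce the `InvalidKeyException` from the traces above outside the test suite. This is an added example, not ZooKeeper code and not part of the thread; the class name `CryptoPolicyCheck` and its `unlimited` argument are made up for illustration.

```java
import java.security.InvalidKeyException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added example (hypothetical class): reports the JCE policy in effect on this JVM.
public class CryptoPolicyCheck {

    // Integer.MAX_VALUE means the unlimited policy is active;
    // the limited policy caps AES at 128 bits.
    static int maxAesKeyBits() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    // Attempts what fails in the thread's stack traces: initialising a cipher
    // with a key larger than the installed policy allows.
    static boolean aes256Usable() throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        // Constructed all-zero 256-bit key, used only to probe the policy.
        SecretKeySpec key = new SecretKeySpec(new byte[32], "AES");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key);
            return true;
        } catch (InvalidKeyException e) {
            System.out.println("init failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Per-JVM equivalent of uncommenting crypto.policy=unlimited in
        // java.security. It has to run before the first javax.crypto call,
        // and the property is only honoured by JDK 8u151 and later.
        if (args.length > 0 && "unlimited".equals(args[0])) {
            Security.setProperty("crypto.policy", "unlimited");
        }
        System.out.println("java.version  = " + System.getProperty("java.version"));
        System.out.println("crypto.policy = " + Security.getProperty("crypto.policy"));
        System.out.println("max AES bits  = " + maxAesKeyBits());
        System.out.println("AES-256 init  = "
                + (aes256Usable() ? "ok" : "rejected by policy"));
    }
}
```

Run it once with no argument and once with `unlimited` on the JDK that runs the tests; a `max AES bits` value of 128 on the first run means that JVM is on the limited policy.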