cloudstack-dev mailing list archives

From Laszlo Hornyak <laszlo.horn...@gmail.com>
Subject Re: SSL and JCE
Date Tue, 12 Nov 2013 21:02:34 GMT
OpenJDK 6: working ok
OpenJDK 7: working ok
Oracle JDK 6: JCE install required
Oracle JDK 7: ?  - did those jce policy files work for anyone in oracle jdk
1.7?

I believe it is not really user-friendly, but acceptable both from legal
(not a lawyer) and usability perspective if we tell the system
administrator that if he/she is using Oracle JDK AND wants to use encryption
with more than X (128 afaik - not much) bit encryption, then it will
require the Oracle JCE policies installed in the JDK. It is true that JCE
policies are not redistributable, but the same is true for Oracle JDK.
These are not distributed with ACS and are part of the java runtime
environment.
Anyway, this should be clearly documented in the product documentation.

Tests: I am just testing a patch that detects the JDK vendor as much as
possible and it skips the tests if the environment is not OpenJDK. It can
be overridden by build parameters. I will need some feedback on this since
I do not have all java versions on my laptop and I could not test with all
possible scenarios.

Thank you,
Laszlo

On Tue, Nov 12, 2013 at 3:17 PM, Chip Childers <chipchilders@apache.org> wrote:

> IMO - having this as a requirement for a build is a bit of an issue.
> First, we can't distribute it (obviously).  Second, it's a bit of an
> esoteric requirement if you are using a JDK that doesn't include it
> automatically.  This will lead to confusion.
>
> Is there a way that we can re-work the tests to accomplish a similar (or
> close-enough) goal without this added dependency?
>
> -chip
>
> On Tue, Nov 12, 2013 at 08:23:10AM +0100, Laszlo Hornyak wrote:
> > It seems OpenJDK 6 and 7 are ok. Oracle jdk 6 needs JCE, oracle jdk 7 may
> > need another extension (the JCE for jdk6 did not work for me).
> > I would recommend that we @Ignore the failing tests, add some assumption
> > or move them to a special test group which is not executed by default.
> >
> >
> > On Tue, Nov 12, 2013 at 7:28 AM, Koushik Das <koushik.das@citrix.com> wrote:
> >
> > > The following tests are failing in my environment even with the JCE
> > > extensions.
> > >
> > >         /* Test7: If no chain is given, the certificate should be
> > >            self signed. Else, upload should fail */
> > >         runUploadSslCertNoChain();
> > >
> > >         /* Test8: Chain is given but does not have root certificate */
> > >         runUploadSslCertNoRootCert();
> > >
> > >         /* Test9: The chain given is not the correct chain for the
> > >            certificate */
> > >         runUploadSslCertBadChain();
> > >
> > >         /* Test12: Given a certificate signed by a CA and a valid CA
> > >            chain, upload should succeed */
> > >         runUploadSslCertWithCAChain();
> > >
> > >
> > >
> > >
> > > On 12-Nov-2013, at 11:35 AM, Koushik Das <koushik.das@citrix.com> wrote:
> > >
> > > > I see the JCE extensions in jdk 1.7 as well. They are present under
> > > > <java_home>/jre/lib/security. But still I see a test failure. Is there
> > > > any other configuration that is required?
> > > >
> > > > Running org.apache.cloudstack.network.lb.CertServiceTest
> > > > Tests run: 2, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 1.456 sec <<< FAILURE!
> > > >
> > > > -Koushik
> > > >
> > > > On 12-Nov-2013, at 11:19 AM, Prasanna Santhanam <tsp@apache.org>
> > > > wrote:
> > > >
> > > >> My MacOSX 1.6 jdk seems to have the crypto extensions jce builtin and
> > > >> the build+test works. JDK 1.7 install does not have them though.
> > > >>
> > > >> The JCE kit seems to carry a BCL which is not ASF friendly [1]. But
> > > >> this being part of the Java install and not the project it should be
> > > >> okay IMO if we note it in our wiki on building the project.
> > > >>
> > > >> As for legal aspects - I found this which might be of some relevance.
> > > >> http://markmail.org/message/evtkc656gewrkruf
> > > >>
> > > >> [1] http://www.apache.org/legal/3party.html#transition-examples
> > > >>
> > > >> On Mon, Nov 11, 2013 at 10:45:12PM +0100, Laszlo Hornyak wrote:
> > > >>> Hi,
> > > >>>
> > > >>> That is a good question, I do not know for sure, but this package
> > > >>> needs to be signed by oracle, it is not redistributable and has
> > > >>> territorial import restrictions, so it could be problematic :-( I hope
> > > >>> it is not. Guys, can someone help us here?
> > > >>>
> > > >>>
> > > >>> On Mon, Nov 11, 2013 at 10:21 PM, Syed Ahmed <sahmed@cloudops.com> wrote:
> > > >>>
> > > >>>> Hi Laszlo,
> > > >>>>
> > > >>>> The CertService uses BouncyCastle for certificate parsing and
> > > >>>> validation. The JCE extension provides the API for using BouncyCastle
> > > >>>> as the provider. So, JCE is required. I know that BouncyCastle is
> > > >>>> added in CS. Would it be possible to add JCE as a dependency too?
> > > >>>>
> > > >>>> Thanks,
> > > >>>> -Syed
> > > >>>>
> > > >>>>
> > > >>>> On 13-11-10 09:55 AM, Laszlo Hornyak wrote:
> > > >>>>
> > > >>>>> Hi Sahmed and list,
> > > >>>>>
> > > >>>>> I ran into some failing tests this weekend related to the patch
> > > >>>>> 0076307863e9155273d9e4c14282de429388c9e9 apparently jenkins fails for
> > > >>>>> the same reason. I did a short investigation and it turned out that in
> > > >>>>> order to run the tests correctly, one has to download the sun jce
> > > >>>>> policy files and put it in the jdk replacing the original policies.
> > > >>>>>
> > > >>>>> Questions:
> > > >>>>> - Is there a more convenient deployment process? :-) It would be very
> > > >>>>> useful for the jenkins environment as well.
> > > >>>>> - I gave it a try and patched the oracle jdk 1.7 with the same plugin,
> > > >>>>> it did not work. Do you know a way to make it work again with jdk 1.7?
> > > >>>>>
> > > >>>>> Thank you,
> > > >>>>> Laszlo
> > > >>>>>
> > > >>>>> --
> > > >>>>>
> > > >>>>> EOF
> > > >>>>>
> > > >>>>
> > > >>>>
> > > >>>
> > > >>>
> > > >>> --
> > > >>>
> > > >>> EOF
> > > >>
> > > >> --
> > > >> Prasanna.,
> > > >>
> > > >> ------------------------
> > > >> Powered by BigRock.com
> > > >>
> > > >
> > >
> > >
> >
> >
> > --
> >
> > EOF
>



-- 

EOF
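
Added example, not part of the thread and not the patch Laszlo mentions: instead of inferring the policy from the JDK vendor, a test guard can ask the running JVM which key lengths its installed jurisdiction policy permits. The class name and the `crypto.tests.force` override property are hypothetical, and the 128-bit threshold follows the figure given in the top message.

```java
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;

/** Added example: probes the JVM's JCE jurisdiction policy for use as a test guard. */
public class JcePolicyProbe {

    // Hypothetical build-time override (not a CloudStack property):
    //   mvn test -Dcrypto.tests.force=true
    static final String FORCE_PROPERTY = "crypto.tests.force";

    /** Largest AES key size the installed policy allows; Integer.MAX_VALUE means unlimited. */
    static int maxAesKeyBits() {
        try {
            return Cipher.getMaxAllowedKeyLength("AES");
        } catch (NoSuchAlgorithmException e) {
            return 0; // no provider offers AES in this runtime
        }
    }

    /** True when keys longer than the 128-bit limited-policy ceiling are permitted. */
    static boolean strongCryptoAllowed() {
        return maxAesKeyBits() > 128;
    }

    /** Run the policy-dependent tests if the policy allows it or the build forces it. */
    static boolean shouldRunStrongCryptoTests() {
        return Boolean.getBoolean(FORCE_PROPERTY) || strongCryptoAllowed();
    }

    /** One line for the build log, so a skipped test can be traced to the runtime. */
    static String describeRuntime() {
        int bits = maxAesKeyBits();
        return String.format("vendor=%s vm=%s version=%s maxAES=%s",
                System.getProperty("java.vendor"),
                System.getProperty("java.vm.name"),
                System.getProperty("java.version"),
                bits == Integer.MAX_VALUE ? "unlimited" : String.valueOf(bits));
    }

    public static void main(String[] args) {
        System.out.println(describeRuntime());
        System.out.println(shouldRunStrongCryptoTests()
                ? "policy-dependent tests: run"
                : "policy-dependent tests: skip (limited JCE policy installed)");
        // In a JUnit 4 test class the same guard would be a @BeforeClass method calling
        //   org.junit.Assume.assumeTrue(JcePolicyProbe.shouldRunStrongCryptoTests());
        // which reports the tests as skipped rather than failed.
    }
}
```

Probing the policy directly also covers the case raised in the thread where policy files are present under `<java_home>/jre/lib/security` but are not the ones matching that JDK version.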
