From: Andor Molnar
To: DevZooKeeper
Subject: Re: Crypto Policy (was: Re: [VOTE] Apache ZooKeeper release 3.5.5 candidate 5)
Date: Sat, 27 Apr 2019 17:33:42 +0200

Good catch, thanks Flavio for reporting this. We need to double check the tests with Ilya I believe.

Having test failures means that you were actually able to _build_ ZooKeeper successfully without changing the crypto policy setting. Have you tried to start an ensemble with Quorum TLS by any chance? That would add some more color to this issue.

This might be just a testing issue.

Regards,
Andor

> On 2019. Apr 27., at 16:09, Flavio Junqueira wrote:
>
> Hi Enrico,
>
> Here is the info you are requesting:
>
> *Java version*
>
> $ java -version
> java version "1.8.0_152"
> Java(TM) SE Runtime Environment (build 1.8.0_152-b16)
> Java HotSpot(TM) 64-Bit Server VM (build 25.152-b16, mixed mode)
>
> *Test case errors*
>
> I won’t post all of them, I get a good number of errors:
>
> ================================
> [ERROR] Tests run: 64, Failures: 0, Errors: 16, Skipped: 0, Time elapsed: 9.21 s <<< FAILURE! - in org.apache.zookeeper.util.PemReaderTest
> [ERROR] testLoadCertificateFromKeyStore[1](org.apache.zookeeper.util.PemReaderTest) Time elapsed: 1.593 s <<< ERROR!
> java.io.IOException: org.bouncycastle.operator.OperatorCreationException: Illegal key size or default parameters
>     at org.apache.zookeeper.util.PemReaderTest.testLoadCertificateFromKeyStore(PemReaderTest.java:125)
> Caused by: org.bouncycastle.operator.OperatorCreationException: Illegal key size or default parameters
>     at org.apache.zookeeper.util.PemReaderTest.testLoadCertificateFromKeyStore(PemReaderTest.java:125)
> Caused by: java.security.InvalidKeyException: Illegal key size or default parameters
>     at org.apache.zookeeper.util.PemReaderTest.testLoadCertificateFromKeyStore(PemReaderTest.java:125)
>
> [ERROR] testLoadEncryptedPrivateKeyFromKeyStoreWithWrongPassword[1](org.apache.zookeeper.util.PemReaderTest) Time elapsed: 0.004 s <<< ERROR!
> java.lang.Exception: Unexpected exception, expected but was
>     at org.apache.zookeeper.util.PemReaderTest.testLoadEncryptedPrivateKeyFromKeyStoreWithWrongPassword(PemReaderTest.java:93)
> Caused by: org.bouncycastle.operator.OperatorCreationException: Illegal key size or default parameters
>     at org.apache.zookeeper.util.PemReaderTest.testLoadEncryptedPrivateKeyFromKeyStoreWithWrongPassword(PemReaderTest.java:93)
> Caused by: java.security.InvalidKeyException: Illegal key size or default parameters
>     at org.apache.zookeeper.util.PemReaderTest.testLoadEncryptedPrivateKeyFromKeyStoreWithWrongPassword(PemReaderTest.java:93)
> ...
> ================================
>
> *Crypto policy*
> If I uncomment this configuration option:
>
> # Please see the JCA documentation for additional information on these
> # files and formats.
> # crypto.policy=unlimited
>
> in:
>
> $JAVA_HOME/jre/lib/security/java.security
>
> then it all works and I get no error at all. This option controls cryptographic strengths according to the documentation, and is present because of crypto regulations in different countries.
>
> Thanks,
> -Flavio
>
>> On 27 Apr 2019, at 15:52, Enrico Olivelli wrote:
>>
>> On Sat, 27 Apr 2019, 14:18 Flavio Junqueira wrote:
>>
>>> I have a clarification question about the RC. To build the RC, I had to
>>> enable crypto.policy unlimited in the jre (I'm using build 1.8.0_152-b16).
>>
>> Flavio
>> What do you mean by 'build'?
>> Make tests pass?
>> AFAIK we are not using tweaked jdks in CI builds, so in theory there is no
>> need.
>>
>> Can you please share your error?
>>
>> Enrico
>>
>>> I'm wondering if this is going to be an issue for some users as this option
>>> is related to import/export regulation. Has anyone looked into it and could
>>> clarify it to me, please?
>>>
>>> Thanks,
>>> -Flavio
>>>
>>>> On 25 Apr 2019, at 15:10, Andor Molnar wrote:
>>>>
>>>> This is the first stable release of 3.5 branch: 3.5.5. It resolves 117
>>>> issues, including Maven migration, Quorum TLS, TTL nodes and lots of other
>>>> performance and stability improvements.
>>>>
>>>> The full release notes are available at:
>>>>
>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12343268
>>>>
>>>> *** Please download, test and vote by May 3rd 2019, 23:59 UTC+0. ***
>>>>
>>>> Source files:
>>>> https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.5.5-rc5/
>>>>
>>>> Maven staging repos:
>>>>
>>>> https://repository.apache.org/content/groups/staging/org/apache/zookeeper/parent/3.5.5/
>>>>
>>>> https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper-jute/3.5.5/
>>>>
>>>> https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper/3.5.5/
>>>>
>>>> The release candidate tag in git to be voted upon: release-3.5.5-rc5
>>>>
>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
>>>> http://www.apache.org/dist/zookeeper/KEYS
>>>>
>>>> Should we release this candidate?
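
Added example (not part of the thread and not ZooKeeper project code): a standalone Java preflight check for the condition discussed above. It reports the crypto.policy security property and the JRE's maximum allowed AES key length, then tries to initialise AES with a 256-bit key to see whether the JRE raises the same InvalidKeyException message that appears in the stack traces. The class name CryptoPolicyCheck and the all-zero test key are made up for illustration.

```java
import java.security.InvalidKeyException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/** Illustrative preflight check; class and method names are hypothetical. */
public class CryptoPolicyCheck {

    /** True when the active jurisdiction policy permits AES keys of 256 bits or more. */
    static boolean allowsAes256() throws Exception {
        // Returns Integer.MAX_VALUE when the unlimited policy is in effect.
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    /** Tries AES with a 256-bit key. Returns null on success, else the JCE error message. */
    static String probeAes256() throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            // All-zero key: constructed test value, only the key length matters here.
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[32], "AES"));
            return null;
        } catch (InvalidKeyException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version       = " + System.getProperty("java.version"));
        // null means the property is unset (for example, still commented out in java.security).
        System.out.println("crypto.policy      = " + Security.getProperty("crypto.policy"));
        System.out.println("max AES key length = " + Cipher.getMaxAllowedKeyLength("AES"));

        String error = probeAes256();
        if (error == null && allowsAes256()) {
            System.out.println("AES-256 init       = OK");
        } else {
            System.out.println("AES-256 init       = FAILED: " + error);
            System.out.println("Check crypto.policy in $JAVA_HOME/jre/lib/security/java.security");
        }
        // Non-zero exit lets a build or deployment script stop before tests or TLS setup run.
        System.exit(error == null ? 0 : 1);
    }
}
```

Run it with the same JRE that runs the tests or the ZooKeeper server, since the policy setting is per JRE installation.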