tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igal Sapir <isa...@apache.org>
Subject Re: SSL Unit Tests Failing
Date Thu, 04 Oct 2018 21:21:16 GMT
On 10/3/2018 2:29 AM, Mark Thomas wrote:
> On 02/10/18 20:40, Igal Sapir wrote:
>>> On 02/10/18 06:58, Igal Sapir wrote:
>>>> When trying to run the unit test cases with `ant clean test` on the
>>>> current
>>>> trunk [1] I am getting two (per connector) failures:
>>>>
>>>>       org.apache.tomcat.util.net.openssl.ciphers.TestCipher FAILED [2]
>>>>
>>>> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser
>>>>
>>>> FAILED [3]
>>>>
>>>> <snip/>
>>> These tests are all particularly sensitive to the versions of OpenSSL,
>>> Java and the implementation of Java used.
>>>
>>> Generally, those tests are there to ensure that the code that translates
>>> between JSSE cipher definitions and OpenSSL definitions is correct.
>>>
>>> If you see a failure it may indicate that:
>>>
>>> - the test has a bug
>>>
>>> - you are running with an older version of OpenSSL that behaves
>>>     differently from the latest version (we try and keep pace with the
>>>     latest)
>>>
>>> - OpenSSL has changed behaviour and we need to update our translation
>>>     code to align with it (unusual)
>>>
>>> - OpenSSL has changed behaviour and we need to update our tests to align
>>>     with it (most frequent).
>> Thank you both for the detailed explanation.  I suspected that I should
>> had added the OpenSSL version to the OP.  On that Fedora machine I have
>> OpenSSL 1.1.0i-fips 14 Aug 2018
>>
>> I tried the same tests on a Windows 10 machine.  Below are some
>> discrepancies/peculiarities that I've noticed (I'd be happy to improve
>> the test cases if possible):
> I noticed some errors on Gump overnight so this morning I have build
> OpenSSL 1.0.2, 1.1.0, 1.1.1 and master locally and tested them against
> 8.5.x and 9.0.x. I found a couple of bugs:
>
> - The ARIA ciphers were not handled correctly so testing against OpenSSL
>    1.1.0 was always going to fail. This has been fixed.
>
> - 8.5.x was missing some code that ensured the OpenSSL libraries as well
>    as the binary was on the path. This meant 8.5.x tests were either
>    going to fail or use a locally installed OpenSSL version. This has
>    also been fixed.
>
>> On the Linux box I have OpenSSL installed and on the PATH.  On Windows I
>> used version OpenSSL 1.1.1  11 Sep 2018 and specified it via the
>> `test.openssl.path` property.  I checked the value of
>> `test.openssl.exists` and it showed the expected `true`.  Both Windows
>> and Fedora generated an output file for
>> test/org/apache/tomcat/util/net/openssl/TestOpenSSLConf.java [1]. Both,
>> however, reported "Found OpenSSL version 0x0" which I find strange?
> That does seem odd. I suspect either the wrong OpenSSL version or no
> OpenSSL version was found.

Gump was also showing "version 0x0" [1].

System.load() [2] was throwing an error that an absolute path is 
expected, but that error was ignored at [3] so we didn't see it.  I 
added a warning to the log in r1842849 [4].

Igal

[1] 
http://vmgump-vm3.apache.org/tomcat-trunk/tomcat-trunk-test-nio/gump_file/TEST-org.apache.tomcat.util.net.openssl.TestOpenSSLConf.NIO.txt.html

[2] 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/Library.java?revision=1834660&view=markup&pathrev=1842849#l42

[3] 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java?view=markup&pathrev=1842748#l91

[4] http://svn.apache.org/viewvc?rev=1842849&view=rev


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message