tomcat-dev mailing list archives

From Igal Sapir <isa...@apache.org>
Subject Re: SSL Unit Tests Failing
Date Tue, 02 Oct 2018 19:40:03 GMT
Chris,

On 10/2/2018 7:25 AM, Christopher Schultz wrote:
> On 10/2/18 01:58, Igal Sapir wrote:
>> When trying to run the unit test cases with `ant clean test` on the
>> current trunk [1] I am getting two (per connector) failures:
>>
>> org.apache.tomcat.util.net.openssl.ciphers.TestCipher FAILED [2]
>>
>> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser FAILED [3]
>>
>> Server version: Apache Tomcat/9.0.13-dev
>> Server built:   Oct 2 2018 05:24:55 UTC
>> Server number:  9.0.13.0
>> OS Name:        Linux
>> OS Version:     4.18.9-200.fc28.x86_64
>> Architecture:   amd64
>> JVM Version:    1.8.0_181-b13
>> JVM Vendor:     Oracle Corporation
>>
>> Am I missing something?  Other than the obvious "missing ciphers",
>> that is.
> AIUI, you need to have the perfect match of JRE/JSSE and OpenSSL
> versions in order to have this test work, because it tests all cipher
> suites that have been configured in the test-case(s).
>
> Some of those are the super-new ones that might not be supported by
> your local version of OpenSSL.
>
> Some of them may be cipher-suites that have been compiled-out of
> OpenSSL in recent builds. You may want to take a look at the list of
> cipher suites that are failing and then ask openssl if they are
> supported (e.g. "openssl ciphers 'ALL'").
>
> The same is true for the "IBM cipher suites" which all have different
> names for some reason. OpenSSL and JSSE already disagree about the
> names of cipher suites, and IBM had to go their own way, too. If you
> don't have an IBM JRE then you won't be able to test those suites.
>
> Let's take an example from OpenSSL where your tests are failing:
>
>> Testcase: testOpenSSLCipherAvailability took 0.06 sec FAILED
>> ECDHE-ARIA128-GCM-SHA256+TLSv1.2
>> DHE-RSA-ARIA128-GCM-SHA256+TLSv1.2
>> DHE-DSS-ARIA256-GCM-SHA384+TLSv1.2
>> ECDHE-ECDSA-ARIA128-GCM-SHA256+TLSv1.2
>> ARIA256-GCM-SHA384+TLSv1.2
>> ECDHE-ARIA256-GCM-SHA384+TLSv1.2
>> DHE-RSA-ARIA256-GCM-SHA384+TLSv1.2
>> RSA-PSK-ARIA256-GCM-SHA384+TLSv1.2
>> ECDHE-ECDSA-ARIA256-GCM-SHA384+TLSv1.2
>> ARIA128-GCM-SHA256+TLSv1.2
>> DHE-PSK-ARIA128-GCM-SHA256+TLSv1.2
>> RSA-PSK-ARIA128-GCM-SHA256+TLSv1.2
>> DHE-DSS-ARIA128-GCM-SHA256+TLSv1.2
>> PSK-ARIA256-GCM-SHA384+TLSv1.2
>> DHE-PSK-ARIA256-GCM-SHA384+TLSv1.2
>> PSK-ARIA128-GCM-SHA256+TLSv1.2
>> expected:<0> but was:<16>
> Without looking at the code, I suspect that the test was intended to
> select certain ciphers with some attribute. The test case expects zero
> cipher suites to be available, but your environment provides 16
> matching cipher suites.
>
> If I run my local LibreSSL 2.2.7 "openssl ciphers -v 'ALL' | grep
> ARIA" I get no output, but when I use OpenSSL 1.1.1, I get this output:
>
>> ECDHE-ECDSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(256) Mac=AEAD
>> ECDHE-ARIA256-GCM-SHA384       TLSv1.2 Kx=ECDH     Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
>> DHE-DSS-ARIA256-GCM-SHA384     TLSv1.2 Kx=DH       Au=DSS   Enc=ARIAGCM(256) Mac=AEAD
>> DHE-RSA-ARIA256-GCM-SHA384     TLSv1.2 Kx=DH       Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
>> ECDHE-ECDSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(128) Mac=AEAD
>> ECDHE-ARIA128-GCM-SHA256       TLSv1.2 Kx=ECDH     Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
>> DHE-DSS-ARIA128-GCM-SHA256     TLSv1.2 Kx=DH       Au=DSS   Enc=ARIAGCM(128) Mac=AEAD
>> DHE-RSA-ARIA128-GCM-SHA256     TLSv1.2 Kx=DH       Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
>> RSA-PSK-ARIA256-GCM-SHA384     TLSv1.2 Kx=RSAPSK   Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
>> DHE-PSK-ARIA256-GCM-SHA384     TLSv1.2 Kx=DHEPSK   Au=PSK   Enc=ARIAGCM(256) Mac=AEAD
>> ARIA256-GCM-SHA384             TLSv1.2 Kx=RSA      Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
>> PSK-ARIA256-GCM-SHA384         TLSv1.2 Kx=PSK      Au=PSK   Enc=ARIAGCM(256) Mac=AEAD
>> RSA-PSK-ARIA128-GCM-SHA256     TLSv1.2 Kx=RSAPSK   Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
>> DHE-PSK-ARIA128-GCM-SHA256     TLSv1.2 Kx=DHEPSK   Au=PSK   Enc=ARIAGCM(128) Mac=AEAD
>> ARIA128-GCM-SHA256             TLSv1.2 Kx=RSA      Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
>> PSK-ARIA128-GCM-SHA256         TLSv1.2 Kx=PSK      Au=PSK   Enc=ARIAGCM(128) Mac=AEAD
> There are 16 items in that list. Perhaps you are using the latest
> OpenSSL but the test isn't prepared for them.
>
> I think it's "okay" that this test is failing for you, but it's
> probably worth looking into why it's happening and trying to alter the
> test to cope with that situation.
>
> Remember that OpenSSL 1.1.1 is very fresh so the unit tests might not
> have caught-up with what's in there, yet.
>
> But this is weird:
>
>> Testcase: testARIA128 took 0.535 sec FAILED Expected 8 ciphers but
>> got 0 for the specification 'ARIA128' expected:
> Above, you have ARIA ciphers available, but in this test, they weren't
> found. That could represent a bug in the test. Time to dive into the
> cipher suite cross-match detection code, Igal! ;)

Thank you for the detailed explanation.

I will look into it and will post more information if I find anything 
useful.

Igal
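
An added example, not part of the original message and not Tomcat code: one way to do the check suggested above, comparing the cipher names from a failing test against the `openssl ciphers -v` listing. It matches names exactly on the first column, because a plain `grep ARIA128-GCM-SHA256` also hits `ECDHE-ARIA128-GCM-SHA256`. The function names and `SAMPLE_LISTING` are hypothetical; the sample lines are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Constructed sample in `openssl ciphers -v` format (two ARIA suites, one AES).
SAMPLE_LISTING='ECDHE-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=ARIAGCM(128) Mac=AEAD
DHE-RSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=ARIAGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD'

# cipher_listing: print the local library's cipher table, one suite per line.
# Prints nothing when no openssl binary is on PATH.
cipher_listing() {
    command -v openssl >/dev/null 2>&1 && openssl ciphers -v 'ALL' 2>/dev/null
    return 0
}

# strip_proto NAME: drop the "+TLSv1.2" suffix that the test output appends.
strip_proto() {
    printf '%s\n' "${1%%+*}"
}

# classify LISTING NAME...: report each name as supported or missing, using an
# exact comparison against column 1 of LISTING (no substring matches).
classify() {
    listing=$1; shift
    for raw in "$@"; do
        name=$(strip_proto "$raw")
        if printf '%s\n' "$listing" |
            awk -v n="$name" '$1 == n { found = 1 } END { exit !found }'; then
            printf 'supported %s\n' "$name"
        else
            printf 'missing   %s\n' "$name"
        fi
    done
}

# count_family LISTING WORD: count suites whose name contains WORD. Only the
# name column is searched, so "Enc=ARIAGCM(...)" alone never counts.
count_family() {
    printf '%s\n' "$1" | awk -v w="$2" 'index($1, w) { c++ } END { print c + 0 }'
}

# With arguments, check the given names against the local OpenSSL build.
if [ "$#" -gt 0 ]; then
    classify "$(cipher_listing)" "$@"
fi
```

Run it with the names copied from the test failure as arguments, for example `sh check.sh 'ECDHE-ARIA128-GCM-SHA256+TLSv1.2'`, where `check.sh` is whatever file name the script was saved under.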

