tomcat-dev mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: SSL Unit Tests Failing
Date Tue, 02 Oct 2018 14:25:10 GMT
Igal,

On 10/2/18 01:58, Igal Sapir wrote:
> When trying to run the unit test cases with `ant clean test` on the
> current trunk [1] I am getting two (per connector) failures:
> 
> org.apache.tomcat.util.net.openssl.ciphers.TestCipher FAILED [2]
> 
> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser
> FAILED [3]
> 
> Server version: Apache Tomcat/9.0.13-dev
> Server built:   Oct 2 2018 05:24:55 UTC
> Server number:  9.0.13.0
> OS Name:        Linux
> OS Version:     4.18.9-200.fc28.x86_64
> Architecture:   amd64
> JVM Version:    1.8.0_181-b13
> JVM Vendor:     Oracle Corporation
> 
> Am I missing something?  Other than the obvious "missing ciphers",
> that is.

AIUI, you need to have the perfect match of JRE/JSSE and OpenSSL
versions in order to have this test work, because it tests all cipher
suites that have been configured in the test-case(s).

Some of those are the super-new ones that might not be supported by
your local version of OpenSSL.

Some of them may be cipher-suites that have been compiled-out of
OpenSSL in recent builds. You may want to take a look at the list of
cipher suites that are failing and then ask openssl if they are
supported (e.g. "openssl ciphers 'ALL'").

The same is true for the "IBM cipher suites" which all have different
names for some reason. OpenSSL and JSSE already disagree about the
names of cipher suites, and IBM had to go their own way, too. If you
don't have an IBM JRE then you won't be able to test those suites.

Let's take an example from OpenSSL where your tests are failing:

> Testcase: testOpenSSLCipherAvailability took 0.06 sec FAILED
> ECDHE-ARIA128-GCM-SHA256+TLSv1.2
> DHE-RSA-ARIA128-GCM-SHA256+TLSv1.2
> DHE-DSS-ARIA256-GCM-SHA384+TLSv1.2
> ECDHE-ECDSA-ARIA128-GCM-SHA256+TLSv1.2
> ARIA256-GCM-SHA384+TLSv1.2
> ECDHE-ARIA256-GCM-SHA384+TLSv1.2
> DHE-RSA-ARIA256-GCM-SHA384+TLSv1.2
> RSA-PSK-ARIA256-GCM-SHA384+TLSv1.2
> ECDHE-ECDSA-ARIA256-GCM-SHA384+TLSv1.2
> ARIA128-GCM-SHA256+TLSv1.2
> DHE-PSK-ARIA128-GCM-SHA256+TLSv1.2
> RSA-PSK-ARIA128-GCM-SHA256+TLSv1.2
> DHE-DSS-ARIA128-GCM-SHA256+TLSv1.2
> PSK-ARIA256-GCM-SHA384+TLSv1.2
> DHE-PSK-ARIA256-GCM-SHA384+TLSv1.2
> PSK-ARIA128-GCM-SHA256+TLSv1.2
> expected:<0> but was:<16>

Without looking at the code, I suspect that the test was intended to
select certain ciphers with some attribute. The test case expects zero
cipher suites to be available, but your environment provides 16
matching cipher suites.

If I run my local LibreSSL 2.2.7 "openssl ciphers -v 'ALL' | grep
ARIA" I get no output, but when I use OpenSSL 1.1.1, I get this output:

> ECDHE-ECDSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(256) Mac=AEAD
> ECDHE-ARIA256-GCM-SHA384       TLSv1.2 Kx=ECDH     Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
> DHE-DSS-ARIA256-GCM-SHA384     TLSv1.2 Kx=DH       Au=DSS   Enc=ARIAGCM(256) Mac=AEAD
> DHE-RSA-ARIA256-GCM-SHA384     TLSv1.2 Kx=DH       Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
> ECDHE-ECDSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ARIAGCM(128) Mac=AEAD
> ECDHE-ARIA128-GCM-SHA256       TLSv1.2 Kx=ECDH     Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
> DHE-DSS-ARIA128-GCM-SHA256     TLSv1.2 Kx=DH       Au=DSS   Enc=ARIAGCM(128) Mac=AEAD
> DHE-RSA-ARIA128-GCM-SHA256     TLSv1.2 Kx=DH       Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
> RSA-PSK-ARIA256-GCM-SHA384     TLSv1.2 Kx=RSAPSK   Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
> DHE-PSK-ARIA256-GCM-SHA384     TLSv1.2 Kx=DHEPSK   Au=PSK   Enc=ARIAGCM(256) Mac=AEAD
> ARIA256-GCM-SHA384             TLSv1.2 Kx=RSA      Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
> PSK-ARIA256-GCM-SHA384         TLSv1.2 Kx=PSK      Au=PSK   Enc=ARIAGCM(256) Mac=AEAD
> RSA-PSK-ARIA128-GCM-SHA256     TLSv1.2 Kx=RSAPSK   Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
> DHE-PSK-ARIA128-GCM-SHA256     TLSv1.2 Kx=DHEPSK   Au=PSK   Enc=ARIAGCM(128) Mac=AEAD
> ARIA128-GCM-SHA256             TLSv1.2 Kx=RSA      Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
> PSK-ARIA128-GCM-SHA256         TLSv1.2 Kx=PSK      Au=PSK   Enc=ARIAGCM(128) Mac=AEAD

There are 16 items in that list. Perhaps you are using the latest
OpenSSL but the test isn't prepared for them.

I think it's "okay" that this test is failing for you, but it's
probably worth looking into why it's happening and trying to alter the
test to cope with that situation.

Remember that OpenSSL 1.1.1 is very fresh so the unit tests might not
have caught up with what's in there, yet.

But this is weird:

> Testcase: testARIA128 took 0.535 sec FAILED Expected 8 ciphers but
> got 0 for the specification 'ARIA128' expected:

Above, you have ARIA ciphers available, but in this test, they weren't
found. That could represent a bug in the test. Time to dive into the
cipher suite cross-match detection code, Igal! ;)

-chris
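An added example, not part of the original message or of the Tomcat code base: a small shell helper for the check suggested above, comparing the cipher names a failing test reports against what an OpenSSL build lists with `openssl ciphers -v`. The function names, the constructed `EXAMPLE-MISSING-CIPHER` entry, and the reading of `NAME+TLSv1.2` as "cipher name plus protocol" are assumptions of this example.

```shell
#!/bin/sh
# Added example: cross-check reported cipher names against an
# `openssl ciphers -v` listing. Not Tomcat's own test code.

# Three lines copied from the OpenSSL 1.1.1 output quoted in the message.
SAMPLE_LISTING='ECDHE-ECDSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ARIAGCM(256) Mac=AEAD
ECDHE-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=ARIAGCM(128) Mac=AEAD
PSK-ARIA128-GCM-SHA256 TLSv1.2 Kx=PSK Au=PSK Enc=ARIAGCM(128) Mac=AEAD'

# Entries in the "NAME+PROTOCOL" form shown in the test failure (assumed
# meaning: cipher name, then protocol). The last entry is constructed to
# demonstrate a miss.
SAMPLE_REPORTED='ECDHE-ARIA128-GCM-SHA256+TLSv1.2 PSK-ARIA128-GCM-SHA256+TLSv1.2 EXAMPLE-MISSING-CIPHER+TLSv1.2'

# classify_ciphers LISTING REPORTED
# For each reported entry, print "available NAME" if LISTING has a line whose
# first column is NAME and second column is PROTOCOL, else "missing NAME".
classify_ciphers() {
    listing=$1
    for entry in $2; do
        name=${entry%%+*}    # text before the first '+'
        proto=${entry#*+}    # text after the first '+'
        if printf '%s\n' "$listing" |
            awk -v n="$name" -v p="$proto" \
                '$1 == n && $2 == p { found = 1 } END { exit !found }'
        then
            echo "available $name"
        else
            echo "missing $name"
        fi
    done
}

# count_status STATUS LISTING REPORTED
# Number of reported entries classified as STATUS ("available" or "missing").
count_status() {
    classify_ciphers "$2" "$3" |
        awk -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# Run against the embedded sample so the script works offline.
classify_ciphers "$SAMPLE_LISTING" "$SAMPLE_REPORTED"
```

To check a real build, pass `"$(openssl ciphers -v 'ALL')"` as the first argument; an empty listing, as with the LibreSSL 2.2.7 case in the message, classifies every entry as missing.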