From: Christopher Schultz
To: dev@tomcat.apache.org
Subject: Re: SSL Unit Tests Failing
Date: Tue, 2 Oct 2018 10:25:10 -0400
Message-ID: <9407ad5a-7501-e24f-76e3-ec46d163295a@christopherschultz.net>

Igal,

On 10/2/18 01:58, Igal Sapir wrote:
> When trying to run the unit test cases with `ant clean test` on the
> current trunk [1] I am getting two (per connector) failures:
>
> org.apache.tomcat.util.net.openssl.ciphers.TestCipher FAILED [2]
>
> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser
> FAILED [3]
>
> Server version: Apache Tomcat/9.0.13-dev
> Server built:   Oct 2 2018
> 05:24:55 UTC
> Server number:  9.0.13.0
> OS Name:        Linux
> OS Version:     4.18.9-200.fc28.x86_64
> Architecture:   amd64
> JVM Version:    1.8.0_181-b13
> JVM Vendor:     Oracle Corporation
>
> Am I missing something? Other than the obvious "missing ciphers",
> that is.

AIUI, you need to have the perfect match of JRE/JSSE and OpenSSL
versions in order to have this test work, because it tests all cipher
suites that have been configured in the test-case(s). Some of those are
the super-new ones that might not be supported by your local version of
OpenSSL. Some of them may be cipher-suites that have been compiled-out
of OpenSSL in recent builds.

You may want to take a look at the list of cipher suites that are
failing and then ask openssl if they are supported (e.g. "openssl
ciphers 'ALL'").

The same is true for the "IBM cipher suites" which all have different
names for some reason. OpenSSL and JSSE already disagree about the
names of cipher suites, and IBM had to go their own way, too. If you
don't have an IBM JRE then you won't be able to test those suites.

Let's take an example from OpenSSL where your tests are failing:

> Testcase: testOpenSSLCipherAvailability took 0.06 sec FAILED
> ECDHE-ARIA128-GCM-SHA256+TLSv1.2
> DHE-RSA-ARIA128-GCM-SHA256+TLSv1.2
> DHE-DSS-ARIA256-GCM-SHA384+TLSv1.2
> ECDHE-ECDSA-ARIA128-GCM-SHA256+TLSv1.2
> ARIA256-GCM-SHA384+TLSv1.2
> ECDHE-ARIA256-GCM-SHA384+TLSv1.2
> DHE-RSA-ARIA256-GCM-SHA384+TLSv1.2
> RSA-PSK-ARIA256-GCM-SHA384+TLSv1.2
> ECDHE-ECDSA-ARIA256-GCM-SHA384+TLSv1.2
> ARIA128-GCM-SHA256+TLSv1.2
> DHE-PSK-ARIA128-GCM-SHA256+TLSv1.2
> RSA-PSK-ARIA128-GCM-SHA256+TLSv1.2
> DHE-DSS-ARIA128-GCM-SHA256+TLSv1.2
> PSK-ARIA256-GCM-SHA384+TLSv1.2
> DHE-PSK-ARIA256-GCM-SHA384+TLSv1.2
> PSK-ARIA128-GCM-SHA256+TLSv1.2
> expected:<0> but was:<16>

Without looking at the code, I suspect that the test was intended to
select certain ciphers with some attribute. The test case expects zero
cipher suites to be available, but your environment provides 16
matching cipher suites.
If I run my local LibreSSL 2.2.7 "openssl ciphers -v 'ALL' | grep ARIA"
I get no output, but when I use OpenSSL 1.1.1, I get this output:

> ECDHE-ECDSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH   Au=ECDSA Enc=ARIAGCM(256) Mac=AEAD
> ECDHE-ARIA256-GCM-SHA384       TLSv1.2 Kx=ECDH   Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
> DHE-DSS-ARIA256-GCM-SHA384     TLSv1.2 Kx=DH     Au=DSS   Enc=ARIAGCM(256) Mac=AEAD
> DHE-RSA-ARIA256-GCM-SHA384     TLSv1.2 Kx=DH     Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
> ECDHE-ECDSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH   Au=ECDSA Enc=ARIAGCM(128) Mac=AEAD
> ECDHE-ARIA128-GCM-SHA256       TLSv1.2 Kx=ECDH   Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
> DHE-DSS-ARIA128-GCM-SHA256     TLSv1.2 Kx=DH     Au=DSS   Enc=ARIAGCM(128) Mac=AEAD
> DHE-RSA-ARIA128-GCM-SHA256     TLSv1.2 Kx=DH     Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
> RSA-PSK-ARIA256-GCM-SHA384     TLSv1.2 Kx=RSAPSK Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
> DHE-PSK-ARIA256-GCM-SHA384     TLSv1.2 Kx=DHEPSK Au=PSK   Enc=ARIAGCM(256) Mac=AEAD
> ARIA256-GCM-SHA384             TLSv1.2 Kx=RSA    Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
> PSK-ARIA256-GCM-SHA384         TLSv1.2 Kx=PSK    Au=PSK   Enc=ARIAGCM(256) Mac=AEAD
> RSA-PSK-ARIA128-GCM-SHA256     TLSv1.2 Kx=RSAPSK Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
> DHE-PSK-ARIA128-GCM-SHA256     TLSv1.2 Kx=DHEPSK Au=PSK   Enc=ARIAGCM(128) Mac=AEAD
> ARIA128-GCM-SHA256             TLSv1.2 Kx=RSA    Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
> PSK-ARIA128-GCM-SHA256         TLSv1.2 Kx=PSK    Au=PSK   Enc=ARIAGCM(128) Mac=AEAD

There are 16 items in that list. Perhaps you are using the latest
OpenSSL but the test isn't prepared for them.

I think it's "okay" that this test is failing for you, but it's
probably worth looking into why it's happening and trying to alter the
test to cope with that situation. Remember that OpenSSL 1.1.1 is very
fresh so the unit tests might not have caught-up with what's in there,
yet.

But this is weird:

> Testcase: testARIA128 took 0.535 sec FAILED Expected 8 ciphers but
> got 0 for the specification 'ARIA128' expected:

Above, you have ARIA ciphers available, but in this test, they weren't found.
That could represent a bug in the test. Time to dive into the cipher
suite cross-match detection code, Igal! ;)

-chris
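
Added example (not part of the original message, and not Tomcat's test code): a small parser for `openssl ciphers -v` output that counts suites by encryption algorithm and key size, run over the 16 OpenSSL 1.1.1 lines quoted in the message. The function names and the NAME+PROTOCOL helper are assumptions made for illustration.

```python
import re

# The 16 `openssl ciphers -v` lines quoted in the message (OpenSSL 1.1.1), embedded to run offline.
OPENSSL_111_ARIA = """\
ECDHE-ECDSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ARIAGCM(256) Mac=AEAD
ECDHE-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=ARIAGCM(256) Mac=AEAD
DHE-DSS-ARIA256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=ARIAGCM(256) Mac=AEAD
DHE-RSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=ARIAGCM(256) Mac=AEAD
ECDHE-ECDSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ARIAGCM(128) Mac=AEAD
ECDHE-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=ARIAGCM(128) Mac=AEAD
DHE-DSS-ARIA128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=ARIAGCM(128) Mac=AEAD
DHE-RSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=ARIAGCM(128) Mac=AEAD
RSA-PSK-ARIA256-GCM-SHA384 TLSv1.2 Kx=RSAPSK Au=RSA Enc=ARIAGCM(256) Mac=AEAD
DHE-PSK-ARIA256-GCM-SHA384 TLSv1.2 Kx=DHEPSK Au=PSK Enc=ARIAGCM(256) Mac=AEAD
ARIA256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=ARIAGCM(256) Mac=AEAD
PSK-ARIA256-GCM-SHA384 TLSv1.2 Kx=PSK Au=PSK Enc=ARIAGCM(256) Mac=AEAD
RSA-PSK-ARIA128-GCM-SHA256 TLSv1.2 Kx=RSAPSK Au=RSA Enc=ARIAGCM(128) Mac=AEAD
DHE-PSK-ARIA128-GCM-SHA256 TLSv1.2 Kx=DHEPSK Au=PSK Enc=ARIAGCM(128) Mac=AEAD
ARIA128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=ARIAGCM(128) Mac=AEAD
PSK-ARIA128-GCM-SHA256 TLSv1.2 Kx=PSK Au=PSK Enc=ARIAGCM(128) Mac=AEAD
"""

LINE = re.compile(
    r"(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[^\s(]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)")

def parse_ciphers(text):
    """Parse `openssl ciphers -v` output into dicts; lines that do not match are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            suite = m.groupdict()
            suite["bits"] = int(suite["bits"]) if suite["bits"] else None  # Enc=None has no size
            suites.append(suite)
    return suites

def select(suites, enc_prefix, bits=None):
    """Suites whose Enc algorithm starts with enc_prefix, optionally at one key size."""
    return [s for s in suites
            if s["enc"].startswith(enc_prefix) and bits in (None, s["bits"])]

def report_keys(suites):
    """Names in the NAME+PROTOCOL form that the quoted failure report uses."""
    return {s["name"] + "+" + s["proto"] for s in suites}

if __name__ == "__main__":
    aria = select(parse_ciphers(OPENSSL_111_ARIA), "ARIA")
    print(len(aria), "ARIA suites,", len(select(aria, "ARIA", 128)), "of them ARIA128")
```

On the quoted output this finds 16 ARIA suites, 8 of them with a 128-bit key, which is the count testARIA128 expected. Passing the text of a local `openssl ciphers -v 'ALL'` run to parse_ciphers shows what a particular OpenSSL or LibreSSL build offers.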