First impressions from OpenSSL 3.0.0 and httpd 2.4.45


First impressions from OpenSSL 3.0.0 and httpd 2.4.45

Rainer Jung-3
Hi there,

during release testing for 2.4.45 I also built and tested using OpenSSL
3.0.0alpha5 on the server. Overall first results are pretty good:

- a few deprecation warnings during compilation:

modules/ssl/ssl_engine_config.c:610:5: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_config.c:612:9: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_config.c:617:9: warning: 'ENGINE_get_first' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_config.c:619:13: warning: 'ENGINE_get_id' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_config.c:620:42: warning: 'ENGINE_get_name' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_config.c:623:13: warning: 'ENGINE_get_next' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_init.c:457:9: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_init.c:467:13: warning: 'ENGINE_ctrl' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_init.c:471:9: warning: 'ENGINE_set_default' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_init.c:482:9: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_kernel.c:2611:9: warning: 'HMAC_Init_ex' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_kernel.c:2632:9: warning: 'HMAC_Init_ex' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_log.c:90:5: warning: 'ERR_peek_error_line_data' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:856:5: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:864:5: warning: 'ENGINE_init' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:877:9: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:886:9: warning: 'ENGINE_ctrl_cmd' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:896:5: warning: 'ENGINE_load_private_key' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:904:5: warning: 'ENGINE_finish' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_pphrase.c:905:5: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]

- a few const warnings

modules/ssl/ssl_engine_kernel.c:608:55: warning: passing argument 2 of 'sk_SSL_CIPHER_find' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
modules/ssl/ssl_engine_kernel.c:627:61: warning: passing argument 2 of 'sk_SSL_CIPHER_find' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
modules/ssl/ssl_engine_kernel.c:638:57: warning: passing argument 2 of 'sk_SSL_CIPHER_find' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
modules/ssl/ssl_engine_kernel.c:1039:49: warning: passing argument 2 of 'sk_SSL_CIPHER_find' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]

and the unit tests show two problems, one of which will be fixed in OpenSSL itself:

- during unit test preparation, our test script creates a PKCS12 store
with default encoding params. That's known to be broken in alpha5. So
the "-configure" step of "t/TEST" should be run with a stable version of
OpenSSL before the actual testing.
https://github.com/openssl/openssl/pull/12540
https://github.com/openssl/openssl/issues/11672

- independent of OpenSSL 3.0.0: to work around the previous observation
I tried using the env var "APACHE_TEST_OPENSSL_CMD". Unfortunately this
is slightly broken, because it tests for the command's existence using the
"which" function in TestConfig.pm, and that function is broken when used
for a command containing a path component. I temporarily fixed it using:

@@ -1782,6 +1782,11 @@

      return undef unless $program;

+    # No need to search PATH components
+    # if $program already contains a path
+    return $program if !OSX and !WINFU and
+        $program =~ /\// and -f $program and -x $program;
+
      my @dirs = File::Spec->path();

      require Config;
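Review bot: the shortcut `return $program if !OSX and !WINFU and` only applies off OSX and Windows, so on those two platforms a command given with a path component still drops into the `File::Spec->path()` search the patch is meant to bypass; unless that loop is needed there, drop the platform guard or test the platform's path separator instead of a bare `/`. Also, when `$program` contains a `/` but the `-f`/`-x` checks fail, the code falls through to the PATH search instead of returning `undef`; an explicit `return undef` at that point would report the real problem (missing or non-executable file) rather than searching PATH for something that was given as a path.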


- when testing with a client >= OpenSSL 1.1.0 against 3.0.0alpha5, only
t/ssl/proxy.t shows failures, especially in eat_post, but already during
the TLS handshake:

[ssl:info] [pid 9162:tid 140326149928720] [client 127.0.0.1:56312] AH01964: Connection to child 82 established (server localhost:8532)

[ssl:info] [pid 9162:tid 140326166714128] [remote 127.0.0.1:8532] AH02276: Certificate Verification: Error (3): unable to get certificate CRL [subject: emailAddress=[hidden email],CN=localhost,OU=httpd-test/rsa-test,O=ASF,L=San Francisco,ST=California,C=US / issuer: emailAddress=[hidden email],CN=ca,OU=httpd-test,O=ASF,L=San Francisco,ST=California,C=US / serial: 0C / notbefore: Jul 30 23:29:05 2020 GMT / notafter: Jul 30 23:29:05 2021 GMT]

[ssl:info] [pid 9162:tid 140326149928720] [client 127.0.0.1:56312] AH02008: SSL library error 1 in handshake (server localhost:8532)

[ssl:info] [pid 9162:tid 140326149928720] SSL Library Error: error:0A000418:SSL routines::tlsv1 alert unknown ca (SSL alert number 48)

[ssl:info] [pid 9162:tid 140326149928720] [client 127.0.0.1:56312] AH01998: Connection closed to child 82 with abortive shutdown (server localhost:8532)

[example_hooks:notice] [pid 9162:tid 140326149928720] x_create_request()
[ssl:info] [pid 9162:tid 140326166714128] [remote 127.0.0.1:8532] AH02003: SSL Proxy connect failed

[ssl:info] [pid 9162:tid 140326166714128] SSL Library Error: error:0A000086:SSL routines::certificate verify failed

[ssl:info] [pid 9162:tid 140326166714128] [remote 127.0.0.1:8532] AH01998: Connection closed to child 0 with abortive shutdown (server localhost:8563)

[ssl:info] [pid 9162:tid 140326166714128] [remote 127.0.0.1:8532] AH01997: SSL handshake failed: sending 502

[proxy:error] [pid 9162:tid 140326166714128] (20014)Internal error (specific information not available): [client 127.0.0.1:49283] AH01084: pass request body failed to [::1]:8532 (localhost)

[proxy:error] [pid 9162:tid 140326166714128] [client 127.0.0.1:49283] AH00898: Error during SSL Handshake with remote server returned by /eat_post

[proxy_http:error] [pid 9162:tid 140326166714128] [client 127.0.0.1:49283] AH01097: pass request body failed to [::1]:8532 (localhost) from 127.0.0.1 ()


- when testing with OpenSSL 0.9.8zh as a client, almost all TLS tests
fail. I guess one would have to load the legacy provider for the
server-side OpenSSL to allow handshakes with the old TLS version supported
by 0.9.8. I have not verified this yet.


Regards,

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
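A triage script, added here and not part of the thread or of httpd's code, that decodes the OpenSSL 3 packed error codes in the log above (error:0A000418, error:0A000086) and pairs the proxy-side and backend-side halves of the failed handshake by thread id. The field layout follows OpenSSL 3's err.h; the two reason names are taken from sslerr.h, and the sample log is constructed from the lines quoted in the post with the DNs shortened.

```python
"""Triage for the mod_ssl / mod_proxy lines quoted above (added example).

OpenSSL 3 prints errors as error:XXXXXXXX:<lib>::<reason>; the 8 hex digits
are a packed code whose layout comes from include/openssl/err.h.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the log lines from the post, DNs shortened.
SAMPLE_LOG = """\
[ssl:info] [pid 9162:tid 140326149928720] [client 127.0.0.1:56312] AH01964: Connection to child 82 established (server localhost:8532)
[ssl:info] [pid 9162:tid 140326166714128] [remote 127.0.0.1:8532] AH02276: Certificate Verification: Error (3): unable to get certificate CRL [subject: CN=localhost,OU=httpd-test/rsa-test,O=ASF / issuer: CN=ca,OU=httpd-test,O=ASF / serial: 0C]
[ssl:info] [pid 9162:tid 140326149928720] [client 127.0.0.1:56312] AH02008: SSL library error 1 in handshake (server localhost:8532)
[ssl:info] [pid 9162:tid 140326149928720] SSL Library Error: error:0A000418:SSL routines::tlsv1 alert unknown ca (SSL alert number 48)
[ssl:info] [pid 9162:tid 140326166714128] [remote 127.0.0.1:8532] AH02003: SSL Proxy connect failed
[ssl:info] [pid 9162:tid 140326166714128] SSL Library Error: error:0A000086:SSL routines::certificate verify failed
[ssl:info] [pid 9162:tid 140326166714128] [remote 127.0.0.1:8532] AH01997: SSL handshake failed: sending 502
"""

# Packed error layout (OpenSSL 3 err.h): bits 31..23 library id, bits 22..18
# reason flags, bits 17..0 reason code.  REASON_BITS_MASK is this script's own
# mask for the code bits below the flag field.
ERR_LIB_OFFSET = 23
ERR_LIB_MASK = 0xFF
ERR_RFLAGS_OFFSET = 18
ERR_RFLAGS_MASK = 0x1F
REASON_BITS_MASK = (1 << ERR_RFLAGS_OFFSET) - 1

ERR_LIB_SSL = 20
# Reason codes from OpenSSL's sslerr.h; TLS alert reasons are 1000 + alert number.
SSL_REASON_NAMES = {
    134: "SSL_R_CERTIFICATE_VERIFY_FAILED",
    1048: "SSL_R_TLSV1_ALERT_UNKNOWN_CA",
}


def decode_err(code):
    """Split a packed OpenSSL 3 error code into library, flags, reason and alert."""
    lib = (code >> ERR_LIB_OFFSET) & ERR_LIB_MASK
    flags = (code >> ERR_RFLAGS_OFFSET) & ERR_RFLAGS_MASK
    reason = code & REASON_BITS_MASK
    # SSL_R_SSLV3_ALERT_* / SSL_R_TLSV1_ALERT_* reasons carry the alert number.
    alert = reason - 1000 if lib == ERR_LIB_SSL and 1000 <= reason < 1256 else None
    name = SSL_REASON_NAMES.get(reason) if lib == ERR_LIB_SSL else None
    return {"lib": lib, "flags": flags, "reason": reason,
            "reason_name": name or "reason %d" % reason, "alert": alert}


LINE_RE = re.compile(
    r"^\[(?P<module>\w+):(?P<level>\w+)\] \[pid (?P<pid>\d+):tid (?P<tid>\d+)\]"
    r"(?: \[(?P<role>client|remote) (?P<peer>[^\]]+)\])? (?P<msg>.*)$"
)
AH_RE = re.compile(r"\b(AH\d{5})\b")
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def parse_log(text):
    """Group httpd error_log lines by thread id, tagging AH codes and OpenSSL errors."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an httpd log line in the expected format
        ah = AH_RE.search(m["msg"])
        err = ERR_RE.search(m["msg"])
        events[m["tid"]].append({
            "module": m["module"], "role": m["role"], "peer": m["peer"],
            "ah": ah.group(1) if ah else None,
            "err": decode_err(int(err.group(1), 16)) if err else None,
            "msg": m["msg"],
        })
    return events


def explain_proxy_failure(text):
    """Pair the proxy side (AH01997 -> 502) with the backend side (AH02008) of a handshake."""
    findings = {}
    for tid, evs in parse_log(text).items():
        ahs = {e["ah"] for e in evs}
        reasons = [e["err"]["reason_name"] for e in evs if e["err"]]
        alerts = [e["err"]["alert"] for e in evs if e["err"] and e["err"]["alert"] is not None]
        if "AH01997" in ahs:    # mod_ssl as client gave up; mod_proxy answered 502
            verify = next((e["msg"] for e in evs if e["ah"] == "AH02276"), None)
            findings["proxy"] = {"tid": tid, "reasons": reasons, "verify_error": verify}
        elif "AH02008" in ahs:  # the backend (server) side of the same handshake
            findings["server"] = {"tid": tid, "reasons": reasons, "alerts": alerts}
    return findings


if __name__ == "__main__":
    for side, info in explain_proxy_failure(SAMPLE_LOG).items():
        print(side, info)
```

Run on the sample, the proxy thread reports the CRL lookup failure (AH02276) and SSL_R_CERTIFICATE_VERIFY_FAILED, while the backend thread reports the matching unknown_ca alert (48) that the client sent back.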


Re: First impressions from OpenSSL 3.0.0 and httpd 2.4.45

Rainer Jung-3
Sorry, wrong dev list.

On 01.08.2020 at 12:07, Rainer Jung wrote:


Re: First impressions from OpenSSL 3.0.0 and httpd 2.4.45

Christopher Schultz-2

Rainer,

On 8/1/20 11:44, Rainer Jung wrote:
> Sorry, wrong dev list.

I thought it was interesting anyway :)

How about libtcnative built against OpenSSL 3.0.0?

-chris


First impressions from OpenSSL 3.0.0 and TC 10.0.0-M7 plus tcnative 1.2.24

Rainer Jung-3
Hi Chris, hi all,

I ran build and tests for TC 10.0.0-M7 plus tcnative 1.2.24 and compared
them between OpenSSL 3.0.0alpha5 and 1.1.1g plus patches. APR was always
1.7.0.

- build warnings for tcnative using OpenSSL 3.0.0alpha5:

src/ssl.c:422:5: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
src/ssl.c:424:9: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
src/ssl.c:425:13: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
src/ssl.c:426:13: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
src/ssl.c:806:13: warning: 'ENGINE_register_all_complete' is deprecated [-Wdeprecated-declarations]
src/ssl.c:809:13: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
src/ssl.c:815:21: warning: 'ENGINE_ctrl' is deprecated [-Wdeprecated-declarations]
src/ssl.c:817:17: warning: 'ENGINE_set_default' is deprecated [-Wdeprecated-declarations]
src/ssl.c:822:17: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
src/ssl.c:422: warning: 'ENGINE_by_id' is deprecated (declared at /path/to/include/openssl/engine.h:327)
src/ssl.c:424: warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at /path/to/include/openssl/engine.h:462)
src/ssl.c:425: warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at /path/to/include/openssl/engine.h:462)
src/ssl.c:426: warning: 'ENGINE_free' is deprecated (declared at /path/to/include/openssl/engine.h:474)
src/ssl.c:806: warning: 'ENGINE_register_all_complete' is deprecated (declared at /path/to/include/openssl/engine.h:407)
src/ssl.c:809: warning: 'ENGINE_by_id' is deprecated (declared at /path/to/include/openssl/engine.h:327)
src/ssl.c:815: warning: 'ENGINE_ctrl' is deprecated (declared at /path/to/include/openssl/engine.h:419)
src/ssl.c:817: warning: 'ENGINE_set_default' is deprecated (declared at /path/to/include/openssl/engine.h:652)
src/ssl.c:822: warning: 'ENGINE_free' is deprecated (declared at /path/to/include/openssl/engine.h:474)

- test results:

Only tested NIO and NIO2 connectors (couldn't easily do it for APR for
local reasons independent of OpenSSL).

The tests have been run on RedHat Enterprise Linux 8 using the following
JVMs:

- OpenJDK 1.8.0_262-b10
- OpenJDK 11.0.8+10
- OpenJDK 14.0.2+12-46
- OpenJDK 15-ea+31-1502
- Adopt OpenJDK 1.8.0_262-b10
- Adopt OpenJDK 11.0.8+10
- Adopt OpenJDK 14.0.2+12
- RedHat OpenJDK 1.8.0_201-b09
- RedHat OpenJDK 11.0.2+7-LTS
- Azul Zulu 1.8.0_262-b18
- Azul Zulu 11.0.8+10-LTS
- Azul 14.0.2+12

All tests succeed with the following exceptions. These do not differ
between OpenSSL 1.1.1g plus patches and 3.0.0alpha5:

- Zulu JDK 1.8.0

2 errors for NIO and NIO2 in org.apache.tomcat.util.net.TestClientCertTls13:

Testcase: testClientCertPost took 2.327 sec
        Caused an ERROR
Received fatal alert: protocol_version
javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
        at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:156)
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1197)
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1106)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:398)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:370)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167)
        at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:789)
        at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:755)
        at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:729)
        at org.apache.tomcat.util.net.TestClientCertTls13.testClientCertPost(TestClientCertTls13.java:61)

Testcase: testClientCertGet took 0.169 sec
        Caused an ERROR
Received fatal alert: protocol_version
javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
        at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:156)
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1197)
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1106)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:398)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:370)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167)
        at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:691)
        at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:665)
        at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:659)
        at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:653)
        at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:638)
        at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:632)
        at org.apache.tomcat.util.net.TestClientCertTls13.testClientCertGet(TestClientCertTls13.java:45)


- RedHat JDK 1.8.0

8 errors in org.apache.tomcat.util.net.TestSSLHostConfigCompat

Testcase: testHostECandRSAwithRSAClient[NIO-JSSE-KEYSTORE] took 2.878 sec
        Caused an ERROR
DHPublicKey does not comply to algorithm constraints
javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
        at sun.security.ssl.DHCrypt.checkConstraints(DHCrypt.java:237)
        at sun.security.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:774)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:287)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162)
        at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:691)
        at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:665)
        at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:659)
        at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:653)
        at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:638)
        at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:632)
        at org.apache.tomcat.util.net.TestSSLHostConfigCompat.doTest(TestSSLHostConfigCompat.java:298)
        at org.apache.tomcat.util.net.TestSSLHostConfigCompat.testHostECandRSAwithRSAClient(TestSSLHostConfigCompat.java:131)

and similar errors in

Testcase: testHostRSAandECwithRSAClient[NIO-JSSE-KEYSTORE] took 0.181 sec
Testcase: testHostRSAwithRSAandECClient[NIO-JSSE-KEYSTORE] took 0.151 sec
Testcase: testHostRSAwithRSAClient[NIO-JSSE-KEYSTORE] took 0.149 sec
Testcase: testHostECandRSAwithRSAClient[NIO-JSSE-PEM] took 0.394 sec
Testcase: testHostRSAandECwithRSAClient[NIO-JSSE-PEM] took 0.185 sec
Testcase: testHostRSAwithRSAandECClient[NIO-JSSE-PEM] took 0.255 sec
Testcase: testHostRSAwithRSAClient[NIO-JSSE-PEM] took 0.199 sec


Furthermore the test with OpenSSL 1.1.1g plus patches showed one
isolated JVM crash under Zulu with JDK 11 in
org.apache.tomcat.util.net.TestSsl for NIO2:

     Executable: /usr/local/zulu_jdk11/bin/java
  Control Group: /
          Slice: -.slice
        Boot ID: 5b69924960db44f297aac21f912de346
     Machine ID: 11e20c69b48145c494c0005eb2e92d17
       Hostname: esb-rhel8-64
        Storage: /var/lib/systemd/coredump/core.java.1200.5b69924960db44f297aac21f912de346.8157.1596423433000000.lz4
        Message: Process 8157 (java) of user 1200 dumped core.

                 Stack trace of thread 8162:
                 #0  0x00007f2a39bfe93f raise (libc.so.6)
                 #1  0x00007f2a39be8c95 abort (libc.so.6)
                 #2  0x00007f2a39c41d57 __libc_message (libc.so.6)
                 #3  0x00007f2a39c4868c malloc_printerr (libc.so.6)
                 #4  0x00007f2a39c4a188 _int_free (libc.so.6)
                 #5  0x00007f2a08b0d4f3 apr_allocator_destroy (libapr-1.so.0)
                 #6  0x00007f2a08b0df60 apr_pool_terminate (libapr-1.so.0)
                 #7  0x00007f2a1be0f1f0 n/a (n/a)
                 #8  0x00007f2a1be00849 n/a (n/a)
                 #9  0x00007f2a38faab42 _ZN9JavaCalls11call_helperEP9JavaValueRK12methodHandleP17JavaCallArgumentsP6Thread (libjvm.so)
                 #10 0x00007f2a393b8de0 _ZL6invokeP13InstanceKlassRK12methodHandle6Handleb14objArrayHandle9BasicTypeS5_bP6Thread (libjvm.so)
                 #11 0x00007f2a393b9bc3 _ZN10Reflection13invoke_methodEP7oopDesc6Handle14objArrayHandleP6Thread (libjvm.so)
                 #12 0x00007f2a39058542 JVM_InvokeMethod (libjvm.so)
                 #13 0x00007f2a239792b0 n/a (n/a)
                 #14 0x00007f2a1c779a8c n/a (n/a)

I ran the test with 2 threads in parallel. It looks like a possible
thread safety issue (race condition) during shutdown. Seems not to be
strictly reproducible.

So far this means OpenSSL 3.0.0 looks good :)

Regards,

Rainer

On 01.08.2020 at 19:12, Christopher Schultz wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Rainer,
>
> On 8/1/20 11:44, Rainer Jung wrote:
>> Sorry, wrong dev list.
>
> I thought it was interesting anyway :)
>
> How about libtcnative built against OpenSSL 3.0.0?

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: First impressions from OpenSSL 3.0.0 and TC 10.0.0-M7 plus tcnative 1.2.24

Christopher Schultz-2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Rainer,

On 8/3/20 07:03, Rainer Jung wrote:
> Hi Chris, hi all,
>
> I ran build and tests for TC 10.0.0-M7 plus tcnative 1.2.24 and
> compared them between OpenSSL 3.0.0alpha5 and 1.1.1g plus patches.
> APR was always 1.7.0.

Thanks for trying this out. What is "OpenSSL 1.1.1 + patches?" Which
patches are you applying?

> - build warnings for tcnative using OpenSSL 3.0.0alpha5:
>
> src/ssl.c:422:5: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:424:9: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:425:13: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:426:13: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:806:13: warning: 'ENGINE_register_all_complete' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:809:13: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:815:21: warning: 'ENGINE_ctrl' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:817:17: warning: 'ENGINE_set_default' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:822:17: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
> src/ssl.c:422: warning: 'ENGINE_by_id' is deprecated (declared at /path/to/include/openssl/engine.h:327)
> src/ssl.c:424: warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at /path/to/include/openssl/engine.h:462)
> src/ssl.c:425: warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at /path/to/include/openssl/engine.h:462)
> src/ssl.c:426: warning: 'ENGINE_free' is deprecated (declared at /path/to/include/openssl/engine.h:474)
> src/ssl.c:806: warning: 'ENGINE_register_all_complete' is deprecated (declared at /path/to/include/openssl/engine.h:407)
> src/ssl.c:809: warning: 'ENGINE_by_id' is deprecated (declared at /path/to/include/openssl/engine.h:327)
> src/ssl.c:815: warning: 'ENGINE_ctrl' is deprecated (declared at /path/to/include/openssl/engine.h:419)
> src/ssl.c:817: warning: 'ENGINE_set_default' is deprecated (declared at /path/to/include/openssl/engine.h:652)
> src/ssl.c:822: warning: 'ENGINE_free' is deprecated (declared at /path/to/include/openssl/engine.h:474)

I spot-checked ENGINE_ctrl_cmd_string and I can't seem to find any
indication of what replacement exists for this function. It seems that
a huge number of functions have been deprecated in 3.0.x with very
little explanation for how to update client code to be 3.0-compliant.

> - test results:
>
> Only tested NIO and NIO2 connectors (couldn't easily do it for APR
> for local reasons independent of OpenSSL).
>
> The tests have been run on RedHat Enterprise Linux 8 using the
> following JVMs:
>
> - OpenJDK 1.8.0_262-b10
> - OpenJDK 11.0.8+10
> - OpenJDK 14.0.2+12-46
> - OpenJDK 15-ea+31-1502
> - Adopt OpenJDK 1.8.0_262-b10
> - Adopt OpenJDK 11.0.8+10
> - Adopt OpenJDK 14.0.2+12
> - RedHat OpenJDK 1.8.0_201-b09
> - RedHat OpenJDK 11.0.2+7-LTS
> - Azul Zulu 1.8.0_262-b18
> - Azul Zulu 11.0.8+10-LTS
> - Azul 14.0.2+12
>
> All tests succeed with the following exceptions. These do not
> differ between OpenSSL 1.1.1g plus patches and 3.0.0alpha5:
>
> - zulu JDK 1.8.0
>
> 2 errors for NIO and NIO2 in
> org.apache.tomcat.util.net.TestClientCertTls13:
>
> Testcase: testClientCertPost took 2.327 sec
>         Caused an ERROR
> Received fatal alert: protocol_version
> javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
>         at sun.security.ssl.Alert.createSSLException(Alert.java:131)
>         at sun.security.ssl.Alert.createSSLException(Alert.java:117)
>         at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
>         at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
>         at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
>         at sun.security.ssl.SSLTransport.decode(SSLTransport.java:156)
>         at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1197)
>         at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1106)
>         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:398)
>         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:370)
>         at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
>         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>         at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167)
>         at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:789)
>         at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:755)
>         at org.apache.catalina.startup.TomcatBaseTest.postUrl(TomcatBaseTest.java:729)
>         at org.apache.tomcat.util.net.TestClientCertTls13.testClientCertPost(TestClientCertTls13.java:61)

Interesting.


> Testcase: testClientCertGet took 0.169 sec
>         Caused an ERROR
> Received fatal alert: protocol_version
> javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
>         at sun.security.ssl.Alert.createSSLException(Alert.java:131)
>         at sun.security.ssl.Alert.createSSLException(Alert.java:117)
>         at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
>         at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
>         at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
>         at sun.security.ssl.SSLTransport.decode(SSLTransport.java:156)
>         at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1197)
>         at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1106)
>         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:398)
>         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:370)
>         at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
>         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>         at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167)
>         at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:691)
>         at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:665)
>         at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:659)
>         at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:653)
>         at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:638)
>         at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:632)
>         at org.apache.tomcat.util.net.TestClientCertTls13.testClientCertGet(TestClientCertTls13.java:45)

Also interesting.

So it looks like TLSv1.3 without client certs works, but the
client-cert tests are failing?

> - RedHat JDK 1.8.0
>
> 8 errors in org.apache.tomcat.util.net.TestSSLHostConfigCompat
>
> Testcase: testHostECandRSAwithRSAClient[NIO-JSSE-KEYSTORE] took 2.878 sec
>         Caused an ERROR
> DHPublicKey does not comply to algorithm constraints
> javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
>         at sun.security.ssl.DHCrypt.checkConstraints(DHCrypt.java:237)
>         at sun.security.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:774)
>         at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:287)
>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
>         at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
>         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
>         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
>         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
>         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
>         at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
>         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>         at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162)
>         at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:691)
>         at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:665)
>         at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:659)
>         at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:653)
>         at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:638)
>         at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:632)
>         at org.apache.tomcat.util.net.TestSSLHostConfigCompat.doTest(TestSSLHostConfigCompat.java:298)
>         at org.apache.tomcat.util.net.TestSSLHostConfigCompat.testHostECandRSAwithRSAClient(TestSSLHostConfigCompat.java:131)
>
> and similar errors in
>
> Testcase: testHostRSAandECwithRSAClient[NIO-JSSE-KEYSTORE] took 0.181 sec
> Testcase: testHostRSAwithRSAandECClient[NIO-JSSE-KEYSTORE] took 0.151 sec
> Testcase: testHostRSAwithRSAClient[NIO-JSSE-KEYSTORE] took 0.149 sec
> Testcase: testHostECandRSAwithRSAClient[NIO-JSSE-PEM] took 0.394 sec
> Testcase: testHostRSAandECwithRSAClient[NIO-JSSE-PEM] took 0.185 sec
> Testcase: testHostRSAwithRSAandECClient[NIO-JSSE-PEM] took 0.255 sec
> Testcase: testHostRSAwithRSAClient[NIO-JSSE-PEM] took 0.199 sec

I'm assuming that this is a spec-upgrade and we are just using smelly
certs in our tests. Does that sound about right?


> Furthermore the test with OpenSSL 1.1.1g plus patches showed one
> isolated JVM crash under Zulu with JDK 11 in
> org.apache.tomcat.util.net.TestSsl for NIO2:
>
>      Executable: /usr/local/zulu_jdk11/bin/java
>   Control Group: /
>           Slice: -.slice
>         Boot ID: 5b69924960db44f297aac21f912de346
>      Machine ID: 11e20c69b48145c494c0005eb2e92d17
>        Hostname: esb-rhel8-64
>         Storage: /var/lib/systemd/coredump/core.java.1200.5b69924960db44f297aac21f912de346.8157.1596423433000000.lz4
>         Message: Process 8157 (java) of user 1200 dumped core.
>
>                  Stack trace of thread 8162:
>                  #0  0x00007f2a39bfe93f raise (libc.so.6)
>                  #1  0x00007f2a39be8c95 abort (libc.so.6)
>                  #2  0x00007f2a39c41d57 __libc_message (libc.so.6)
>                  #3  0x00007f2a39c4868c malloc_printerr (libc.so.6)
>                  #4  0x00007f2a39c4a188 _int_free (libc.so.6)
>                  #5  0x00007f2a08b0d4f3 apr_allocator_destroy (libapr-1.so.0)
>                  #6  0x00007f2a08b0df60 apr_pool_terminate (libapr-1.so.0)
>                  #7  0x00007f2a1be0f1f0 n/a (n/a)
>                  #8  0x00007f2a1be00849 n/a (n/a)
>                  #9  0x00007f2a38faab42 _ZN9JavaCalls11call_helperEP9JavaValueRK12methodHandleP17JavaCallArgumentsP6Thread (libjvm.so)
>                  #10 0x00007f2a393b8de0 _ZL6invokeP13InstanceKlassRK12methodHandle6Handleb14objArrayHandle9BasicTypeS5_bP6Thread (libjvm.so)
>                  #11 0x00007f2a393b9bc3 _ZN10Reflection13invoke_methodEP7oopDesc6Handle14objArrayHandleP6Thread (libjvm.so)
>                  #12 0x00007f2a39058542 JVM_InvokeMethod (libjvm.so)
>                  #13 0x00007f2a239792b0 n/a (n/a)
>                  #14 0x00007f2a1c779a8c n/a (n/a)
>
> I ran the test with 2 threads in parallel. It looks like a
> possible thread safety issue (race condition) during shutdown.
> Seems not to be strictly reproducible.

Does higher concurrency improve the reliability of this failure?

> So far this means OpenSSL 3.0.0 looks good :)

That IS good news.

Thanks,
- -chris


-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl8oOrAACgkQHPApP6U8
pFh/og/+LLhkI0r3u726xKCIM7Oviy2wiz8UsPmHy0G/0tv8nZKCLJ4rDR27cG70
NCFD5kc7wcSlB2CsEqONpD2h37vWMJo5oIrguDdKyjn1p2fD2+8QWv5nFrfsd2d6
4UXgLvlJm4O95MpkEF1O5gfR24bDhHwg1EYogcUhtpll9oS4XWXpEpvQSOq9hBFz
DXuoqriU2F/tK+2JLsGavnTf0EKwBwg7Afd2QhEw0GPbhgkV4xylR7sWptS25bEU
9QkFhF+1Ba4UKex3WnfP+uLwY12fkFWFhMKiUVDAjsUDq7EGF0WAUQYjCC/VBd89
Vane1qeIzdU9LypMol9NuMAS5S0Mn5k0f/BP3QrfN2Bc+3tA9lBML9qsS84nrc9l
IP2PILGXD7jr4bK7l6VLV7booLpDUK2+nEegtQTCadEr89U3xX1fnGJfyOb5rxXx
nqV9HES5h7wRzl9xtd3u4KtRC3tNhbVnFaJdsG1igmxr6AF7O0zMUjQyu2RTNx/G
813RmcWe8jorEq67tAGOl/imn764fxerWhqUOMxN/TVOcSj1YwkymkDWRs+UOzQR
ooyx/bUVMsW98cPKUBB00VN881axXgorP98rCsm4HkzJxD3NvXRLUvOuk2p9RoQU
ai/VhMGxtlR95V8qK4zdbp+zvvew7ZkQTJJw9bb2br62qMvqBIc=
=JcGj
-----END PGP SIGNATURE-----

Re: First impressions from OpenSSL 3.0.0 and TC 10.0.0-M7 plus tcnative 1.2.24

Rainer Jung-3
Hi Chris, hi all,

I can't currently analyze the observed few failures that also happen in
1.1.1 due to time constraints.

The patches for 1.1.1 I mentioned are just that I typically use a
slightly newer version than the released one, because OpenSSL often
accumulates quite a few patches before doing a release. Not saying this
is good to do, it's just what is most easily available to me. In the
case here it was 1.1.1g plus everything that was committed to the 1.1.1
branch until 2020-07-11. There's nothing specifically needed for tcnative.

I think the concept of ENGINE was mostly replaced by providers in
OpenSSL 3.0.0. I haven't checked the details, but some info is available
here

https://wiki.openssl.org/index.php/OpenSSL_3.0

and here

https://www.openssl.org/docs/OpenSSL300Design.html

I mostly wanted to provide a short notice that currently it seems we
can support 3.0.0 once it gets a GA release with only very little
effort, hopefully with our code as-is.

Best regards,

Rainer

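Chris's complaint above that a large number of functions were deprecated in 3.0 with little guidance, and Rainer's note that ENGINE was mostly replaced by providers in OpenSSL 3.0, both start from the same triage step: find out which deprecated APIs the code base actually calls and from where. The following is an added example, not code from the tcnative, httpd or Tomcat projects. It parses the two gcc `-Wdeprecated-declarations` shapes quoted in this thread (the `file:line:col: ... [-Wdeprecated-declarations]` form and the `file:line: ... (declared at header:line)` form), de-duplicates the call sites and groups them per deprecated symbol. The sample log is constructed from warning lines quoted in the thread plus one unrelated compiler line to show that it is ignored; the ENGINE-to-providers hint is the point made in the thread, while the HMAC-to-EVP_MAC and ERR_*_line_data-to-ERR_*_all hints follow the OpenSSL 3.0 manual pages and are not stated on this page.

```python
"""Summarise gcc -Wdeprecated-declarations output from an OpenSSL 3.0 build.

Added example; not code from tcnative, httpd or Tomcat. It parses the two
warning shapes quoted in the thread and reports, per deprecated symbol, the
call sites and (where gcc printed it) the declaring OpenSSL header.
"""
import re
from collections import defaultdict

# Shape 1: "file:line:col: warning: 'SYM' is deprecated [-Wdeprecated-declarations]"
_FLAG_RE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+):\d+: warning: "
    r"'(?P<symbol>\w+)' is deprecated \[-Wdeprecated-declarations\]$"
)
# Shape 2: "file:line: warning: 'SYM' is deprecated (declared at header:line)"
_DECL_RE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+): warning: "
    r"'(?P<symbol>\w+)' is deprecated \(declared at (?P<header>[^:)]+):(?P<hline>\d+)\)$"
)

# Constructed sample: warning lines quoted in the thread plus one unrelated
# gcc line (the -Wunused-variable one) that the parser must ignore.
SAMPLE_LOG = """\
src/ssl.c:422:5: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
src/ssl.c:424:9: warning: 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
src/ssl.c:426:13: warning: 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
src/ssl.c:809:13: warning: 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
src/ssl.c:422: warning: 'ENGINE_by_id' is deprecated (declared at /path/to/include/openssl/engine.h:327)
src/ssl.c:424: warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at /path/to/include/openssl/engine.h:462)
modules/ssl/ssl_engine_kernel.c:2611:9: warning: 'HMAC_Init_ex' is deprecated [-Wdeprecated-declarations]
modules/ssl/ssl_engine_log.c:90:5: warning: 'ERR_peek_error_line_data' is deprecated [-Wdeprecated-declarations]
src/ssl.c:1234:1: warning: unused variable 'x' [-Wunused-variable]
"""


def parse_warnings(log):
    """Return one dict per deprecation warning; other compiler output is ignored."""
    found = []
    for raw in log.splitlines():
        line = raw.strip()
        m = _FLAG_RE.match(line) or _DECL_RE.match(line)
        if not m:
            continue
        header = m.groupdict().get("header")  # only present for shape 2
        found.append({
            "file": m["file"],
            "line": int(m["line"]),
            "symbol": m["symbol"],
            "header": f"{header}:{m['hline']}" if header else None,
        })
    return found


def api_family(symbol):
    """Coarse migration bucket for a deprecated symbol.

    ENGINE -> providers is the point made in the thread; the HMAC and ERR
    hints follow the OpenSSL 3.0 manual pages (HMAC(3), ERR_get_error(3)).
    """
    if symbol.startswith("ENGINE_"):
        return "ENGINE API (superseded by providers; see OSSL_PROVIDER_load)"
    if symbol.startswith("HMAC_"):
        return "low-level HMAC (superseded by EVP_MAC)"
    if symbol.startswith("ERR_") and symbol.endswith("_line_data"):
        return "ERR_*_line_data (superseded by the ERR_*_all functions)"
    return "other deprecated API"


def summarise(warnings):
    """Group by symbol: de-duplicated, sorted call sites plus declaring header.

    gcc may report the same call site in both shapes, so sites are a set.
    """
    grouped = defaultdict(lambda: {"sites": set(), "header": None})
    for w in warnings:
        entry = grouped[w["symbol"]]
        entry["sites"].add(f"{w['file']}:{w['line']}")
        if w["header"]:
            entry["header"] = w["header"]
    return {
        sym: {"family": api_family(sym), "header": e["header"],
              "sites": sorted(e["sites"])}
        for sym, e in sorted(grouped.items())
    }


def format_report(summary):
    """Human-readable report, one block per deprecated symbol."""
    lines = []
    for sym, e in summary.items():
        where = f" (declared at {e['header']})" if e["header"] else ""
        lines.append(f"{sym}{where}")
        lines.append(f"  family: {e['family']}")
        for site in e["sites"]:
            lines.append(f"  called from {site}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarise(parse_warnings(SAMPLE_LOG))))
```

Feed it the full build log instead of `SAMPLE_LOG` (for example `parse_warnings(open("build.log").read())`) to get the complete list of symbols a port to 3.0 has to touch; the per-symbol grouping is what makes the list actionable, since the same handful of ENGINE_* calls tends to show up at many call sites.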
Re: First impressions from OpenSSL 3.0.0 and TC 10.0.0-M7 plus tcnative 1.2.24

Felix Schumacher
Chris,

On 03.08.20 at 18:26, Christopher Schultz wrote:

> Rainer,
>
> On 8/3/20 07:03, Rainer Jung wrote:
> > Hi Chris, hi all,
>
> > I ran build and tests for TC 10.0.0-M7 plus tcnative 1.2.24 and
> > compared them between OpenSSL 3.0.0alpha5 and 1.1.1g plus patches.
> > APR was always 1.7.0.
>
> Thanks for trying this out. What is "OpenSSL 1.1.1 + patches?" Which
> patches are you applying?
>
> > - build warnings for tcnative using OpenSSL 3.0.0alpha5:
>
> > src/ssl.c:422:5: warning: 'ENGINE_by_id' is deprecated
> > [-Wdeprecated-declarations] src/ssl.c:424:9: warning:
> > 'ENGINE_ctrl_cmd_string' is deprecated [-Wdeprecated-declarations]
> > src/ssl.c:425:13: warning: 'ENGINE_ctrl_cmd_string' is deprecated
> > [-Wdeprecated-declarations] src/ssl.c:426:13: warning:
> > 'ENGINE_free' is deprecated [-Wdeprecated-declarations]
> > src/ssl.c:806:13: warning: 'ENGINE_register_all_complete' is
> > deprecated [-Wdeprecated-declarations] src/ssl.c:809:13: warning:
> > 'ENGINE_by_id' is deprecated [-Wdeprecated-declarations]
> > src/ssl.c:815:21: warning: 'ENGINE_ctrl' is deprecated
> > [-Wdeprecated-declarations] src/ssl.c:817:17: warning:
> > 'ENGINE_set_default' is deprecated [-Wdeprecated-declarations]
> > src/ssl.c:822:17: warning: 'ENGINE_free' is deprecated
> > [-Wdeprecated-declarations] src/ssl.c:422: warning: 'ENGINE_by_id'
> > is deprecated (declared at /path/to/include/openssl/engine.h:327)
> > src/ssl.c:424: warning: 'ENGINE_ctrl_cmd_string' is deprecated
> > (declared at /path/to/include/openssl/engine.h:462) src/ssl.c:425:
> > warning: 'ENGINE_ctrl_cmd_string' is deprecated (declared at
> > /path/to/include/openssl/engine.h:462) src/ssl.c:426: warning:
> > 'ENGINE_free' is deprecated (declared at
> > /path/to/include/openssl/engine.h:474) src/ssl.c:806: warning:
> > 'ENGINE_register_all_complete' is deprecated (declared at
> > /path/to/include/openssl/engine.h:407) src/ssl.c:809: warning:
> > 'ENGINE_by_id' is deprecated (declared at
> > /path/to/include/openssl/engine.h:327) src/ssl.c:815: warning:
> > 'ENGINE_ctrl' is deprecated (declared at
> > /path/to/include/openssl/engine.h:419) src/ssl.c:817: warning:
> > 'ENGINE_set_default' is deprecated (declared at
> > /path/to/include/openssl/engine.h:652) src/ssl.c:822: warning:
> > 'ENGINE_free' is deprecated (declared at
> > /path/to/include/openssl/engine.h:474)
>
> I spot-checked ENGINE_ctrl_cmd_string and I can't seem to find any
> indication of what replacement exists for this function. It seems that
> a huge number of functions have been deprecated in 3.0.x with very
> little explanation for how to update client code to be 3.0-compliant.
Have you seen the design document for 3.0?

https://www.openssl.org/docs/OpenSSL300Design.html#the-engine-api

Looks like they want to explain later how to upgrade old code.

Felix


