Dependencies for ssl-tests testsuite #3059

Closed
zzambers opened this issue May 15, 2023 · 13 comments · Fixed by #3169
@zzambers

zzambers commented May 15, 2023

Integration of new ssl-tests testsuite into aqa is in progress [1]. However, some additional dependencies will be needed.

For linux these are (ubuntu package names):

  • make openssl
  • curl
  • gnutls-bin (needed by ssl-tests-gnutls-client.sh)
  • libnss3 libnss3-tools libnss3-dev gcc pkg-config (needed by ssl-tests-nss-client.sh)

For other systems (Windows and Mac, possibly others?):

  • make openssl
  • curl
  • integration testing with other clients currently not enabled on non-Linux

For more details, see [1].

[1] adoptium/aqa-tests#4403

@zzambers
Author

Any progress?

@karianna
Contributor

CC @sxa for triage prioritisation, might be needed for July PSU?

@steelhead31 steelhead31 self-assigned this Aug 8, 2023
@sxa sxa added this to the 2023-08 (August) milestone Aug 15, 2023
@steelhead31
Contributor

Beginning work on this, I believe.. make, open-ssl, curl, gcc & pkg-config are already present, currently working on adding gnutls-bin and the lib-nss packages for our supported dists, will verify the ones I expect to be present are.

@steelhead31
Contributor

Playbooks updated and tested on Alpine 3.17, Centos 7, Debian 8.

All fine except for missing tstclnt utility to run the ssl-tests-nss-client.sh test suite on Alpine, this suite will need excluding on Alpine.

Continuing to work through other dists & platforms.

@sxa
Member

sxa commented Aug 22, 2023

@steelhead31 Can you add an example of running a test to validate the new prereqs into https://github.com/adoptium/infrastructure/blob/master/FAQ.md#how-do-i-replicate-a-test-failure and perhaps also add one into the VPC tests too so that we can verify that they don't break in the future before merging anything?

@steelhead31
Contributor

> @steelhead31 Can you add an example of running a test to validate the new prereqs into https://github.com/adoptium/infrastructure/blob/master/FAQ.md#how-do-i-replicate-a-test-failure and perhaps also add one into the VPC tests too so that we can verify that they don't break in the future before merging anything?

Yup, no problem at all.

@steelhead31
Contributor

Omitting FreeBSD as this is not a supported platform.

@steelhead31
Contributor

I'm just making a few final checks and adjustments on my PR to install these pre-req packages for the SSL tests; there are a couple of issues with the tests when running on CentOS6.

./ssl-tests-openssl-client.sh tests run OK, but there are a couple of issues in the other two test suites

```
ssl-tests-gnutls-client.sh

IGNORED: SunJSSE/DTLSv1.2: DTLSv1.0 + TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Exception in thread "main" java.lang.RuntimeException: java.lang.IllegalArgumentException: Unknown protocol: CTYPE-OPENPGP
at SSLSocketTester.testConfigurations(SSLSocketTester.java:283)
at SSLSocketTester.testProvider(SSLSocketTester.java:234)
at SSLSocketTester.testProviders(SSLSocketTester.java:190)
at Main.main(Main.java:30)
Caused by: java.lang.IllegalArgumentException: Unknown protocol: CTYPE-OPENPGP
at GnutlsClient.getJavaProtoName(GnutlsClient.java:88)
at GnutlsClient.getSupportedCiphers(GnutlsClient.java:125)
at SSLSocketTester.testConfigurations(SSLSocketTester.java:268)
... 3 more
../ssl-tests/ssl-tests.mk:48: recipe for target 'ssl-tests-run' failed

```

And

```
ssl-tests-nss-client.sh

../ssl-tests/ssl-tests.mk:48: recipe for target 'ssl-tests-run' failed
make: *** [ssl-tests-run] Error 1

FAILED: SunJSSE/TLSv1.3: TLSv1.3 + TLS_AES_256_GCM_SHA384
Sep 27, 2023 9:53:58 AM SSLSocketServer$1 run
SEVERE: null
javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1.2 is not enabled or supported in server context
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:365)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:312)
at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.negotiateProtocol(ClientHello.java:871)
at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:823)
at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:801)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:925)
at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1016)
at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:976)
at SSLSocketServer.serverLoop(SSLSocketServer.java:133)
at SSLSocketServer$1.run(SSLSocketServer.java:75)
at java.base/java.lang.Thread.run(Thread.java:833)

stderr: tstclnt: read from socket failed: SSL_ERROR_PROTOCOL_VERSION_ALERT: Peer reports incompatible or unsupported protocol version.
Sep 27, 2023 9:53:58 AM SSLSocketTester testConfiguration
SEVERE: null
java.lang.RuntimeException: Program exit value not zero: 1
at ExternalClient.test(ExternalClient.java:267)
at SSLSocketTester.testConfiguration(SSLSocketTester.java:392)
at SSLSocketTester.testConfigurations(SSLSocketTester.java:322)
at SSLSocketTester.testProvider(SSLSocketTester.java:234)
at SSLSocketTester.testProviders(SSLSocketTester.java:190)
at Main.main(Main.java:30)

FAILED: SunJSSE/TLSv1.3: TLSv1.3 + TLS_AES_128_GCM_SHA256
Sep 27, 2023 9:53:58 AM SSLSocketServer$1 run
SEVERE: null
javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1.2 is not enabled or supported in server context
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:365)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:312)
at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.negotiateProtocol(ClientHello.java:871)
at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:823)
at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:801)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:925)
at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1016)
at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:976)
at SSLSocketServer.serverLoop(SSLSocketServer.java:133)
at SSLSocketServer$1.run(SSLSocketServer.java:75)
at java.base/java.lang.Thread.run(Thread.java:833)

stderr: tstclnt: read from socket failed: SSL_ERROR_PROTOCOL_VERSION_ALERT: Peer reports incompatible or unsupported protocol version.
Sep 27, 2023 9:53:58 AM SSLSocketTester testConfiguration
SEVERE: null
java.lang.RuntimeException: Program exit value not zero: 1
at ExternalClient.test(ExternalClient.java:267)
at SSLSocketTester.testConfiguration(SSLSocketTester.java:392)
at SSLSocketTester.testConfigurations(SSLSocketTester.java:322)
at SSLSocketTester.testProvider(SSLSocketTester.java:234)
at SSLSocketTester.testProviders(SSLSocketTester.java:190)
at Main.main(Main.java:30)

```

@zzambers
Author

Thanks for the info. I'll try to run ssl-tests on rhel-6 (we no longer do regular testing on rhel6/centos6).

@sxa
Member

sxa commented Oct 2, 2023

@steelhead31 Have you seen (or can you determine if we're seeing) the issues with the absence of rngd when running the tests on the Temurin builds instead of OpenJ9: eclipse-openj9/openj9#16720

@steelhead31
Contributor

> @steelhead31 Have you seen (or can you determine if we're seeing) the issues with the absence of rngd when running the tests on the Temurin builds instead of OpenJ9: eclipse-openj9/openj9#16720

I haven't seen any examples of this; all of the test suites, with the exception of those platforms/tests mentioned, have worked correctly. I'll see if I can determine which platforms etc. encounter the issue, and see if I can recreate it on some of our test machines.

@zzambers
Author

@steelhead31 Thank you for doing this work. I'll proceed with the addition of ssl-tests.

However, it seems it still needs to get deployed somehow.
I tried to run some grinder test jobs and I still have problems with dependencies:

https://ci.adoptium.net/view/Test_grinder/job/Grinder/7851/console
Exception in thread "main" java.lang.RuntimeException: java.io.IOException: Cannot run program "gnutls-cli": error=2, No such file or directory

https://ci.adoptium.net/view/Test_grinder/job/Grinder/7856/console
make: openssl: No such file or directory
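
The two Grinder failures above are both missing-binary errors, so a pre-flight check on the test machine catches them before the Java harness starts. The script below is an added example, not part of the thread or the project's playbooks; the suite-to-command mapping is taken from the dependency list in this issue, and checking only `PATH` (not the libnss3-dev headers) is an assumption.

```shell
#!/bin/sh
# Added example: pre-flight check for the ssl-tests dependencies named in this issue.
# Assumption: a command being on PATH is enough; development headers are not checked.

# Commands each suite needs, following the issue's dependency list.
suite_cmds() {
    base="make openssl curl"
    case "$1" in
        ssl-tests-openssl-client.sh) echo "$base" ;;
        ssl-tests-gnutls-client.sh)  echo "$base gnutls-cli" ;;
        ssl-tests-nss-client.sh)     echo "$base tstclnt gcc pkg-config" ;;
        *) return 2 ;;   # unknown suite name
    esac
}

# Print the commands a suite needs that are not on PATH (empty line if none).
missing_cmds() {
    cmds=$(suite_cmds "$1") || return 2
    out=""
    for c in $cmds; do
        command -v "$c" >/dev/null 2>&1 || out="${out:+$out }$c"
    done
    echo "$out"
}

# Print one line per suite that cannot run on this host and needs excluding
# (for example the nss-client suite on a host without tstclnt).
suites_to_exclude() {
    for s in ssl-tests-openssl-client.sh ssl-tests-gnutls-client.sh \
             ssl-tests-nss-client.sh; do
        m=$(missing_cmds "$s")
        [ -n "$m" ] && echo "$s: missing $m"
    done
    return 0
}

suites_to_exclude
```
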

@zzambers
Author

When it comes to problems on Centos6
(We ourselves no longer test on RHEL6/Centos6.):

ssl-tests-gnutls-client.sh
I reproduced it and made some fixes for old gnutls-cli in ssl-tests. However, in the end there are some problems which probably do not allow the old gnutls-cli to be used on Centos6. So it is probably a candidate for exclusion on Centos6.

ssl-tests-nss-client.sh
This one works for me. I was not able to reproduce the issue on Centos6. (Tested using java-1.8.0-openjdk package)
