ZOOKEEPER-3404. Downgrade BouncyCastle to 1.60 #961
Conversation
|
As we are using BC only for tests it is okay to downgrade in order to make tests more stable. btw if we have these problems now someday we will see them again when we will need to upgrade. BC comes with its own Security Providers, I am afraid that it not polluting the classpath during tests executions. The JVM (Javax Crypto) selects Security Providers by using what is on the classpath. We should add debug in every security-related utility and dump which Security Provider is in use. We should also add Netty (Google) Boring SSL library in order to be sure about the SSL implementation we are using. Unfortunately we are not using Netty yet on server to server communication, as so I guess we are more fragile in this Security Provider selection. cc @enixon |
@eolivelli This is valid. BC is for testing only currently and we'll face this problem again once we need to upgrade to address a CVE for example. However that could be a more recent version of BC where they identify and fix the performance regression. Other option could be to improve Wrt to Security Providers I think you're right, though I'm not an expert of Java Security, so not sure how to address the problem properly. I suggest to keep this patch for the performance problem only for now. Please see my comments / evidence in Jira too. |
I've seen a lot of test timeout errors with QuorumSSL tests since I upgraded master to BouncyCastle 1.61 due to a Java 9 warning. The warning has been reported by Enrico Olivelli which we tried to solve by the upgrade, but the warning message is still present so I don't see any harm in downgrading to the previous version. https://issues.apache.org/jira/browse/ZOOKEEPER-3404 Author: Andor Molnar <andor@apache.org> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Norbert Kalmar <nkalmar@apache.org> Closes #961 from anmolnar/ZOOKEEPER-3404 (cherry picked from commit 78b3d1a) Signed-off-by: Norbert Kalmar <nkalmar@apache.org>
|
Thanks @anmolnar , merged to master and 3.5 |
|
@eolivelli @anmolnar - one of you want to open a ticket for the improvements mentioned above? Getting the dependencies clarified and reducing the running time of the SSL tests are good improvements. |
I've seen a lot of test timeout errors with QuorumSSL tests since I upgraded master to BouncyCastle 1.61 due to a Java 9 warning. The warning has been reported by Enrico Olivelli which we tried to solve by the upgrade, but the warning message is still present so I don't see any harm in downgrading to the previous version. https://issues.apache.org/jira/browse/ZOOKEEPER-3404 Author: Andor Molnar <andor@apache.org> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Norbert Kalmar <nkalmar@apache.org> Closes apache#961 from anmolnar/ZOOKEEPER-3404
I've seen a lot of test timeout errors with QuorumSSL tests since I upgraded master to BouncyCastle 1.61 due to a Java 9 warning. The warning has been reported by Enrico Olivelli which we tried to solve by the upgrade, but the warning message is still present so I don't see any harm in downgrading to the previous version.
https://issues.apache.org/jira/browse/ZOOKEEPER-3404