Java version of ome/omero-py#336 and ome/omero-py#377 #139
Like ome/omero-py#336, removes support for ADH, and adds support for TLS 1.3 like ome/omero-py#377.
Since we have less experience with wider TLS settings on the JDK this will require a little more testing than ome/omero-py#377. If you negotiate a TLS 1.3 connection with omero-py, the behaviour on the JDK without this PR is pretty ugly. For example, using the importer:
Tested using a very similar set-up as ome/omero-py#377 (review) using a derivative of https://github.com/ome/minimal-omero-client, built with this PR included and a simplified version of the connector calling
The two Rocky / CentOS failures showed the following stack trace
so I suspect a similar patch as the one discussed in https://forum.image.sc/t/omero-login-ssl-error-dh-key/79574 should be applied. Proposed next steps on this effort:
I was able to reproduce #139 (comment) on Ubuntu 22.04 after setting up TLS 1.3 exclusively:
I will run another round of testing cross-platforms with an import workflow i.e. testing both Python and Java clients to assess things are working as expected. From a tester perspective, I am starting to be worried about the dangers and limitations of integrating multiple development efforts (omero-py, omero-blitz, ice binaries on Rocky9).
Ticket created #143 for cleanup
Retested the cross-distribution compatibility on the same set of platforms as described in #139 (comment) with the following IceSSL server settings
- CentOS 7
  omero certificates
  omero config set omero.glacier2.IceSSL.Protocols "TLS1_2"
  omero config set omero.glacier2.IceSSL.ProtocolVersionMin TLS1_2
  omero config set omero.glacier2.IceSSL.ProtocolVersionMax TLS1_2
  omero config set omero.glacier2.IceSSL.Ciphers HIGH:!DH
- Rocky Linux 8
  omero certificates
  omero config set omero.glacier2.IceSSL.Protocols "TLS1_2,TLS1_3"
  omero config set omero.glacier2.IceSSL.ProtocolVersionMin TLS1_2
  omero config set omero.glacier2.IceSSL.ProtocolVersionMax TLS1_3
- Rocky Linux 9
  omero certificates
  omero config set omero.glacier2.IceSSL.Protocols "TLS1_2,TLS1_3"
  omero config set omero.glacier2.IceSSL.ProtocolVersionMin TLS1_2
  omero config set omero.glacier2.IceSSL.ProtocolVersionMax TLS1_3
- Ubuntu 20.04
  omero certificates
  omero config set omero.glacier2.IceSSL.Protocols "TLS1_2,TLS1_3"
  omero config set omero.glacier2.IceSSL.ProtocolVersionMin TLS1_2
  omero config set omero.glacier2.IceSSL.ProtocolVersionMax TLS1_3
- Ubuntu 22.04
  omero certificates
  omero config set omero.glacier2.IceSSL.Protocols "TLS1_2,TLS1_3"
  omero config set omero.glacier2.IceSSL.ProtocolVersionMin TLS1_2
  omero config set omero.glacier2.IceSSL.ProtocolVersionMax TLS1_3
These should ensure that the highest available protocol between TLS 1.2 and TLS 1.3 is selected during the client/server connection.
With this set-up, the following workflows were tested:
- minimal Python client connection as described in omero-py#377 (review, "Let Ice choose the default SSL protocols that are available") with --IceSSL.Trace.Security=1 to display the selected protocols
- minimal Java client connection as described
- command-line OMERO import i.e. involving both Python and Java session creation
All tests completed successfully with the set-up above.
As discussed this morning with @chris-allan and @jburel, I cannot think of any additional testing to perform at this stage. Next proposed steps are:
- merge and release this component so that we can work towards deploying testing servers consuming a released artifact
- open an omero-certificates PR capturing the TLS configuration changes above (possibly with a variation for the CentOS 7 workaround)
- set up testing servers using the new omero-blitz/omero-certificates/omero-py on a selected set of server environments, minimally CentOS 7, Ubuntu 22.04, Rocky Linux 9
- retest the connection from various clients and client environments, including OMERO.insight as well as Windows/Linux
- work towards a September public release of OMERO.server and OMERO clients like OMERO.insight
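The comment above relies on the client and server agreeing on the highest protocol both sides allow, and on the CentOS 7 workaround ruling out DH key exchange. The following added example (not omero-blitz, omero-py or Ice code) models that outcome from the omero.glacier2.IceSSL.* settings quoted in the thread. It assumes the server offers the intersection of IceSSL.Protocols with the ProtocolVersionMin..ProtocolVersionMax range, and that a handshake fails when there is no common version; the real decision is made by the TLS stack, so this only predicts what IceSSL.Trace.Security=1 should report.

```python
"""Predict the TLS version an IceSSL client and server agree on.

Added example, not project code. Assumption: the server's usable versions
are IceSSL.Protocols intersected with ProtocolVersionMin..ProtocolVersionMax.
"""
import shlex

# Ice-style protocol tokens in version order (assumed; the thread uses these names).
TLS_ORDER = ["TLS1_0", "TLS1_1", "TLS1_2", "TLS1_3"]

# Constructed input: the CentOS 7 and Rocky Linux 9 settings from this thread.
CENTOS7_CONFIG = """
omero config set omero.glacier2.IceSSL.Protocols "TLS1_2"
omero config set omero.glacier2.IceSSL.ProtocolVersionMin TLS1_2
omero config set omero.glacier2.IceSSL.ProtocolVersionMax TLS1_2
omero config set omero.glacier2.IceSSL.Ciphers HIGH:!DH
"""

ROCKY9_CONFIG = """
omero config set omero.glacier2.IceSSL.Protocols "TLS1_2,TLS1_3"
omero config set omero.glacier2.IceSSL.ProtocolVersionMin TLS1_2
omero config set omero.glacier2.IceSSL.ProtocolVersionMax TLS1_3
"""


def parse_config(text):
    """Turn 'omero config set KEY VALUE' lines into a {KEY: VALUE} dict."""
    settings = {}
    for line in text.strip().splitlines():
        parts = shlex.split(line)  # drops the shell quotes around "TLS1_2,TLS1_3"
        if parts[:3] == ["omero", "config", "set"] and len(parts) == 5:
            settings[parts[3]] = parts[4]
    return settings


def allowed_versions(settings, prefix="omero.glacier2.IceSSL."):
    """Versions the server will offer: Protocols list limited to the Min..Max range."""
    protocols = settings.get(prefix + "Protocols")
    listed = {p.strip() for p in protocols.split(",")} if protocols else set(TLS_ORDER)
    lo = TLS_ORDER.index(settings.get(prefix + "ProtocolVersionMin", TLS_ORDER[0]))
    hi = TLS_ORDER.index(settings.get(prefix + "ProtocolVersionMax", TLS_ORDER[-1]))
    return listed & set(TLS_ORDER[lo:hi + 1])


def negotiate(server_versions, client_versions):
    """Highest version both sides support, or None when the handshake must fail."""
    common = [v for v in TLS_ORDER if v in server_versions and v in client_versions]
    return common[-1] if common else None


def dh_excluded(settings, prefix="omero.glacier2.IceSSL."):
    """True when the OpenSSL cipher string rules out DH key exchange (the CentOS 7 workaround)."""
    ciphers = settings.get(prefix + "Ciphers", "")
    return "!DH" in ciphers.split(":")


if __name__ == "__main__":
    for name, cfg in (("CentOS 7", CENTOS7_CONFIG), ("Rocky Linux 9", ROCKY9_CONFIG)):
        server = allowed_versions(parse_config(cfg))
        for client in ({"TLS1_2", "TLS1_3"}, {"TLS1_3"}):
            print(name, sorted(client), "->", negotiate(server, client))
```

Running the script shows the two cases the thread reports: a client allowing TLS 1.2 and 1.3 gets TLS1_3 from the Rocky Linux 9 settings and TLS1_2 from CentOS 7, while a TLS 1.3-only client against the CentOS 7 settings has no common version and the connection cannot be established.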
This pull request has been mentioned on Image.sc Forum. There might be relevant details there: https://forum.image.sc/t/omero-login-ssl-error-dh-key/79574/17