
Java version of ome/omero-py#336 and ome/omero-py#377 #139

Merged (1 commit), Jul 28, 2023

Conversation


@chris-allan (Member Author)

Like ome/omero-py#336, removes support for ADH, and adds support for TLS 1.3 like ome/omero-py#377.

@chris-allan (Member Author) commented Jul 10, 2023

Since we have less experience with wider TLS settings on the JDK this will require a little more testing than ome/omero-py#377. If you negotiate a TLS 1.3 connection with omero-py, the behaviour on the JDK without this PR is pretty ugly. For example, using the importer:

...
2023-07-10 10:37:30,306 585        [      main] ERROR  formats.importer.cli.CommandLineImporter - Error during import process.
Ice.ConnectionLostException: null
        at IceInternal.AsyncResultI.__wait(AsyncResultI.java:276)
        at Ice.ObjectPrxHelperBase.end_ice_isA(ObjectPrxHelperBase.java:310)
        at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:92)
        at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:69)
        at Ice.ObjectPrxHelperBase.checkedCastImpl(ObjectPrxHelperBase.java:2810)
        at Ice.ObjectPrxHelperBase.checkedCastImpl(ObjectPrxHelperBase.java:2770)
        at Glacier2.RouterPrxHelper.checkedCast(RouterPrxHelper.java:1787)
        at omero.client.getRouter(client.java:889)
        at omero.client.createSession(client.java:810)
        at omero.client.joinSession(client.java:745)
        at ome.formats.OMEROMetadataStoreClient.initialize(OMEROMetadataStoreClient.java:764)
        at ome.formats.importer.ImportConfig.createStore(ImportConfig.java:381)
        at ome.formats.importer.cli.CommandLineImporter.<init>(CommandLineImporter.java:162)
        at ome.formats.importer.cli.CommandLineImporter.main(CommandLineImporter.java:997)

@chris-allan (Member Author)

Once we're happy with what's here we should be able to revert all or just the a9a5a85 part of #23.

@sbesson (Member) commented Jul 27, 2023

Tested using a very similar set-up to ome/omero-py#377 (review), using a derivative of https://github.com/ome/minimal-omero-client built with this PR included and a simplified version of the connector calling omero.client(args) directly and passing --IceSSL.Trace.Security=1 to log the negotiated protocol.

| Client / Server | CentOS 7 | Rocky 8 | Rocky 9 | Ubuntu 20.04 | Ubuntu 22.04 |
|---|---|---|---|---|---|
| CentOS 7 | TLS 1.2 | TLS 1.3 | TLS 1.3 | TLS 1.3 | TLS 1.3 |
| Rocky 8 | fail | TLS 1.3 | TLS 1.3 | TLS 1.3 | TLS 1.3 |
| Rocky 9 | fail | TLS 1.3 | TLS 1.3 | TLS 1.3 | TLS 1.3 |
| Ubuntu 20.04 | TLS 1.2 | TLS 1.2 | TLS 1.3 | TLS 1.3 | TLS 1.3 |
| Ubuntu 22.04 | TLS 1.2 | TLS 1.3 | TLS 1.3 | TLS 1.3 | TLS 1.3 |

The two Rocky / CentOS failures showed the following stack trace:

Exception in thread "main" Ice.SecurityException
    reason = "IceSSL: error during read"
	at IceInternal.AsyncResultI.__wait(AsyncResultI.java:276)
	at Ice.ObjectPrxHelperBase.end_ice_isA(ObjectPrxHelperBase.java:310)
	at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:92)
	at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:69)
	at Ice.ObjectPrxHelperBase.checkedCastImpl(ObjectPrxHelperBase.java:2810)
	at Ice.ObjectPrxHelperBase.checkedCastImpl(ObjectPrxHelperBase.java:2770)
	at Glacier2.RouterPrxHelper.checkedCast(RouterPrxHelper.java:1787)
	at omero.client.getRouter(client.java:885)
	at omero.client.createSession(client.java:806)
	at omero.client.createSession(client.java:750)
	at com.glencoesoftware.SimpleConnection.main(SimpleConnection.java:36)
Caused by: javax.net.ssl.SSLHandshakeException: DH ServerKeyExchange does not comply to algorithm constraints
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:347)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:303)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:294)
	at java.base/sun.security.ssl.DHServerKeyExchange$DHServerKeyExchangeConsumer.consume(DHServerKeyExchange.java:538)
	at java.base/sun.security.ssl.ServerKeyExchange$ServerKeyExchangeConsumer.consume(ServerKeyExchange.java:122)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1076)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1063)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1010)
	at IceSSL.TransceiverI.handshakeNonBlocking(TransceiverI.java:363)
	at IceSSL.TransceiverI.initialize(TransceiverI.java:33)
	at Ice.ConnectionI.initialize(ConnectionI.java:1921)
	at Ice.ConnectionI.message(ConnectionI.java:940)
	at IceInternal.ThreadPool.run(ThreadPool.java:395)
	at IceInternal.ThreadPool.access$300(ThreadPool.java:12)
	at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:832)
	at java.base/java.lang.Thread.run(Thread.java:829)

so I suspect a similar patch to the one discussed in https://forum.image.sc/t/omero-login-ssl-error-dh-key/79574 should be applied.

Proposed next steps on this effort:

  • apply the CentOS 7 specific patch (either regenerating the DH key or setting the Ciphers)
  • test the Java + Python client negotiation, e.g. an import
  • possibly add additional clients (OS X, Windows) into the testing matrix

@sbesson (Member) commented Jul 28, 2023

I was able to reproduce #139 (comment) on Ubuntu 22.04 after setting up TLS 1.3 exclusively:

omero config set omero.glacier2.IceSSL.Protocols "TLS1_3"
omero config set omero.glacier2.IceSSL.ProtocolVersionMax TLS1_3

I will run another round of cross-platform testing with an import workflow, i.e. testing both Python and Java clients, to assess that things are working as expected. From a tester perspective, I am starting to be worried about the dangers and limitations of integrating multiple development efforts (omero-py, omero-blitz, ice binaries on Rocky9).
Especially as several of us will be in and out over the next few weeks, it would be useful to define the expectations for getting these PRs merged and possibly available as release artifacts or minimally release candidates. @jburel @chris-allan

@jburel (Member) commented Jul 28, 2023

Ticket created #143 for cleanup

@sbesson (Member) left a review

Retested the cross-distribution compatibility on the same set of platforms as described in #139 (comment) with the following IceSSL server settings:

  • CentOS 7
    omero certificates
    omero config set omero.glacier2.IceSSL.Protocols "TLS1_2"
    omero config set omero.glacier2.IceSSL.ProtocolVersionMin TLS1_2
    omero config set omero.glacier2.IceSSL.ProtocolVersionMax TLS1_2
    omero config set omero.glacier2.IceSSL.Ciphers HIGH:!DH
  • Rocky Linux 8
    omero certificates
    omero config set omero.glacier2.IceSSL.Protocols "TLS1_2,TLS1_3"
    omero config set omero.glacier2.IceSSL.ProtocolVersionMin TLS1_2
    omero config set omero.glacier2.IceSSL.ProtocolVersionMax TLS1_3
  • Rocky Linux 9
    omero certificates
    omero config set omero.glacier2.IceSSL.Protocols "TLS1_2,TLS1_3"
    omero config set omero.glacier2.IceSSL.ProtocolVersionMin TLS1_2
    omero config set omero.glacier2.IceSSL.ProtocolVersionMax TLS1_3
  • Ubuntu 20.04
    omero certificates
    omero config set omero.glacier2.IceSSL.Protocols "TLS1_2,TLS1_3"
    omero config set omero.glacier2.IceSSL.ProtocolVersionMin TLS1_2
    omero config set omero.glacier2.IceSSL.ProtocolVersionMax TLS1_3
  • Ubuntu 22.04
    omero certificates
    omero config set omero.glacier2.IceSSL.Protocols "TLS1_2,TLS1_3"
    omero config set omero.glacier2.IceSSL.ProtocolVersionMin TLS1_2
    omero config set omero.glacier2.IceSSL.ProtocolVersionMax TLS1_3

These should ensure that the highest available protocol between TLS 1.2 and TLS 1.3 is selected during the client/server connection.

With this set-up, the following workflows were tested:

All tests completed successfully with the set-up above.

As discussed this morning with @chris-allan and @jburel, I cannot think of any additional testing to perform at this stage. Next proposed steps are:

  • merge and release this component so that we can work towards deploying testing servers consuming a released artifact
  • open an omero-certificates PR capturing the TLS configuration changes above (possibly with a variation for the CentOS 7 workaround)
  • set up testing servers using the new omero-blitz/omero-certificates/omero-py on a selected set of server environments, minimally CentOS 7, Ubuntu 22.04, Rocky Linux 9
  • retest the connection from various clients and client environments, including OMERO.insight as well as Windows/Linux
  • work towards a September public release of OMERO.server and OMERO clients like OMERO.insight
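The server settings in the review above bound the handshake with ProtocolVersionMin/Max and, on CentOS 7 only, strip finite-field Diffie-Hellman suites with `IceSSL.Ciphers HIGH:!DH` (the workaround for the `DH ServerKeyExchange does not comply to algorithm constraints` failure reported in the Jul 27 comment). The block below is an added example, not code from this PR or from the OMERO projects: it mirrors those settings on a client with Python's `ssl` module, which accepts the same OpenSSL cipher-string syntax, and lists exactly which suites `!DH` removes and which remain. The `FF_DH_SUITE` pattern, the helper names and the `HIGH` vs `HIGH:!DH` comparison are my own choices; one caveat they encode is that OpenSSL's `DH` alias covers only the certificate-authenticated and anonymous DH key-exchange class, so `DHE-PSK-*` suites are not touched by `!DH`.

```python
import re
import ssl

# OpenSSL-style names of TLS <= 1.2 suites keyed with finite-field Diffie-Hellman:
# anonymous (ADH-*), ephemeral (DHE-RSA-*, DHE-DSS-*, EDH-*) or fixed (DH-*).
# ECDHE-* suites do not match. DHE-PSK-* is deliberately excluded because
# OpenSSL's "DH" alias (what "!DH" removes) covers only the kDHE key-exchange
# class, not DHE-PSK. This pattern is an assumption of this example, not
# something IceSSL exposes.
FF_DH_SUITE = re.compile(r"^(ADH|DHE|EDH|DH)-(?!PSK)")


def is_ff_dh_suite(name: str) -> bool:
    """True for suite names that OpenSSL's "!DH" would drop."""
    return FF_DH_SUITE.match(name) is not None


def build_context(cipher_string: str,
                  min_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2,
                  max_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_3) -> ssl.SSLContext:
    """Client-side analogue of the IceSSL settings in the review comment:
    minimum/maximum_version bound the handshake like ProtocolVersionMin/Max,
    and set_ciphers takes the same OpenSSL string as IceSSL.Ciphers.
    TLS 1.3 suites are not governed by that string and stay enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version
    ctx.maximum_version = max_version
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing is left
    return ctx


def version_bounds(ctx: ssl.SSLContext) -> tuple:
    """Names of the configured protocol bounds, e.g. ("TLSv1_2", "TLSv1_3")."""
    return (ctx.minimum_version.name, ctx.maximum_version.name)


def enabled_suite_names(ctx: ssl.SSLContext) -> list:
    """Cipher suites the context would offer, in preference order."""
    return [c["name"] for c in ctx.get_ciphers()]


def ff_dh_suites_enabled(cipher_string: str) -> list:
    """Finite-field DH suites that survive the given cipher string."""
    return [n for n in enabled_suite_names(build_context(cipher_string))
            if is_ff_dh_suite(n)]


def suites_dropped_by(base: str, restricted: str) -> set:
    """Suites offered under `base` but not under `restricted`."""
    base_names = set(enabled_suite_names(build_context(base)))
    restricted_names = set(enabled_suite_names(build_context(restricted)))
    return base_names - restricted_names


if __name__ == "__main__":
    for spec in ("HIGH", "HIGH:!DH"):
        ctx = build_context(spec)
        print(f"{spec}: bounds={version_bounds(ctx)}, "
              f"{len(enabled_suite_names(ctx))} suites, "
              f"finite-field DH still offered: {ff_dh_suites_enabled(spec)}")
    print("dropped by !DH:", sorted(suites_dropped_by("HIGH", "HIGH:!DH")))
```

Running the script prints the suites `!DH` removes relative to plain `HIGH` on the local OpenSSL build; the TLS 1.3 suites (`TLS_AES_256_GCM_SHA384` and friends) are listed under both strings, which is why the protocol bounds, not the cipher string, are what decide whether a TLS 1.3 session can be negotiated.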

@imagesc-bot

This pull request has been mentioned on Image.sc Forum. There might be relevant details there:

https://forum.image.sc/t/omero-login-ssl-error-dh-key/79574/17
