Igal,

On 10/2/18 01:58, Igal Sapir wrote:
> When trying to run the unit test cases with `ant clean test` on the
> current trunk [1] I am getting two (per connector) failures:
>
> org.apache.tomcat.util.net.openssl.ciphers.TestCipher FAILED [2]
>
> org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser
> FAILED [3]
>
> Server version: Apache Tomcat/9.0.13-dev
> Server built:   Oct 2 2018 05:24:55 UTC
> Server number:  9.0.13.0
> OS Name:        Linux
> OS Version:     4.18.9-200.fc28.x86_64
> Architecture:   amd64
> JVM Version:    1.8.0_181-b13
> JVM Vendor:     Oracle Corporation
>
> Am I missing something? Other than the obvious "missing ciphers",
> that is.

AIUI, you need to have the perfect match of JRE/JSSE and OpenSSL versions in order to have this test work, because it tests all cipher suites that have been configured in the test-case(s). Some of those are the super-new ones that might not be supported by your local version of OpenSSL. Some of them may be cipher-suites that have been compiled-out of OpenSSL in recent builds.

You may want to take a look at the list of cipher suites that are failing and then ask openssl if they are supported (e.g. "openssl ciphers 'ALL'").

The same is true for the "IBM cipher suites" which all have different names for some reason. OpenSSL and JSSE already disagree about the names of cipher suites, and IBM had to go their own way, too. If you don't have an IBM JRE then you won't be able to test those suites.

Let's take an example from OpenSSL where your tests are failing:

> Testcase: testOpenSSLCipherAvailability took 0.06 sec FAILED
> ECDHE-ARIA128-GCM-SHA256+TLSv1.2
> DHE-RSA-ARIA128-GCM-SHA256+TLSv1.2
> DHE-DSS-ARIA256-GCM-SHA384+TLSv1.2
> ECDHE-ECDSA-ARIA128-GCM-SHA256+TLSv1.2
> ARIA256-GCM-SHA384+TLSv1.2
> ECDHE-ARIA256-GCM-SHA384+TLSv1.2
> DHE-RSA-ARIA256-GCM-SHA384+TLSv1.2
> RSA-PSK-ARIA256-GCM-SHA384+TLSv1.2
> ECDHE-ECDSA-ARIA256-GCM-SHA384+TLSv1.2
> ARIA128-GCM-SHA256+TLSv1.2
> DHE-PSK-ARIA128-GCM-SHA256+TLSv1.2
> RSA-PSK-ARIA128-GCM-SHA256+TLSv1.2
> DHE-DSS-ARIA128-GCM-SHA256+TLSv1.2
> PSK-ARIA256-GCM-SHA384+TLSv1.2
> DHE-PSK-ARIA256-GCM-SHA384+TLSv1.2
> PSK-ARIA128-GCM-SHA256+TLSv1.2
> expected:<0> but was:<16>

Without looking at the code, I suspect that the test was intended to select certain ciphers with some attribute. The test case expects zero cipher suites to be available, but your environment provides 16 matching cipher suites.

If I run my local LibreSSL 2.2.7 "openssl ciphers -v 'ALL' | grep ARIA" I get no output, but when I use OpenSSL 1.1.1, I get this output:

> ECDHE-ECDSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH   Au=ECDSA Enc=ARIAGCM(256) Mac=AEAD
> ECDHE-ARIA256-GCM-SHA384       TLSv1.2 Kx=ECDH   Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
> DHE-DSS-ARIA256-GCM-SHA384     TLSv1.2 Kx=DH     Au=DSS   Enc=ARIAGCM(256) Mac=AEAD
> DHE-RSA-ARIA256-GCM-SHA384     TLSv1.2 Kx=DH     Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
> ECDHE-ECDSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH   Au=ECDSA Enc=ARIAGCM(128) Mac=AEAD
> ECDHE-ARIA128-GCM-SHA256       TLSv1.2 Kx=ECDH   Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
> DHE-DSS-ARIA128-GCM-SHA256     TLSv1.2 Kx=DH     Au=DSS   Enc=ARIAGCM(128) Mac=AEAD
> DHE-RSA-ARIA128-GCM-SHA256     TLSv1.2 Kx=DH     Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
> RSA-PSK-ARIA256-GCM-SHA384     TLSv1.2 Kx=RSAPSK Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
> DHE-PSK-ARIA256-GCM-SHA384     TLSv1.2 Kx=DHEPSK Au=PSK   Enc=ARIAGCM(256) Mac=AEAD
> ARIA256-GCM-SHA384             TLSv1.2 Kx=RSA    Au=RSA   Enc=ARIAGCM(256) Mac=AEAD
> PSK-ARIA256-GCM-SHA384         TLSv1.2 Kx=PSK    Au=PSK   Enc=ARIAGCM(256) Mac=AEAD
> RSA-PSK-ARIA128-GCM-SHA256     TLSv1.2 Kx=RSAPSK Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
> DHE-PSK-ARIA128-GCM-SHA256     TLSv1.2 Kx=DHEPSK Au=PSK   Enc=ARIAGCM(128) Mac=AEAD
> ARIA128-GCM-SHA256             TLSv1.2 Kx=RSA    Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
> PSK-ARIA128-GCM-SHA256         TLSv1.2 Kx=PSK    Au=PSK   Enc=ARIAGCM(128) Mac=AEAD

There are 16 items in that list. Perhaps you are using the latest OpenSSL but the test isn't prepared for them.

I think it's "okay" that this test is failing for you, but it's probably worth looking into why it's happening and trying to alter the test to cope with that situation. Remember that OpenSSL 1.1.1 is very fresh so the unit tests might not have caught-up with what's in there, yet.

But this is weird:

> Testcase: testARIA128 took 0.535 sec FAILED
> Expected 8 ciphers but got 0 for the specification 'ARIA128' expected:

Above, you have ARIA ciphers available, but in this test, it does not find them.

I guess it's time to dive into the cipher-suite-matching code in those tests to see what's going on, Igal :)

-chris
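
Added example, not part of the original message and not Tomcat's test code: a shell helper that reads `openssl ciphers -v` output on stdin and prints every suite missing from a known-name list, in the NAME+PROTOCOL form used by the failure message quoted above. The function names, the known-list file and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Tomcat code): report suites that OpenSSL lists but a
# known-name list lacks, as NAME+PROTOCOL like the failure message above.

# Usage: openssl ciphers -v 'ALL' | unknown_suites known.txt
# known.txt (hypothetical file) holds one OpenSSL cipher name per line.
unknown_suites() {
    awk -v known_file="$1" '
        BEGIN {
            while ((getline line < known_file) > 0) {
                sub(/[ \t\r]+$/, "", line)        # tolerate trailing blanks/CR
                if (line != "") known[line] = 1
            }
            close(known_file)
        }
        # Data lines look like: NAME PROTOCOL Kx=... Au=... Enc=... Mac=...
        NF >= 2 && !($1 in known) { print $1 "+" $2 }
    '
}

# Constructed sample: two ARIA lines copied from the OpenSSL 1.1.1 output in
# the message, plus two AES lines in the same format.
sample_openssl_output() {
    cat <<'EOF'
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=ARIAGCM(128) Mac=AEAD
PSK-ARIA256-GCM-SHA384 TLSv1.2 Kx=PSK Au=PSK Enc=ARIAGCM(256) Mac=AEAD
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EOF
}

# Constructed known-name list that predates the ARIA suites.
demo() {
    known=$(mktemp) || return 1
    printf '%s\n' ECDHE-RSA-AES128-GCM-SHA256 AES256-SHA > "$known"
    sample_openssl_output | unknown_suites "$known"
    rm -f "$known"
}

demo
```

An empty result means every suite the local OpenSSL offers is already in the list; any line printed is a name the list has not caught up with.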