On 03/11/2018 16:20, Igal Sapir wrote:
> On Sat, Nov 3, 2018 at 3:50 AM Mark Thomas <ma...@apache.org> wrote:
>
>> On 02/11/2018 22:39, Igal Sapir wrote:
>>
>> <snip/>
>>
>>> I am getting the same test case failures as before, so it doesn't look like
>>> a regression to me:
>>> [concat] Testsuites with failed tests:
>>> [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestCipher.NIO.txt [1]
>>> [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.NIO.txt [2]
>>>
>>> (details below)
>>>
>>>
>>>> The proposed 9.0.13 release is:
>>>> [ ] Broken - do not release
>>>> [X] Stable - go ahead and release as 9.0.13
>>>>
>>>>
>>> Assuming that my assessment of the failures is correct, my non-binding vote
>>> is Stable. Tested on Fedora 28 with OpenSSL 1.1.0i-fips.
>>
>> Which JDK are you using? It looks like an IBM one. It has been a while
>> since I tested things with an IBM JDK so some updates might be required.
>>
>
> I am pretty sure that I've never installed the IBM JDK on any machine.
> This one IIRC is from Oracle:
>
> $ javac -version
> javac 1.8.0_181
> $ java -version
> java version "1.8.0_181"
> Java(TM) SE Runtime Environment (build 1.8.0_181-b13)
> Java HotSpot(TM) 64-Bit Server VM (build 25.181-b13, mixed mode)
>
> I will upgrade to u191 from Oracle and then test again.
>
>
>> A FIPS enabled OpenSSL might also cause some failures as it might
>> disable some ciphers.
>>
>
> I am guessing by the version name of OpenSSL that FIPS is enabled:
>
> $ openssl version
> OpenSSL 1.1.0i-fips 14 Aug 2018

That is very odd as the only OpenSSL branch that is FIPS certified is 1.0.2.

> $ uname -a
> Linux local 4.18.16-200.fc28.x86_64 #1 SMP Sat Oct 20 23:53:47 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
>
> Should I make a mental note that these are false positives or should we
> pursue it further and update the test cases to remove ciphers that should
> not be used?

They look like false positives at this point. Now is probably a good time to complete the planned expansion of unit tests on Gump for Tomcat Native so we have coverage of all the OpenSSL versions.

Mark