On Tue, Jun 18, 2024 at 12:32 PM Rainer Jung <rainer.j...@kippdata.de> wrote: > > Am 18.06.24 um 12:04 schrieb Rémy Maucherat: > > On Tue, Jun 18, 2024 at 9:36 AM Rainer Jung <rainer.j...@kippdata.de> wrote: > >> > >> Hi all, > >> > >> when testing 11.0.0-M21 and 10.1.25 I observe new failures in panama: > >> > >> Testcase: > >> testOpenSSLConfCmdCipher[org.apache.tomcat.util.net.openssl.panama.OpenSSLImplementation] > >> took 4.438 sec > >> FAILED > >> Wrong HostConfig ciphers > >> Expected: is ["AES256-SHA256"] > >> but: was ["TLS_AES_256_GCM_SHA384", > >> "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256", "AES256-SHA256"] > >> junit.framework.AssertionFailedError: Wrong HostConfig ciphers > >> Expected: is ["AES256-SHA256"] > >> but: was ["TLS_AES_256_GCM_SHA384", > >> "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256", "AES256-SHA256"] > >> at org.hamcrest.MatcherAssert.assertThat(MatcherAssert.java:20) > >> at > >> org.apache.tomcat.util.net.openssl.TestOpenSSLConf.testOpenSSLConfCmdCipher(TestOpenSSLConf.java:132) > >> at > >> java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103) > >> > >> The test was done with the recent releases of OpenSSL 3.0, 3.1, 3.2 and > >> 3.3. All of them fail in the same way. > > > > I'm using OpenSSL 3.2.1 and the test was not failing for me. However, > > it was also not working. > > > > There are two issues that left errors on the stack and making the > > command check fail: > > - Setting a bad value for the random seed (fixed) > > - Then an error supposedly about use of the legacy provider somewhere > > (no idea where this happens, it's now logged [error:1E08010C:DECODER > > routines::unsupported]) > > Now the command check passes and I don't see any error processing the > > command. > > Thanks for checking and improving. I will check the updated version and > investigate deeper in case it still fails for me. I will also check, > whether the test is new, or behaves diifferently for OpenSSL 3.2.1 (used > by you and also by me for the previous release) and 3.2.2 (used by me > now). But probably not before this evening. > > No need to wait with closing the release votes, I guess panama is not > yet a show-stopper for the vote.
Ok, I found the root cause: the TLS 1.3 check becomes false if tomcat-native is not available. Since I had it, the FFM test is working for me. I'll fix it one way or the other. This test has a lot more configurations than expected ... Rémy > > Rémy > > > >> Best regards, > >> > >> Rainer > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
