[ https://issues.apache.org/jira/browse/DIRMINA-1067?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16045355#comment-16045355 ]

Emmanuel Lecharny commented on DIRMINA-1067:
--------------------------------------------

The thing is that you call the {{connectAndSend}} method 3 times. If you call 
it 4 times, the certificate is checked 4 times (I did the test).

IMO, the IBM JDK should cache the result of the certificate check, thus 
avoiding doing it again when it receives the exact same certificate another 
time, something the Oracle JDK does not do. In any case, I don't think there is 
a problem in MINA, as we are dealing with a brand new connection every time 
(besides the obvious cost of checking the same certificate over and over)...

> checkClientTrusted() invoked just once on IBM JRE
> -------------------------------------------------
>
>                 Key: DIRMINA-1067
>                 URL: https://issues.apache.org/jira/browse/DIRMINA-1067
>             Project: MINA
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.0.16
>            Reporter: Peter Palaga
>
> When we set up a test in which a client connects to the server three times 
> using TLS with a client cert, then on OracleJDK and OpenJDK the 
> {{org.apache.mina.filter.ssl.SslClientCertTest.TrustAndStoreTrustManager.checkClientTrusted(X509Certificate[],
>  String)}} method is invoked three times, while on IBM JDK, the same method 
> is invoked only once. 
> I kindly ask for an explanation why this happens. I am not an expert in TLS 
> and therefore I am not able to tell whether this is a bug in Mina, any of the 
> JDKs, both or none.
> Steps to reproduce: 
> (1) Prepare
> {code}
> git fetch https://github.com/ppalaga/mina.git refs/heads/DIRMINA-1067:DIRMINA-1067
> git checkout DIRMINA-1067
> mvn clean install -DskipTests
> {code}
> (2) Test with Oracle JDK or OpenJDK which both work as expected.
> {code}
> export JAVA_HOME=/path/to/OracleJDK # change this
> $JAVA_HOME/bin/java -version
> java version "1.8.0_121"
> Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
> Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)
> mvn test -Dtest=SslClientCertTest
> ...
> Running org.apache.mina.filter.ssl.SslClientCertTest
> [22:04:18] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Clearing 
> certs
> [22:04:19] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert 
> CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
> [22:04:20] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert 
> CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
> [22:04:22] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert 
> CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
> Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 5.032 sec - 
> in org.apache.mina.filter.ssl.SslClientCertTest
> {code}
> Note that {{Adding cert ...}} appears three times in the log
> (3) Test with IBM JDK
> {code}
> export JAVA_HOME=/path/to/IBMJDK
> $JAVA_HOME/bin/java -version
> java version "1.8.0"
> Java(TM) SE Runtime Environment (build pxa6480sr3fp12-20160919_01(SR3 FP12))
> IBM J9 VM (build 2.8, JRE 1.8.0 Linux amd64-64 Compressed References 
> 20160915_318796 (JIT enabled, AOT enabled)
> J9VM - R28_Java8_SR3_20160915_0912_B318796
> JIT  - tr.r14.java.green_20160818_122998
> GC   - R28_Java8_SR3_20160915_0912_B318796_CMPRSS
> J9CL - 20160915_318796)
> JCL - 20160914_01 based on Oracle jdk8u101-b13
> mvn surefire:test -Dtest=SslClientCertTest 
> ...
> Running org.apache.mina.filter.ssl.SslClientCertTest
> [22:10:42] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Clearing 
> certs
> [22:10:42] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert 
> CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
> Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 5.5 sec <<< 
> FAILURE! - in org.apache.mina.filter.ssl.SslClientCertTest
> testClientCerts(org.apache.mina.filter.ssl.SslClientCertTest)  Time elapsed: 
> 5.412 sec  <<< FAILURE!
> java.lang.AssertionError: expected:<3> but was:<1>
> {code}
> Expected: {{testClientCerts}} should pass
> Actual: {{testClientCerts}} fails
> Background: I took ApacheDS to check that our LDAP client code in WildFly is 
> sending the client certs properly, but the results on Oracle vs IBM were 
> inconsistent. The code there https://github.com/wildfly/wildfly/pull/9961 
> does basically the same thing as the reproducer of the current issue 
> https://github.com/apache/mina/pull/12


