    [ https://issues.apache.org/jira/browse/DIRMINA-1067?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Peter Palaga resolved DIRMINA-1067.
-----------------------------------
    Resolution: Not A Bug

Thanks for looking at this and for the hint that the IBM JVM could cache the results of the TrustManager queries, [~elecharny]. Although I have not got 100% certainty that IBM is really doing that, having tried intercepting the communication pipe earlier in {{SSLEngine}}, I was able to observe consistent behavior between IBM and Oracle/OpenJDK JVMs, which effectively means that this is neither a bug in Apache Mina nor a bug in any of the JVMs.

So, for others who might be interested in how to check/test what SSL certs an LDAP client is sending, this is an approach that worked for me:

Have a custom {{LdapsInitializer}} in your test class path that replaces the default {{LdapsInitializer}} delivered by ApacheDS. In that {{LdapsInitializer}}, create and install an {{SSLFilter}} with a custom {{SSLContext}}. The custom {{SSLContext}} produces a custom {{SSLEngine}} where we watch all {{wrap()}} and {{unwrap()}} methods. As soon as any of the {{wrap()}} and {{unwrap()}} methods returns {{HandshakeStatus.FINISHED}}, we call {{getSession().getPeerCertificateChain()}} and check if the cert chain is as expected.

Here is my code: https://github.com/wildfly/wildfly/pull/10209

> checkClientTrusted() invoked just once on IBM JRE
> -------------------------------------------------
>
>                 Key: DIRMINA-1067
>                 URL: https://issues.apache.org/jira/browse/DIRMINA-1067
>             Project: MINA
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.0.16
>            Reporter: Peter Palaga
>
> When we set up a test in which a client connects to the server three times
> using TLS with a client cert, then on OracleJDK and OpenJDK the
> {{org.apache.mina.filter.ssl.SslClientCertTest.TrustAndStoreTrustManager.checkClientTrusted(X509Certificate[], String)}}
> method is invoked three times, while on IBM JDK, the same method
> is invoked only once.
> I kindly ask for an explanation why this happens. I am not an expert in TLS
> and therefore I am not able to tell whether this is a bug in Mina, any of the
> JDKs, both or none.
>
> Steps to reproduce:
>
> (1) Prepare
> {code}
> git fetch https://github.com/ppalaga/mina.git refs/heads/DIRMINA-1067:DIRMINA-1067
> git checkout DIRMINA-1067
> mvn clean install -DskipTests
> {code}
>
> (2) Test with Oracle JDK or OpenJDK which both work as expected.
> {code}
> export JAVA_HOME=/path/to/OracleJDK # change this
> $JAVA_HOME/bin/java -version
> java version "1.8.0_121"
> Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
> Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)
> mvn test -Dtest=SslClientCertTest
> ...
> Running org.apache.mina.filter.ssl.SslClientCertTest
> [22:04:18] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Clearing certs
> [22:04:19] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
> [22:04:20] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
> [22:04:22] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
> Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 5.032 sec - in org.apache.mina.filter.ssl.SslClientCertTest
> {code}
> Note that {{Adding cert ...}} appears three times in the log
>
> (3) Test with IBM JDK
> {code}
> export JAVA_HOME=/path/to/IBMJDK
> $JAVA_HOME/bin/java -version
> java version "1.8.0"
> Java(TM) SE Runtime Environment (build pxa6480sr3fp12-20160919_01(SR3 FP12))
> IBM J9 VM (build 2.8, JRE 1.8.0 Linux amd64-64 Compressed References 20160915_318796 (JIT enabled, AOT enabled)
> J9VM - R28_Java8_SR3_20160915_0912_B318796
> JIT - tr.r14.java.green_20160818_122998
> GC - R28_Java8_SR3_20160915_0912_B318796_CMPRSS
> J9CL - 20160915_318796)
> JCL - 20160914_01 based on Oracle jdk8u101-b13
> mvn surefire:test -Dtest=SslClientCertTest
> ...
> Running org.apache.mina.filter.ssl.SslClientCertTest
> [22:10:42] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Clearing certs
> [22:10:42] INFO [org.apache.mina.filter.ssl.SslClientCertTest] - Adding cert CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
> Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 5.5 sec <<< FAILURE! - in org.apache.mina.filter.ssl.SslClientCertTest
> testClientCerts(org.apache.mina.filter.ssl.SslClientCertTest) Time elapsed: 5.412 sec <<< FAILURE!
> java.lang.AssertionError: expected:<3> but was:<1>
> {code}
>
> Expected: {{testClientCerts}} should pass
> Actual: {{testClientCerts}} fails
>
> Background: I took ApacheDS to check that our LDAP client code in WildFly is
> sending the client certs properly, but the results on Oracle vs IBM were
> inconsistent. The code there https://github.com/wildfly/wildfly/pull/9961
> does basically the same thing as the reproducer of the current issue
> https://github.com/apache/mina/pull/12

--
This message was sent by Atlassian JIRA (v6.4.14#64029)
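
The check described in the resolution comment above (watch `wrap()`/`unwrap()` and read the peer chain once `HandshakeStatus.FINISHED` is returned), sketched as an added example; it is not the code from the linked WildFly pull request. The class name `HandshakeWatchingEngine` and the `onPeerChain` callback are hypothetical, and `getPeerCertificates()` is used in place of the deprecated `getPeerCertificateChain()`.

```java
import java.nio.ByteBuffer;
import java.security.cert.Certificate;
import java.util.function.Consumer;
import javax.net.ssl.*;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;

/** Hypothetical test helper: wraps the real engine and reports the peer chain per finished handshake. */
public class HandshakeWatchingEngine extends SSLEngine {
    private final SSLEngine d;                          // engine from the real SSLContext
    private final Consumer<Certificate[]> onPeerChain;  // test callback (assumption), e.g. list::add
    public HandshakeWatchingEngine(SSLEngine delegate, Consumer<Certificate[]> onPeerChain) {
        super(delegate.getPeerHost(), delegate.getPeerPort());
        this.d = delegate;
        this.onPeerChain = onPeerChain;
    }
    private SSLEngineResult watch(SSLEngineResult r) throws SSLException {
        // FINISHED appears only in a wrap()/unwrap() result, never from getHandshakeStatus().
        if (r.getHandshakeStatus() == HandshakeStatus.FINISHED) {
            // Throws SSLPeerUnverifiedException if the peer presented no certificate.
            onPeerChain.accept(d.getSession().getPeerCertificates());
        }
        return r;
    }
    @Override public SSLEngineResult wrap(ByteBuffer[] s, int off, int len, ByteBuffer dst) throws SSLException { return watch(d.wrap(s, off, len, dst)); }
    @Override public SSLEngineResult unwrap(ByteBuffer src, ByteBuffer[] ds, int off, int len) throws SSLException { return watch(d.unwrap(src, ds, off, len)); }
    // Everything below is plain delegation to the real engine.
    @Override public Runnable getDelegatedTask() { return d.getDelegatedTask(); }
    @Override public void closeInbound() throws SSLException { d.closeInbound(); }
    @Override public boolean isInboundDone() { return d.isInboundDone(); }
    @Override public void closeOutbound() { d.closeOutbound(); }
    @Override public boolean isOutboundDone() { return d.isOutboundDone(); }
    @Override public String[] getSupportedCipherSuites() { return d.getSupportedCipherSuites(); }
    @Override public String[] getEnabledCipherSuites() { return d.getEnabledCipherSuites(); }
    @Override public void setEnabledCipherSuites(String[] s) { d.setEnabledCipherSuites(s); }
    @Override public String[] getSupportedProtocols() { return d.getSupportedProtocols(); }
    @Override public String[] getEnabledProtocols() { return d.getEnabledProtocols(); }
    @Override public void setEnabledProtocols(String[] p) { d.setEnabledProtocols(p); }
    @Override public SSLSession getSession() { return d.getSession(); }
    @Override public void beginHandshake() throws SSLException { d.beginHandshake(); }
    @Override public HandshakeStatus getHandshakeStatus() { return d.getHandshakeStatus(); }
    @Override public void setUseClientMode(boolean m) { d.setUseClientMode(m); }
    @Override public boolean getUseClientMode() { return d.getUseClientMode(); }
    @Override public void setNeedClientAuth(boolean n) { d.setNeedClientAuth(n); }
    @Override public boolean getNeedClientAuth() { return d.getNeedClientAuth(); }
    @Override public void setWantClientAuth(boolean w) { d.setWantClientAuth(w); }
    @Override public boolean getWantClientAuth() { return d.getWantClientAuth(); }
    @Override public void setEnableSessionCreation(boolean f) { d.setEnableSessionCreation(f); }
    @Override public boolean getEnableSessionCreation() { return d.getEnableSessionCreation(); }
}
```

The callback fires on every completed handshake, including one that resumes a cached session, so a test that counts chains this way does not depend on how often the JVM consults the `TrustManager`.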